From ab52fd858a731d96a88b3cab00191a507edd8ed2 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Fri, 28 Feb 2025 12:35:21 -0700
Subject: [PATCH] Deprecate ChannelDecisionManager

Closes gh-16681
---
 .../security/web/access/channel/ChannelDecisionManager.java   | 4 ++++
 .../web/access/channel/ChannelDecisionManagerImpl.java        | 4 ++++
 .../security/web/access/channel/ChannelProcessingFilter.java  | 2 ++
 .../security/web/access/channel/ChannelProcessor.java         | 4 ++++
 .../security/web/access/channel/InsecureChannelProcessor.java | 4 ++++
 .../security/web/access/channel/SecureChannelProcessor.java   | 4 ++++
 6 files changed, 22 insertions(+)

diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java
index 3dace42b1e1..71f3091d4e1 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManager.java
@@ -23,12 +23,16 @@
 
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
  * Decides whether a web channel provides sufficient security.
  *
  * @author Ben Alex
+ * @deprecated no replacement is planned, though consider using a custom
+ * {@link RequestMatcher} for any sophisticated decision-making
  */
+@Deprecated
 public interface ChannelDecisionManager {
 
 	/**
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java
index 5685c650666..1d9f05f65c4 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelDecisionManagerImpl.java
@@ -26,6 +26,7 @@
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
 /**
@@ -44,7 +45,10 @@
  * channel processors will be skipped (see SEC-494, SEC-335).
  *
  * @author Ben Alex
+ * @deprecated no replacement is planned, though consider using a custom
+ * {@link RequestMatcher} for any sophisticated decision-making
  */
+@Deprecated
 public class ChannelDecisionManagerImpl implements ChannelDecisionManager, InitializingBean {
 
 	public static final String ANY_CHANNEL = "ANY_CHANNEL";
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
index 1f4fd2a7832..b14ae3bd474 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
@@ -83,7 +83,9 @@
  * over HTTPS.
  *
  * @author Ben Alex
+ * @deprecated see {@link org.springframework.security.web.transport.HttpsRedirectFilter}
  */
+@Deprecated
 public class ChannelProcessingFilter extends GenericFilterBean {
 
 	private ChannelDecisionManager channelDecisionManager;
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java
index 07e27769c45..56ab0f262be 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessor.java
@@ -23,6 +23,7 @@
 
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
  * Decides whether a web channel meets a specific security condition.
@@ -34,7 +35,10 @@
  * themselves. The callers of the implementation do not take any action.
  *
  * @author Ben Alex
+ * @deprecated no replacement is planned, though consider using a custom
+ * {@link RequestMatcher} for any sophisticated decision-making
  */
+@Deprecated
 public interface ChannelProcessor {
 
 	/**
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java b/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java
index dbf23df6995..69d0fe9931c 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/InsecureChannelProcessor.java
@@ -24,6 +24,7 @@
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
 /**
@@ -39,7 +40,10 @@
  * The default <code>insecureKeyword</code> is <code>REQUIRES_INSECURE_CHANNEL</code>.
  *
  * @author Ben Alex
+ * @deprecated no replacement is planned, though consider using a custom
+ * {@link RequestMatcher} for any sophisticated decision-making
  */
+@Deprecated
 public class InsecureChannelProcessor implements InitializingBean, ChannelProcessor {
 
 	private ChannelEntryPoint entryPoint = new RetryWithHttpEntryPoint();
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java b/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java
index bc3dd8805dc..60de136c8ab 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/SecureChannelProcessor.java
@@ -24,6 +24,7 @@
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 
 /**
@@ -39,7 +40,10 @@
  * The default <code>secureKeyword</code> is <code>REQUIRES_SECURE_CHANNEL</code>.
  *
  * @author Ben Alex
+ * @deprecated no replacement is planned, though consider using a custom
+ * {@link RequestMatcher} for any sophisticated decision-making
  */
+@Deprecated
 public class SecureChannelProcessor implements InitializingBean, ChannelProcessor {
 
 	private ChannelEntryPoint entryPoint = new RetryWithHttpsEntryPoint();