Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter

Fixes: gh-6260

Author: dongmyo

web/src/main/java/org/springframework/security/web/servletapi/HttpServlet25RequestFactory.java

@@ -48,9 +48,8 @@
 import org.springframework.util.CollectionUtils;
 
 /**
- * Provides integration with the Servlet 3 APIs in addition to the ones found in
- * {@link HttpServlet25RequestFactory}. The additional methods that are integrated with
- * can be found below:
+ * Provides integration with the Servlet 3 APIs. The additional methods that are
+ * integrated with can be found below:
  *
  * <ul>
  * <li>{@link HttpServletRequest#authenticate(HttpServletResponse)} - Allows the user to
@@ -71,7 +70,6 @@
  * @author Rob Winch
  *
  * @see SecurityContextHolderAwareRequestFilter
- * @see HttpServlet25RequestFactory
  * @see Servlet3SecurityContextHolderAwareRequestWrapper
  * @see SecurityContextAsyncContext
  */

web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java

@@ -19,13 +19,11 @@
 import javax.servlet.http.HttpServletResponse;
 
 /**
- * Internal interface for creating a {@link HttpServletRequest}. This allows for creating
- * a different implementation for Servlet 2.5 and Servlet 3.0 environments.
+ * Internal interface for creating a {@link HttpServletRequest}.
  *
  * @author Rob Winch
  * @since 3.2
  * @see HttpServlet3RequestFactory
- * @see HttpServlet25RequestFactory
  */
 interface HttpServletRequestFactory {
 

web/src/main/java/org/springframework/security/web/servletapi/HttpServletRequestFactory.java

@@ -35,20 +35,14 @@
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.util.Assert;
-import org.springframework.util.ClassUtils;
 import org.springframework.web.filter.GenericFilterBean;
 
 /**
  * A <code>Filter</code> which populates the <code>ServletRequest</code> with a request
  * wrapper which implements the servlet API security methods.
  * <p>
- * In pre servlet 3 environment the wrapper class used is
- * {@link SecurityContextHolderAwareRequestWrapper}. See its javadoc for the methods that
- * are implemented.
- * </p>
- * <p>
- * In a servlet 3 environment {@link SecurityContextHolderAwareRequestWrapper} is extended
- * to provide the following additional methods:
+ * {@link SecurityContextHolderAwareRequestWrapper} is extended to provide the following
+ * additional methods:
  * </p>
  * <ul>
  * <li>{@link HttpServletRequest#authenticate(HttpServletResponse)} - Allows the user to
@@ -114,8 +108,6 @@ public void setRolePrefix(String rolePrefix) {
 	 * @param authenticationEntryPoint the {@link AuthenticationEntryPoint} to use when
 	 * invoking {@link HttpServletRequest#authenticate(HttpServletResponse)} if the user
 	 * is not authenticated.
-	 *
-	 * @throws IllegalStateException if the Servlet 3 APIs are not found on the classpath
 	 */
 	public void setAuthenticationEntryPoint(
 			AuthenticationEntryPoint authenticationEntryPoint) {
@@ -136,8 +128,6 @@ public void setAuthenticationEntryPoint(
 	 *
 	 * @param authenticationManager the {@link AuthenticationManager} to use when invoking
 	 * {@link HttpServletRequest#login(String, String)}
-	 *
-	 * @throws IllegalStateException if the Servlet 3 APIs are not found on the classpath
 	 */
 	public void setAuthenticationManager(AuthenticationManager authenticationManager) {
 		this.authenticationManager = authenticationManager;
@@ -158,8 +148,6 @@ public void setAuthenticationManager(AuthenticationManager authenticationManager
 	 *
 	 * @param logoutHandlers the {@code List&lt;LogoutHandler&gt;}s when invoking
 	 * {@link HttpServletRequest#logout()}.
-	 *
-	 * @throws IllegalStateException if the Servlet 3 APIs are not found on the classpath
 	 */
 	public void setLogoutHandlers(List<LogoutHandler> logoutHandlers) {
 		this.logoutHandlers = logoutHandlers;
@@ -179,8 +167,7 @@ public void afterPropertiesSet() throws ServletException {
 
 	private void updateFactory() {
 		String rolePrefix = this.rolePrefix;
-		this.requestFactory = isServlet3() ? createServlet3Factory(rolePrefix)
-				: new HttpServlet25RequestFactory(this.trustResolver, rolePrefix);
+		this.requestFactory = createServlet3Factory(rolePrefix);
 	}
 
 	/**
@@ -205,11 +192,4 @@ private HttpServletRequestFactory createServlet3Factory(String rolePrefix) {
 		return factory;
 	}
 
-	/**
-	 * Returns true if the Servlet 3 APIs are detected.
-	 * @return
-	 */
-	private boolean isServlet3() {
-		return ClassUtils.hasMethod(ServletRequest.class, "startAsync");
-	}
 }