Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter

[jzheaux]

Related to #6220

SecurityContextHolderAwareRequestFilter contains a condition which returns a different HttpServletRequestFactory based on whether the application is using Servlet Spec 3 or higher.

To support this, there are two request factories, one for servlet 2.5 called HttpServlet25RequestFactory and another called HttpServlet3RequestFactory.

These exist in order to expose additional features in Servlet 3, and also to return a version-specific implementation of SecurityContextHolderAwareRequestWrapper.

Since Spring Framework 5.x has a baseline of Servlet Spec 3.1, the if condition, and HttpServlet25RequestFactory are no longer necessary and we should remove them.

For now, we shouldn't move Servlet3SecurityContextHolderAwareRequestWrapper's functionality up into SecurityContextHolderAwareRequestWrapper since it is reliant on private state in HttpServlet3RequestFactory.

[dongmyo]

@jzheaux
what about changing HttpServlet3RequestFactory to the default implementation of HttpServletRequestFactory and moving Servlet3SecurityContextHolderAwareRequestWrapper's functionality up into SecurityContextHolderAwareRequestWrapper?

[jzheaux]

Good question, this was my thought originally as well.

But, the reason to not do that yet is that Servlet3SecurityContextHolderAwareRequestWrapper depends on private state in HttpServlet3RequestFactory, like an authenticationEntryPoint. To move the functionality would also mean to move that configuration, which is a bigger task than simply dropping support for Servlet 2.5.

I'm open to a proposal if you have a better way to do that, but I suspect we'll want to do it in a separate task.

[dongmyo]

@jzheaux okay, i totally understand what you mean now.
thank you.