Remove deprecated elements using AuthorizationDecision

config/src/main/java/org/springframework/security/config/method/PointcutDelegatingAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,19 +36,6 @@ class PointcutDelegatingAuthorizationManager implements AuthorizationManager<Met
 		this.managers = managers;
 	}
 
-	@Override
-	public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation object) {
-		AuthorizationResult result = authorize(authentication, object);
-		if (result == null) {
-			return null;
-		}
-		if (result instanceof AuthorizationDecision decision) {
-			return decision;
-		}
-		throw new IllegalArgumentException(
-				"Please either call authorize or ensure that the returned result is of type AuthorizationDecision");
-	}
-
 	@Override
 	public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation object) {
 		for (Map.Entry<Pointcut, AuthorizationManager<MethodInvocation>> entry : this.managers.entrySet()) {

config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,6 +53,7 @@
 import org.springframework.security.access.vote.ConsensusBased;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.config.Elements;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -463,7 +464,7 @@ private ExpressionBasedAuthorizationManager(
 		}
 
 		@Override
-		public AuthorizationDecision check(Supplier<Authentication> authentication,
+		public AuthorizationResult authorize(Supplier<Authentication> authentication,
 				MessageAuthorizationContext<?> object) {
 			EvaluationContext context = this.expressionHandler.createEvaluationContext(authentication, object);
 			boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, context);

config/src/test/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfigurationTests.java

@@ -93,7 +93,6 @@
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
-import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
 import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
 import org.springframework.security.authorization.method.AuthorizationAdvisor;
@@ -143,7 +142,6 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.clearInvocations;
-import static org.mockito.Mockito.doCallRealMethod;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.spy;
@@ -1555,8 +1553,6 @@ static class AuthorizationEventPublisherConfig {
 
 		@Bean
 		AuthorizationEventPublisher authorizationEventPublisher() {
-			doCallRealMethod().when(this.publisher)
-				.publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));
 			return this.publisher;
 		}
 

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurerTests.java

@@ -44,7 +44,6 @@
 import org.springframework.security.authorization.AuthorizationEventPublisher;
 import org.springframework.security.authorization.AuthorizationManager;
 import org.springframework.security.authorization.AuthorizationObservationContext;
-import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
 import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
 import org.springframework.security.config.ObjectPostProcessor;
@@ -85,10 +84,8 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
-import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.atLeastOnce;
-import static org.mockito.Mockito.doCallRealMethod;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
@@ -154,20 +151,17 @@ public void configureWhenMvcMatcherAfterAnyRequestThenException() {
 	@Test
 	public void configureMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUse() throws Exception {
 		CustomAuthorizationManagerConfig.authorizationManager = mock(AuthorizationManager.class);
-		given(CustomAuthorizationManagerConfig.authorizationManager.authorize(any(), any())).willCallRealMethod();
 		this.spring.register(CustomAuthorizationManagerConfig.class, BasicController.class).autowire();
 		this.mvc.perform(get("/")).andExpect(status().isOk());
-		verify(CustomAuthorizationManagerConfig.authorizationManager).check(any(), any());
+		verify(CustomAuthorizationManagerConfig.authorizationManager).authorize(any(), any());
 	}
 
 	@Test
 	public void configureNoParameterMvcMatcherAccessAuthorizationManagerWhenNotNullThenVerifyUse() throws Exception {
 		CustomAuthorizationManagerNoParameterConfig.authorizationManager = mock(AuthorizationManager.class);
-		given(CustomAuthorizationManagerNoParameterConfig.authorizationManager.authorize(any(), any()))
-			.willCallRealMethod();
 		this.spring.register(CustomAuthorizationManagerNoParameterConfig.class, BasicController.class).autowire();
 		this.mvc.perform(get("/")).andExpect(status().isOk());
-		verify(CustomAuthorizationManagerNoParameterConfig.authorizationManager).check(any(), any());
+		verify(CustomAuthorizationManagerNoParameterConfig.authorizationManager).authorize(any(), any());
 	}
 
 	@Test
@@ -1284,8 +1278,6 @@ static class AuthorizationEventPublisherConfig {
 
 		@Bean
 		AuthorizationEventPublisher authorizationEventPublisher() {
-			doCallRealMethod().when(this.publisher)
-				.publishAuthorizationEvent(any(), any(), any(AuthorizationResult.class));
 			return this.publisher;
 		}
 

config/src/test/java/org/springframework/security/config/http/DefaultFilterChainValidatorTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -124,8 +124,7 @@ public void validateCheckLoginPageIsntProtectedThrowsIllegalArgumentException()
 
 	@Test
 	public void validateCheckLoginPageAllowsAnonymous() {
-		given(this.authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
-		given(this.authorizationManager.authorize(any(), any())).willCallRealMethod();
+		given(this.authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false));
 		this.validator.validate(this.chainAuthorizationFilter);
 		verify(this.logger).warn("Anonymous access to the login page doesn't appear to be enabled. "
 				+ "This is almost certainly an error. Please check your configuration allows unauthenticated "

config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -90,14 +90,13 @@ public void getWhenUsingAuthorizationManagerThenRedirectsToLogin() throws Except
 		this.spring.configLocations(this.xml("AuthorizationManager")).autowire();
 		AuthorizationManager<HttpServletRequest> authorizationManager = this.spring.getContext()
 			.getBean(AuthorizationManager.class);
-		given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
-		given(authorizationManager.authorize(any(), any())).willCallRealMethod();
+		given(authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false));
 		// @formatter:off
 		this.mvc.perform(get("/"))
 				.andExpect(status().isFound())
 				.andExpect(redirectedUrl("http://localhost/login"));
 		// @formatter:on
-		verify(authorizationManager).check(any(), any());
+		verify(authorizationManager).authorize(any(), any());
 	}
 
 	@Test

config/src/test/java/org/springframework/security/config/method/InterceptMethodsBeanDefinitionDecoratorTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -168,10 +168,9 @@ public void transactionalAuthorizationManagerMethodsShouldBeSecured() {
 
 	@Test
 	public void targetCustomAuthorizationManagerUsed() {
-		given(this.mockAuthorizationManager.authorize(any(), any())).willCallRealMethod();
-		given(this.mockAuthorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
+		given(this.mockAuthorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(true));
 		this.targetCustomAuthorizationManager.doSomething();
-		verify(this.mockAuthorizationManager).check(any(), any());
+		verify(this.mockAuthorizationManager).authorize(any(), any());
 	}
 
 	@Override

config/src/test/java/org/springframework/security/config/method/MethodSecurityBeanDefinitionParserTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,6 +39,7 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.config.annotation.method.configuration.MethodSecurityService;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
@@ -463,7 +464,7 @@ public boolean hasPermission(Authentication authentication, Serializable targetI
 	static class MyAuthorizationManager implements AuthorizationManager<MethodInvocation> {
 
 		@Override
-		public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation object) {
+		public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation object) {
 			return new AuthorizationDecision("bob".equals(authentication.get().getName()));
 		}
 

config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -513,12 +513,11 @@ public void sendWhenCustomAuthorizationManagerThenAuthorizesAccordingly() {
 		this.spring.configLocations(xml("CustomAuthorizationManagerConfig")).autowire();
 		AuthorizationManager<Message<?>> authorizationManager = this.spring.getContext()
 			.getBean(AuthorizationManager.class);
-		given(authorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(false));
-		given(authorizationManager.authorize(any(), any())).willCallRealMethod();
+		given(authorizationManager.authorize(any(), any())).willReturn(new AuthorizationDecision(false));
 		Message<?> message = message("/any");
 		assertThatExceptionOfType(Exception.class).isThrownBy(send(message))
 			.withCauseInstanceOf(AccessDeniedException.class);
-		verify(authorizationManager).check(any(), any());
+		verify(authorizationManager).authorize(any(), any());
 	}
 
 	private String xml(String configName) {

core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -111,7 +111,7 @@ public static <T> AuthenticatedAuthorizationManager<T> anonymous() {
 	 * @return an {@link AuthorizationDecision}
 	 */
 	@Override
-	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
+	public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
 		boolean granted = this.authorizationStrategy.isGranted(authentication.get());
 		return new AuthorizationDecision(granted);
 	}

core/src/main/java/org/springframework/security/authorization/AuthenticatedReactiveAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,13 +39,13 @@ public class AuthenticatedReactiveAuthorizationManager<T> implements ReactiveAut
 	}
 
 	@Override
-	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
+	public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
 		return authentication.filter(this::isNotAnonymous)
 			.map(this::getAuthorizationDecision)
 			.defaultIfEmpty(new AuthorizationDecision(false));
 	}
 
-	private AuthorizationDecision getAuthorizationDecision(Authentication authentication) {
+	private AuthorizationResult getAuthorizationDecision(Authentication authentication) {
 		return new AuthorizationDecision(authentication.isAuthenticated());
 	}
 

core/src/main/java/org/springframework/security/authorization/AuthoritiesAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -55,8 +55,7 @@ public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
 	 * @return an {@link AuthorityAuthorizationDecision}
 	 */
 	@Override
-	public AuthorityAuthorizationDecision check(Supplier<Authentication> authentication,
-			Collection<String> authorities) {
+	public AuthorizationResult authorize(Supplier<Authentication> authentication, Collection<String> authorities) {
 		boolean granted = isGranted(authentication.get(), authorities);
 		return new AuthorityAuthorizationDecision(granted, AuthorityUtils.createAuthorityList(authorities));
 	}

core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -134,17 +134,11 @@ private static String[] toNamedRolesArray(String rolePrefix, String[] roles) {
 	}
 
 	/**
-	 * Determines if the current user is authorized by evaluating if the
-	 * {@link Authentication} contains a specified authority.
-	 * @param authentication the {@link Supplier} of the {@link Authentication} to check
-	 * @param object the {@link T} object to check
-	 * @return an {@link AuthorizationDecision}
-	 * @deprecated please use {@link #authorize(Supplier, Object)} instead
+	 * {@inheritDoc}
 	 */
-	@Deprecated
 	@Override
-	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
-		return this.delegate.check(authentication, this.authorities);
+	public AuthorizationResult authorize(Supplier<Authentication> authentication, T object) {
+		return this.delegate.authorize(authentication, this.authorities);
 	}
 
 	@Override

core/src/main/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,13 +43,13 @@ public class AuthorityReactiveAuthorizationManager<T> implements ReactiveAuthori
 	}
 
 	@Override
-	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
+	public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
 		// @formatter:off
 		return authentication.filter(Authentication::isAuthenticated)
 				.flatMapIterable(Authentication::getAuthorities)
 				.map(GrantedAuthority::getAuthority)
 				.any((grantedAuthority) -> this.authorities.stream().anyMatch((authority) -> authority.getAuthority().equals(grantedAuthority)))
-				.map((granted) -> ((AuthorizationDecision) new AuthorityAuthorizationDecision(granted, this.authorities)))
+				.map((granted) -> ((AuthorizationResult) new AuthorityAuthorizationDecision(granted, this.authorities)))
 				.defaultIfEmpty(new AuthorityAuthorizationDecision(false, this.authorities));
 		// @formatter:on
 	}

core/src/main/java/org/springframework/security/authorization/AuthorizationEventPublisher.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,23 +33,6 @@
 @FunctionalInterface
 public interface AuthorizationEventPublisher {
 
-	/**
-	 * Publish the given details in the form of an event, typically
-	 * {@link AuthorizationGrantedEvent} or {@link AuthorizationDeniedEvent}.
-	 *
-	 * Note that success events can be very noisy if enabled by default. Because of this
-	 * implementations may choose to drop success events by default.
-	 * @param authentication a {@link Supplier} for the current user
-	 * @param object the secured object
-	 * @param decision the decision about whether the user may access the secured object
-	 * @param <T> the secured object's type
-	 * @deprecated use
-	 * {@link #publishAuthorizationEvent(Supplier, Object, AuthorizationResult)} instead
-	 */
-	@Deprecated
-	<T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
-			AuthorizationDecision decision);
-
 	/**
 	 * Publish the given details in the form of an event, typically
 	 * {@link AuthorizationGrantedEvent} or {@link AuthorizationDeniedEvent}.
@@ -63,17 +46,6 @@ <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T ob
 	 * @param <T> the secured object's type
 	 * @since 6.4
 	 */
-	default <T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object,
-			AuthorizationResult result) {
-		if (result == null) {
-			publishAuthorizationEvent(authentication, object, null);
-			return;
-		}
-		if (result instanceof AuthorizationDecision decision) {
-			publishAuthorizationEvent(authentication, object, decision);
-			return;
-		}
-		throw new UnsupportedOperationException("result must be of type AuthorizationDecision");
-	}
+	<T> void publishAuthorizationEvent(Supplier<Authentication> authentication, T object, AuthorizationResult result);
 
 }