Spring Security Add more deprecation metadata as of Spring Security 6 using @Deprecated attributes

Expected Behavior

As Spring Security 6 is now using Java 17, we could provide more deprecation metadata thanks to the @Deprecated annotation, with the since and forRemoval attributes.

Context

Spring FWK 6 or Spring Boot 3 are already using this.

For example in https://github.com/spring-projects/spring-framework/blob/main/spring-core/src/main/java/org/springframework/util/StringUtils.java#L226 :

@Deprecated(since = "6.0")
public static String trimWhitespace(String str) 

Example

@Deprecated(since = "6.0")
public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBuilder<H>> ...

or on methods :

public final class org.springframework.security.config.annotation.web.builders.HttpSecurity 

@Deprecated(since = "6.0", forRemoval = true)
public ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests()

What do you think ?

Comment From: marcusdacoregio

Thanks for the suggestion @ghusta.

We are already using the @Deprecation properties to enhance the notice, see the CookieCsrfTokenRepository.

The suggestion is excellent and I'll talk to the team to keep that in mind, especially when doing code reviews. On the other hand, adding more metadata to existing @Deprecated annotations is a low-priority task and I don't think it has much value since we already provide enough information in the @deprecated tag.

Comment From: ghusta

OK, thank you for the feedback.