Spring Security Restore Deprecated ObjectPostProcessor constructors for binary compatibility

Describe the bug

With 6.4.0, especially with this commit: https://github.com/spring-projects/spring-security/commit/ee9a887ae538ceebc01a8fad3685347f2d85f0f6

ObjectPostProcessor is moved to parent folder and current implementation is marked as deprecated. To ensure compatibility, deprecated ObjectPostProcessor is also extends new one.

The AuthenticationManagerBuilder (org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder) has a constructor with new ObjectProcessor as follows:

public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProcessor) {
  super(objectPostProcessor, true);
}

We have a NoObjectPostProcessor (like identity function in new one, thanks for that),

import c.c.c.Lazy;
import org.springframework.security.config.annotation.ObjectPostProcessor;

public class NoOpObjectPostProcessor<T> implements ObjectPostProcessor<T> {

  private static final Lazy<ObjectPostProcessor> INSTANCE = Lazy.of(NoOpObjectPostProcessor::new);

  public static <T> ObjectPostProcessor<T> getInstance() {
    return (ObjectPostProcessor<T>) INSTANCE.get();
  }

  @Override
  public <O extends T> O postProcess(O object) {
    return object;
  }
}

And using this processor like that:

AuthenticationManagerBuilder builder = new AuthenticationManagerBuilder(NoOpObjectPostProcessor.getInstance());

This usage now throws exception:

Caused by: java.lang.NoSuchMethodError: 'void org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder.<init>(org.springframework.security.config.annotation.ObjectPostProcessor)'
    at x.x.x.x.x.x.build(x.java:23)  --> calls builder constructor
    at a.a.a.a.a.a(a.java:54)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:171)
    ... 48 more

To Reproduce Steps to reproduce the behavior.

Expected behavior In first, I expected that compatibility trick can work because it also gives no error when compiling. It explodes in runtime.

I should resolve problem on my own codebase with some workarounds, but I thought this should be also discussed.

Thanks.

Comment From: ngocnhan-tran1996

With version 6.4.1

I run without error and org.springframework.security.config.annotation.ObjectPostProcessor extends org.springframework.security.config.ObjectPostProcessor

https://github.com/spring-projects/spring-security/blob/59b7b55cf8fe5ed5bf080036c27ddfd71cf21da2/config/src/main/java/org/springframework/security/config/annotation/ObjectPostProcessor.java#L34-L35

Comment From: jzheaux

Hi, @okohub, thanks for the report.

This may be a binary compatibility issue. As such it may be appropriate to reintroduce the deprecated constructors to make the upgrade passive.

I'm targeting a fix for this in the next maintenance release.

Comment From: ngocnhan-tran1996

@jzheaux

May I work on this?

Comment From: jzheaux

@okohub a fix has been pushed and should be available in 6.4.2-SNAPSHOT. Can you please try it out and let me know if your issue is resolved?

Comment From: jzheaux

Superceded by https://github.com/spring-projects/spring-security/pull/16212