Adapt to Servlet API 6 changes and support Jakarta WebSocket 2.1

Closes gh-12146
Closes gh-12148

Author: marcusdacoregio

config/spring-security-config.gradle

@@ -63,6 +63,8 @@ dependencies {
 	testImplementation 'io.rsocket:rsocket-transport-netty'
 	testImplementation 'jakarta.annotation:jakarta.annotation-api'
 	testImplementation 'jakarta.xml.bind:jakarta.xml.bind-api'
+	testImplementation 'jakarta.websocket:jakarta.websocket-api'
+	testImplementation 'jakarta.websocket:jakarta.websocket-client-api'
 	testImplementation 'ldapsdk:ldapsdk:4.1'
 	testImplementation('net.sourceforge.htmlunit:htmlunit') {
 		exclude group: 'commons-logging', module: 'commons-logging'

config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java

@@ -328,9 +328,7 @@ public void whenEnableSessionUrlRewritingTrueThenEncodeNotInvoked() throws Excep
 				HttpServletResponse responseToSpy = spy((HttpServletResponse) response);
 				chain.doFilter(request, responseToSpy);
 				verify(responseToSpy, atLeastOnce()).encodeRedirectURL(any());
-				verify(responseToSpy, atLeastOnce()).encodeRedirectUrl(any());
 				verify(responseToSpy, atLeastOnce()).encodeURL(any());
-				verify(responseToSpy, atLeastOnce()).encodeUrl(any());
 			})
 			.apply(springSecurity())
 			.build();
@@ -348,9 +346,7 @@ public void whenDefaultThenEncodeNotInvoked() throws Exception {
 				HttpServletResponse responseToSpy = spy((HttpServletResponse) response);
 				chain.doFilter(request, responseToSpy);
 				verify(responseToSpy, never()).encodeRedirectURL(any());
-				verify(responseToSpy, never()).encodeRedirectUrl(any());
 				verify(responseToSpy, never()).encodeURL(any());
-				verify(responseToSpy, never()).encodeUrl(any());
 			})
 			.apply(springSecurity())
 			.build();
@@ -807,9 +803,7 @@ static class EncodesUrls {
 		@RequestMapping("/")
 		String encoded(HttpServletResponse response) {
 			response.encodeURL("/foo");
-			response.encodeUrl("/foo");
 			response.encodeRedirectURL("/foo");
-			response.encodeRedirectUrl("/foo");
 			return "encoded";
 		}
 

config/src/test/java/org/springframework/security/config/http/HttpConfigTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -149,16 +149,6 @@ public String encodeRedirectURL(String url) {
 			throw new RuntimeException("Unexpected invocation of encodeURL");
 		}
 
-		@Override
-		public String encodeUrl(String url) {
-			throw new RuntimeException("Unexpected invocation of encodeURL");
-		}
-
-		@Override
-		public String encodeRedirectUrl(String url) {
-			throw new RuntimeException("Unexpected invocation of encodeURL");
-		}
-
 	}
 
 	public static final class MockObservationRegistry implements FactoryBean<ObservationRegistry> {

config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -578,16 +578,12 @@ public void configureWhenUsingDisableUrlRewritingAndCustomRepositoryThenRedirect
 		FilterChainProxy proxy = this.spring.getContext().getBean(FilterChainProxy.class);
 		proxy.doFilter(request, responseToSpy, (req, resp) -> {
 			HttpServletResponse httpResponse = (HttpServletResponse) resp;
-			httpResponse.encodeUrl("/");
 			httpResponse.encodeURL("/");
-			httpResponse.encodeRedirectUrl("/");
 			httpResponse.encodeRedirectURL("/");
 			httpResponse.getWriter().write("encodeRedirect");
 		});
 		verify(responseToSpy, never()).encodeRedirectURL(any());
-		verify(responseToSpy, never()).encodeRedirectUrl(any());
 		verify(responseToSpy, never()).encodeURL(any());
-		verify(responseToSpy, never()).encodeUrl(any());
 		assertThat(responseToSpy.getContentAsString()).isEqualTo("encodeRedirect");
 	}
 
@@ -1028,16 +1024,6 @@ public String encodeRedirectURL(String url) {
 			throw new RuntimeException("Unexpected invocation of encodeURL");
 		}
 
-		@Override
-		public String encodeUrl(String url) {
-			throw new RuntimeException("Unexpected invocation of encodeURL");
-		}
-
-		@Override
-		public String encodeRedirectUrl(String url) {
-			throw new RuntimeException("Unexpected invocation of encodeURL");
-		}
-
 	}
 
 }

config/src/test/java/org/springframework/security/config/http/SessionManagementConfigTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -620,16 +620,6 @@ public String encodeRedirectURL(String url) {
 			throw new RuntimeException("Unexpected invocation of encodeURL");
 		}
 
-		@Override
-		public String encodeUrl(String url) {
-			throw new RuntimeException("Unexpected invocation of encodeURL");
-		}
-
-		@Override
-		public String encodeRedirectUrl(String url) {
-			throw new RuntimeException("Unexpected invocation of encodeURL");
-		}
-
 	}
 
 }

dependencies/spring-security-dependencies.gradle

@@ -29,11 +29,13 @@ dependencies {
 		api "io.micrometer:micrometer-observation:$micrometerVersion"
 		api "jakarta.annotation:jakarta.annotation-api:2.1.1"
 		api "jakarta.inject:jakarta.inject-api:2.0.1"
-		api "jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:2.0.0"
+		api "jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0"
 		api "jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.1.0"
-		api "jakarta.servlet:jakarta.servlet-api:5.0.0"
-		api "jakarta.xml.bind:jakarta.xml.bind-api:3.0.1"
+		api "jakarta.servlet:jakarta.servlet-api:6.0.0"
+		api "jakarta.xml.bind:jakarta.xml.bind-api:4.0.0"
 		api "jakarta.persistence:jakarta.persistence-api:3.1.0"
+		api "jakarta.websocket:jakarta.websocket-api:2.1.0"
+		api "jakarta.websocket:jakarta.websocket-client-api:2.1.0"
 		api "ldapsdk:ldapsdk:4.1"
 		api "net.sourceforge.htmlunit:htmlunit:2.65.1"
 		api "net.sourceforge.nekohtml:nekohtml:1.9.22"

web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java

@@ -105,14 +105,6 @@ protected void onResponseCommitted() {
 		this.contextSaved = true;
 	}
 
-	@Override
-	public final String encodeRedirectUrl(String url) {
-		if (this.disableUrlRewriting) {
-			return url;
-		}
-		return super.encodeRedirectUrl(url);
-	}
-
 	@Override
 	public final String encodeRedirectURL(String url) {
 		if (this.disableUrlRewriting) {
@@ -121,14 +113,6 @@ public final String encodeRedirectURL(String url) {
 		return super.encodeRedirectURL(url);
 	}
 
-	@Override
-	public final String encodeUrl(String url) {
-		if (this.disableUrlRewriting) {
-			return url;
-		}
-		return super.encodeUrl(url);
-	}
-
 	@Override
 	public final String encodeURL(String url) {
 		if (this.disableUrlRewriting) {

web/src/main/java/org/springframework/security/web/jackson2/CookieDeserializer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2015-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -51,7 +51,8 @@ public Cookie deserialize(JsonParser jp, DeserializationContext ctxt) throws IOE
 		cookie.setSecure(readJsonNode(jsonNode, "secure").asBoolean());
 		cookie.setVersion(readJsonNode(jsonNode, "version").asInt());
 		cookie.setPath(readJsonNode(jsonNode, "path").asText());
-		cookie.setHttpOnly(readJsonNode(jsonNode, "httpOnly").asBoolean());
+		JsonNode attributes = readJsonNode(jsonNode, "attributes");
+		cookie.setHttpOnly(readJsonNode(attributes, "HttpOnly").asBoolean());
 		return cookie;
 	}
 

web/src/main/java/org/springframework/security/web/session/DisableEncodeUrlFilter.java

@@ -61,21 +61,11 @@ private DisableEncodeUrlResponseWrapper(HttpServletResponse response) {
 			super(response);
 		}
 
-		@Override
-		public String encodeRedirectUrl(String url) {
-			return url;
-		}
-
 		@Override
 		public String encodeRedirectURL(String url) {
 			return url;
 		}
 
-		@Override
-		public String encodeUrl(String url) {
-			return url;
-		}
-
 		@Override
 		public String encodeURL(String url) {
 			return url;

web/src/test/java/org/springframework/security/web/authentication/rememberme/AbstractRememberMeServicesTests.java

@@ -362,28 +362,6 @@ public void setCookieSetsIsHttpOnlyFlagByDefault() {
 		assertThat(cookie.isHttpOnly()).isTrue();
 	}
 
-	// SEC-2791
-	@Test
-	public void setCookieMaxAge0VersionSet() {
-		MockRememberMeServices services = new MockRememberMeServices();
-		MockHttpServletRequest request = new MockHttpServletRequest();
-		MockHttpServletResponse response = new MockHttpServletResponse();
-		services.setCookie(new String[] { "value" }, 0, request, response);
-		Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
-		assertThat(cookie.getVersion()).isEqualTo(1);
-	}
-
-	// SEC-2791
-	@Test
-	public void setCookieMaxAgeNegativeVersionSet() {
-		MockRememberMeServices services = new MockRememberMeServices();
-		MockHttpServletRequest request = new MockHttpServletRequest();
-		MockHttpServletResponse response = new MockHttpServletResponse();
-		services.setCookie(new String[] { "value" }, -1, request, response);
-		Cookie cookie = response.getCookie(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
-		assertThat(cookie.getVersion()).isEqualTo(1);
-	}
-
 	// SEC-2791
 	@Test
 	public void setCookieMaxAge1VersionSet() {