With the introduction of AuthorizationManager, it should be possible to deprecate WebInvocationPrivilegeEvaluator.
The steps are as follows:
- [ ] Expose an Authorization Manager that can accept request elements
- [ ] Update JSP taglib support to use AuthorizationManager
- [ ] Deprecate WebInvocationPrivilegeEvaluator and implementations
Note that the default WebInvocationPrivilegeEvaluator implementation also allows for setting a HttpServletRequestTransformer; however this need not be ported as it exists largely to facilitate coordination with HandlerMappingIntrospector, which is also being deprecated.
Comment From: rwinch
After further investigation this is not as urgent to get into Spring Security 7. Eventually we will move users to something like AuthorizationManager<Route>, but WebInvocationPrivegeEvaluator should be able to delegate to this. For that reason, this issue is not going to be addressed until after Spring Security 7