Luke Taylor (Migrated from SEC-1538) said:
I don't believe we need PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails and PreAuthenticatedGrantedAuthoritiesAuthenticationDetails. If they are used at all it is a minority of situations where a custom implementation should be used. Pre-authentication is part of the web module and assumes a dependency on the servlet API, so these extra implementations seem largely redundant.
Luke Taylor said:
Most of the non-web classes seem to be there only to prop-up the WebSphere2SpringSecurityPropagationInterceptor class (which has somehow slipped into the web module). Rather than remove this immediately, I've deprecated it, along with the supporting classes. Setting up a security context for use by a bean shouldn't be something that is only available for websphere and it has wider applicability (for example setting up the invocation of an external service with a particular set of credentials). There is also an overlap with the concept of a "run-as" user.
See SEC-1539 for planned replacement of WebSphere2SpringSecurityPropagationInterceptor.
This issue is related to #1781