Add lambda DSL method for featurePolicy

Closes: gh-17321
Signed-off-by: Andrey Litvitski <[email protected]>

Author: therepanic

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -75,6 +75,7 @@
  * @author Vedran Pavic
  * @author Ankur Pathak
  * @author Daniel Garnier-Moiroux
+ * @author Andrey Litvitski
  * @since 3.2
  */
 public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
@@ -355,19 +356,40 @@ public HeadersConfigurer<H> referrerPolicy(Customizer<ReferrerPolicyConfig> refe
 	 * @return the {@link FeaturePolicyConfig} for additional configuration
 	 * @throws IllegalArgumentException if policyDirectives is {@code null} or empty
 	 * @since 5.1
-	 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)} or
-	 * {@code permissionsPolicy(Customizer.withDefaults())} to stick with defaults. See
-	 * the <a href=
-	 * "https://docs.spring.io/spring-security/reference/migration-7/configuration.html#_use_the_lambda_dsl">documentation</a>
-	 * for more details.
 	 * @see ObjectPostProcessorConfiguration FeaturePolicyHeaderWriter
 	 */
-	@Deprecated
 	public FeaturePolicyConfig featurePolicy(String policyDirectives) {
 		this.featurePolicy.writer = new FeaturePolicyHeaderWriter(policyDirectives);
 		return this.featurePolicy;
 	}
 
+	/**
+	 * Allows configuration for <a href="https://wicg.github.io/feature-policy/">Feature
+	 * Policy</a> using the lambda-based DSL.
+	 * <p>
+	 * Calling this method automatically enables (includes) the {@code Feature-Policy}
+	 * header in the response using the supplied policy directive(s).
+	 * <p>
+	 * Configuration is provided to the {@link FeaturePolicyHeaderWriter}, which is
+	 * responsible for writing the header.
+	 * <p>
+	 * Even though the Feature-Policy header has been deprecated in favor of the
+	 * Permissions-Policy header, many browsers still support Feature-Policy. As such,
+	 * this method allows applications to continue using Feature-Policy when necessary.
+	 * @param featurePolicyCustomizer the {@link Customizer} to provide feature policy
+	 * configuration
+	 * @return the {@link HeadersConfigurer} for additional configuration
+	 * @since 6.5
+	 * @see FeaturePolicyHeaderWriter
+	 * @see <a href="https://wicg.github.io/feature-policy/">Feature Policy
+	 * specification</a>
+	 */
+	public HeadersConfigurer<H> featurePolicy(Customizer<FeaturePolicyConfig> featurePolicyCustomizer) {
+		this.featurePolicy.writer = new FeaturePolicyHeaderWriter();
+		featurePolicyCustomizer.customize(this.featurePolicy);
+		return this;
+	}
+
 	/**
 	 * Allows configuration for
 	 * <a href="https://w3c.github.io/webappsec-permissions-policy/"> Permissions
@@ -990,6 +1012,17 @@ public final class FeaturePolicyConfig {
 		private FeaturePolicyConfig() {
 		}
 
+		/**
+		 * Sets the policy directives to be used in the response header.
+		 * @param policyDirectives a permissions policy directives
+		 * @return the {@link FeaturePolicyConfig} for additional configuration
+		 * @throws IllegalArgumentException if policy is null
+		 */
+		public FeaturePolicyConfig policyDirectives(String policyDirectives) {
+			this.writer.setPolicyDirectives(policyDirectives);
+			return this;
+		}
+
 		/**
 		 * Allows completing configuration of Feature Policy and continuing configuration
 		 * of headers.

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -297,6 +297,7 @@
  * @author Ankur Pathak
  * @author Alexey Nesterov
  * @author Yanming Zhou
+ * @author Andrey Litvitski
  * @since 5.0
  */
 public class ServerHttpSecurity {
@@ -2584,14 +2585,22 @@ public HeaderSpec contentSecurityPolicy(Customizer<ContentSecurityPolicySpec> co
 		 * Configures {@code Feature-Policy} response header.
 		 * @param policyDirectives the policy
 		 * @return the {@link FeaturePolicySpec} to configure
-		 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)}
-		 * instead.
 		 */
-		@Deprecated
 		public FeaturePolicySpec featurePolicy(String policyDirectives) {
 			return new FeaturePolicySpec(policyDirectives);
 		}
 
+		/**
+		 * Configures {@code Feature-Policy} response header.
+		 * @param featurePolicyCustomizer the {@link Customizer} to provide more options
+		 * for the {@link FeaturePolicySpec}
+		 * @return the {@link HeaderSpec} to customize
+		 */
+		public HeaderSpec featurePolicy(Customizer<FeaturePolicySpec> featurePolicyCustomizer) {
+			featurePolicyCustomizer.customize(new FeaturePolicySpec());
+			return this;
+		}
+
 		/**
 		 * Configures {@code Permissions-Policy} response header.
 		 * @param permissionsPolicyCustomizer the {@link Customizer} to provide more
@@ -2872,6 +2881,9 @@ private ContentSecurityPolicySpec(String policyDirectives) {
 		 */
 		public final class FeaturePolicySpec {
 
+			private FeaturePolicySpec() {
+			}
+
 			private FeaturePolicySpec(String policyDirectives) {
 				HeaderSpec.this.featurePolicy.setPolicyDirectives(policyDirectives);
 			}

config/src/main/kotlin/org/springframework/security/config/annotation/web/HeadersDsl.kt

@@ -166,7 +166,6 @@ class HeadersDsl {
      *
      * @param policyDirectives policyDirectives the security policy directive(s)
      */
-    @Deprecated("Use 'permissionsPolicy { }' instead.")
     fun featurePolicy(policyDirectives: String) {
         this.featurePolicyDirectives = policyDirectives
     }

web/src/main/java/org/springframework/security/web/header/writers/FeaturePolicyHeaderWriter.java

@@ -42,6 +42,12 @@ public final class FeaturePolicyHeaderWriter implements HeaderWriter {
 
 	private String policyDirectives;
 
+	/**
+	 * Create a new instance of {@link FeaturePolicyHeaderWriter}
+	 */
+	public FeaturePolicyHeaderWriter() {
+	}
+
 	/**
 	 * Create a new instance of {@link FeaturePolicyHeaderWriter} with supplied security
 	 * policy directive(s).