Remove unsafe/deprecated Encryptors.querableText(CharSequence,CharSequence)

This method is insecure. Users should instead encrypt with their database.

Closes gh-8980

Author: rwinch

crypto/src/main/java/org/springframework/security/crypto/encrypt/Encryptors.java

@@ -91,23 +91,6 @@ public static TextEncryptor text(CharSequence password, CharSequence salt) {
 		return new HexEncodingTextEncryptor(standard(password, salt));
 	}
 
-	/**
-	 * Creates an encryptor for queryable text strings that uses standard password-based
-	 * encryption. Uses a 16-byte all-zero initialization vector so encrypting the same
-	 * data results in the same encryption result. This is done to allow encrypted data to
-	 * be queried against. Encrypted text is hex-encoded.
-	 * @param password the password used to generate the encryptor's secret key; should
-	 * not be shared
-	 * @param salt a hex-encoded, random, site-global salt value to use to generate the
-	 * secret key
-	 * @deprecated This encryptor is not secure. Instead, look to your data store for a
-	 * mechanism to query encrypted data.
-	 */
-	@Deprecated
-	public static TextEncryptor queryableText(CharSequence password, CharSequence salt) {
-		return new HexEncodingTextEncryptor(new AesBytesEncryptor(password.toString(), salt));
-	}
-
 	/**
 	 * Creates a text encryptor that performs no encryption. Useful for developer testing
 	 * environments where working with plain text strings is desired for simplicity.

crypto/src/test/java/org/springframework/security/crypto/encrypt/EncryptorsTests.java

@@ -66,17 +66,6 @@ public void text() {
 		assertThat(result.equals(encryptor.encrypt("text"))).isFalse();
 	}
 
-	@Test
-	public void queryableText() {
-		CryptoAssumptions.assumeCBCJCE();
-		TextEncryptor encryptor = Encryptors.queryableText("password", "5c0744940b5c369b");
-		String result = encryptor.encrypt("text");
-		assertThat(result).isNotNull();
-		assertThat(result.equals("text")).isFalse();
-		assertThat(encryptor.decrypt(result)).isEqualTo("text");
-		assertThat(result.equals(encryptor.encrypt("text"))).isTrue();
-	}
-
 	@Test
 	public void noOpText() {
 		TextEncryptor encryptor = Encryptors.noOpText();

docs/modules/ROOT/pages/features/integrations/cryptography.adoc

@@ -90,29 +90,6 @@ Encryptors.text("password", "salt")
 A `TextEncryptor` uses a standard `BytesEncryptor` to encrypt text data.
 Encrypted results are returned as hex-encoded strings for easy storage on the filesystem or in a database.
 
-You can use the `Encryptors.queryableText` factory method to construct a "`queryable`" `TextEncryptor`:
-
-.Queryable TextEncryptor
-====
-.Java
-[source,java,role="primary"]
-----
-Encryptors.queryableText("password", "salt");
-----
-
-.Kotlin
-[source,kotlin,role="secondary"]
-----
-Encryptors.queryableText("password", "salt")
-----
-====
-
-The difference between a queryable `TextEncryptor` and a standard `TextEncryptor` has to do with initialization vector (IV) handling.
-The IV used in a queryable `TextEncryptor.encrypt` operation is shared, or constant, and is not randomly generated.
-This means the same text encrypted multiple times always produces the same encryption result.
-This is less secure but necessary for encrypted data that needs to be queried against.
-An example of queryable encrypted text would be an OAuth `apiKey`.
-
 [[spring-security-crypto-keygenerators]]
 == Key Generators
 The {security-api-url}org/springframework/security/crypto/keygen/KeyGenerators.html[`KeyGenerators`] class provides a number of convenience factory methods for constructing different types of key generators.

docs/modules/ROOT/pages/whats-new.adoc

@@ -3,3 +3,8 @@
 
 Spring Security 6.0 provides a number of new features.
 Below are the highlights of the release.
+
+== Breaking Changes
+
+* https://github.com/spring-projects/spring-security/issues/8980[gh-8980] - Remove unsafe/deprecated `Encryptors.querableText(CharSequence,CharSequence)`.
+Instead use data storage to encrypt values.