Deprecated API
Contents
-
Deprecated Packages
-
Deprecated InterfacesInterfaceDescriptionUse
AuthorizationManagerinsteadUseAuthorizationManagerinsteadUse delegation withAuthorizationManagerUsed only by now-deprecated classes. ConsiderSecuredAuthorizationManagerfor `@Secured` methods.Use delegation withAuthorizationManagerThis class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Use theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationManagerBeforeMethodInterceptorinsteadUseAuthorizationManagerBeforeMethodInterceptorinsteadUse delegation withAuthorizationManageras of 5.6.0 with no replacementUseMessageMatcherDelegatingAuthorizationManagerinsteadUseOAuth2TokenIntrospectionClaimAccessorinsteadUseOAuth2TokenIntrospectionClaimNamesinsteadThe OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.as of 5.6.0 with no replacementas of 5.6.0 with no replacementorg.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactoryAs of 5.7.0, useSaml2AuthenticationRequestResolverinsteadUseSaml2ErrorCodesinsteadUseSaml2AuthenticationRequestResolverinsteadALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
Deprecated ClassesClassDescriptionUse
Jsr250AuthorizationManagerinsteadUseJsr250AuthorizationManagerinsteadAuthorization events have moved. ConsiderAuthorizationGrantedEventandAuthorizationDeniedEventAuthentication is now separated from authorization. ConsiderAbstractAuthenticationFailureEventinstead.UseAuthorizationDeniedEventinsteadUseAuthorizationGrantedEventinsteadLogging is now embedded in Spring Security components. If you need further logging, please consider using your ownApplicationListenerOnly used by now-deprecated classes. ConsiderEventObject.getSource()to deduce public invocations.UseAuthorizationManagerinterceptors insteadUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationFilterinstead for filter security,AuthorizationChannelInterceptorfor messaging security, orAuthorizationManagerBeforeMethodInterceptorandAuthorizationManagerAfterMethodInterceptorfor method security.Use delegation withAuthorizationManagerPlease useAuthorizationManagerBeforeMethodInterceptorandAuthorizationManagerAfterMethodInterceptorinsteadUseEnableMethodSecurityor publish interceptors directlyThis class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacementUse delegation withAuthorizationManagerUseAuthorizationManagerinsteadAuthentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Use theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUse theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUse theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUse theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationManagerBeforeMethodInterceptorinsteadUsePreAuthorizeAuthorizationManagerandPostAuthorizeAuthorizationManagerinsteadUseAuthorizationManagerinsteadNow used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.UseAuthorizationManagerinsteadUseAuthorityAuthorizationManagerinsteadUseAuthorizationManagerinsteadUseAuthorityAuthorizationManagerinsteadUseAuthorizationManagerinsteadsince 5.6. In favor of JCache based implementationsas of 5.6.0 with no replacementas of 5.6.0 with no replacementUseExpressionAuthorizationDecisioninsteadsince 5.6. In favor of JCache based implementationsUsePrePostMethodSecurityConfiguration,SecuredMethodSecurityConfiguration, orJsr250MethodSecurityConfigurationinsteaduseMvcRequestMatcher.BuilderinsteadUse aSecurityFilterChainBean to configureHttpSecurityor aWebSecurityCustomizerBean to configureWebSecurity.@Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated() ); // ... return http.build(); } @Bean public WebSecurityCustomizer webSecurityCustomizer() { return (web) -> web.ignoring().antMatchers("/resources/**"); }See the Spring Security without WebSecurityConfigurerAdapter for more details.UseAuthorizeHttpRequestsConfigurerinsteaduseMvcRequestMatcher.BuilderinsteadUseAuthorizeHttpRequestsConfigurerinsteadsee Certificate and Public Key Pinning for more contextorg.springframework.security.config.annotation.web.configurers.oauth2.client.ImplicitGrantConfigurerIt is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client. See reference OAuth 2.0 Implicit Grant.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.UseAuthorizeHttpRequestsConfigurerinsteadUseMessageMatcherDelegatingAuthorizationManagerinsteadorg.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfigurationThis is applied internally using SpringWebMvcImportSelectorUseEnableWebSocketSecurityinsteadUse `use-authorization-manager` property insteadUseMethodSecurityBeanDefinitionParserinsteadUse<intercept-methods>,<method-security>, or@EnableMethodSecuritysince 5.6. In favor of JCache based implementationsUse java.util.Base64Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.UseUnboundIdContainerinstead because ApacheDS 1.x is no longer supported with no GA version to replace it.UseMessageMatcherDelegatingAuthorizationManagerinsteadUseMessageMatcherDelegatingAuthorizationManagerinsteadUseAuthorizationChannelInterceptorinsteadUseMessageMatcherDelegatingAuthorizationManagerinsteadThe latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.It is recommended to use a delegation-based strategy of anOAuth2UserServiceto support customOAuth2Usertypes, as it provides much greater flexibility compared to this implementation. See the reference manual for details on how to implement.UseDefaultMapOAuth2AccessTokenResponseConverterinsteadUseDefaultOAuth2AccessTokenResponseMapConverterinsteadUseNimbusJwtDecoderorJwtDecodersinsteadPlease useBearerTokenAuthenticationTokenUseBearerTokenAuthenticationFilterinsteadThe OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.as of 5.6.0 with no replacementas of 5.6.0 with no replacementas of 5.6.0 with no replacementas of 5.6.0 with no replacementBasic Authentication did not evolve into a standard. Use Simple Authentication instead.Basic Authentication did not evolve into a standard. useSimpleAuthenticationEncoderUseSaml2X509Credentialinsteadorg.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContextUseSaml2AuthenticationRequestResolverinsteadUseSaml2ErrorinsteadUseRelyingPartyRegistration.AssertingPartyDetailsinsteadUseSaml2WebSsoAuthenticationFilterinsteadUseSaml2WebSsoAuthenticationRequestFilterinsteadUseSaml2AuthenticationRequestResolverinsteadUseWebExpressionAuthorizationManagerinsteadUseAuthorizationFilterinsteadUseAuthenticationPrincipalArgumentResolverinstead.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.see Certificate and Public Key Pinning for more contextuseServerFormLoginAuthenticationConverterinstead.UseServerHttpBasicAuthenticationConverterinstead.
-
Deprecated Enum ClassesEnum ClassDescriptionThe OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by
spring-security-oauth2.UseSaml2X509Credential.Saml2X509CredentialTypeinstead
-
Deprecated ExceptionsExceptionsDescriptionas of 5.6.0 with no replacementThe OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by
spring-security-oauth2.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.as of 5.6.0 with no replacementas of 5.6.0 with no replacement
-
Deprecated Annotation InterfacesAnnotation InterfaceDescriptionuse @{code org.springframework.security.core.parameters.P}Use
EnableMethodSecurityinsteadUse EnableWebSecurity instead which will automatically add the Spring MVC related Security items.UseAuthenticationPrincipalinstead.
-
Deprecated FieldsFieldDescriptionsince 5.4 in favor of
AbstractMessageMatcherComposite.loggerThe latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.This field should no longer be usedThis field should no longer be useduseOAuth2TokenIntrospectionClaimNames.AUDinsteaduseOAuth2TokenIntrospectionClaimNames.EXPinsteaduseOAuth2TokenIntrospectionClaimNames.IATinsteaduseOAuth2TokenIntrospectionClaimNames.ISSinsteaduseOAuth2TokenIntrospectionClaimNames.NBFinsteaduseOAuth2TokenIntrospectionClaimNames.SUBinsteadBasic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
-
Deprecated MethodsMethodDescriptionuse
HttpSecurity.securityMatcher(String...)insteadUseHttpSecurity.authorizeHttpRequests()insteadUseHttpSecurity.authorizeHttpRequests()insteaduseHttpSecurity.securityMatcher(String...)insteadThe OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported byspring-security-oauth2.useHttpSecurity.securityMatcher(RequestMatcher)with aRegexRequestMatcherinsteaduseHttpSecurity.securityMatcher(RequestMatcher)insteaduseHttpSecurity.securityMatchers()insteaduseHttpSecurity.securityMatchers(Customizer)insteaduseCsrfConfigurer.ignoringRequestMatchers(RequestMatcher...)with anAntPathRequestMatcherinsteadUseHeadersConfigurer.permissionsPolicy(Customizer)instead.see Certificate and Public Key Pinning for more contextsee Certificate and Public Key Pinning for more contextSeeCustomUserTypesOAuth2UserServicefor alternative usage.Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.This encryptor is not secure. Instead, look to your data store for a mechanism to query encrypted data.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.UseClientRegistration.Builder.redirectUri(String)insteadUseClientRegistration.getRedirectUri()insteadUseOAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager)instead. Create an instance ofClientCredentialsOAuth2AuthorizedClientProviderconfigured with aDefaultClientCredentialsTokenResponseClient(or a custom one) and than supply it toDefaultOAuth2AuthorizedClientManager.TheaccessTokenExpiresSkewshould be configured with the specificReactiveOAuth2AuthorizedClientProviderimplementation, e.g.ClientCredentialsReactiveOAuth2AuthorizedClientProviderorRefreshTokenReactiveOAuth2AuthorizedClientProvider.UseServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager)instead. Create an instance ofClientCredentialsReactiveOAuth2AuthorizedClientProviderconfigured with aWebClientReactiveClientCredentialsTokenResponseClient(or a custom one) and than supply it toDefaultReactiveOAuth2AuthorizedClientManager.TheaccessTokenExpiresSkewshould be configured with the specificOAuth2AuthorizedClientProviderimplementation, e.g.ClientCredentialsOAuth2AuthorizedClientProviderorRefreshTokenOAuth2AuthorizedClientProvider.UseServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)instead. Create an instance ofClientCredentialsOAuth2AuthorizedClientProviderconfigured with aDefaultClientCredentialsTokenResponseClient(or a custom one) and than supply it toDefaultOAuth2AuthorizedClientManager.UseClaimAccessor.hasClaim(java.lang.String)instead.It is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.Since 5.2. Use your own custom converter insteadSince 5.6. UseOAuth2TokenIntrospectionClaimAccessor.getScopes()insteadUseSaml2AuthenticationException.getSaml2Error()insteadplease useSaml2AuthenticationRequestFactory.createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext)orSaml2AuthenticationRequestFactory.createPostAuthenticationRequest(Saml2AuthenticationRequestContext)This method will be removed in future versions of Spring SecurityUsegetRelyingPartyRegistration().getAssertingPartyDetails().getEntityId()insteadUsegetRelyingPartyRegistration().getEntityId()insteadUsegetRelyingPartyRegistration().getAssertionConsumerServiceLocation()insteadGet the credentials throughSaml2AuthenticationToken.getRelyingPartyRegistration()insteadUseRelyingPartyRegistration.Builder.assertionConsumerServiceLocationinstead.UseRelyingPartyRegistration.Builder.signingX509CredentialsorRelyingPartyRegistration.Builder.decryptionX509Credentialsinstead for relying party keys orRelyingPartyRegistration.AssertingPartyDetails.Builder.verificationX509CredentialsorRelyingPartyRegistration.AssertingPartyDetails.Builder.encryptionX509Credentialsfor asserting party keysuse#assertingPartyDetails(Consumer<AssertingPartyDetails.Builder >)UseRelyingPartyRegistration.Builder.entityIdinsteaduse#assertingPartyDetails(Consumer<AssertingPartyDetails.Builder >)Instead of retrieving all credentials, use the appropriate method for obtaining the correct typeUseRelyingPartyRegistration.getEntityId()insteadUse {code #getAssertingPartyDetails().getSigningX509Credentials()} insteaduse the constructor insteadConfigure the request matcher in an implementation ofSaml2AuthenticationRequestResolverinsteadUseStrictHttpFirewall.getEncodedUrlBlocklist()insteadAs of 5.1 in favor ofAuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)This class no longer retrieves error messages from a MessageSource
-
Deprecated ConstructorsConstructorDescriptionUse
Builder(RelyingPartyRegistration)insteadUseSaml2Errorconstructor insteadUseSaml2Errorconstructor insteadUseSaml2Errorconstructor insteadUseSaml2Errorconstructor insteaduse the constructor that takes aSaml2AuthenticationRequestFactoryALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
Deprecated Enum ConstantsEnum ConstantDescriptionALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.