Deprecated API

Contents

• Deprecated Interfaces
• Deprecated Classes
• Deprecated Fields
• Deprecated Methods
• Deprecated Constructors

Deprecated Interfaces

Interface and Description
org.springframework.security.core.authority.MutableGrantedAuthoritiesContainer
org.springframework.security.authentication.encoding.PasswordEncoder It is recommended to use PasswordEncoder instead which better accommodates best practice of randomly generated salt that is included with the password.
org.springframework.security.web.util.RequestMatcher use RequestMatcher
org.springframework.security.core.session.SessionIdentifierAware Legacy of former concurrency control implementation. Will be removed in a future version.
org.springframework.security.web.access.expression.WebSecurityExpressionHandler

Deprecated Classes

Class and Description
org.springframework.security.web.util.AntPathRequestMatcher use AntPathRequestMatcher
org.springframework.security.web.util.AnyRequestMatcher use org.springframework.security.web.util.matcher.AnyRequestMatcher.INSTANCE instead
org.springframework.security.authentication.AuthenticationDetails
org.springframework.security.authentication.AuthenticationDetailsSourceImpl Write an implementation of AuthenticationDetailsSource which returns the desired type directly.
org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy Use ConcurrentSessionControlAuthenticationStrategy instead
org.springframework.security.access.ConfigAttributeEditor
org.springframework.security.web.util.ELRequestMatcher Use org.springframework.security.web.util.matcher.ELRequestMatcher
org.springframework.security.core.authority.GrantedAuthoritiesContainerImpl
org.springframework.security.core.authority.GrantedAuthorityImpl Use the final class SimpleGrantedAuthority or implement your own.
org.springframework.security.core.userdetails.memory.InMemoryDaoImpl Use InMemoryUserDetailsManager instead (or write your own implementation)
org.springframework.security.web.util.IpAddressMatcher use IpAddressMatcher
org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesAuthenticationDetails
org.springframework.security.web.util.RegexRequestMatcher use RegexRequestMatcher
org.springframework.security.web.util.RequestMatcherEditor use RequestMatcherEditor
org.springframework.security.access.hierarchicalroles.UserDetailsServiceWrapper use a RoleHierarchyVoter or use a RoleHierarchyAuthoritiesMapper to populate the Authentication object with the additional authorities.
org.springframework.security.access.hierarchicalroles.UserDetailsWrapper use a RoleHierarchyVoter or RoleHierarchyAuthoritiesMapper instead.
org.springframework.security.core.userdetails.memory.UserMap Use a plain map instead
org.springframework.security.core.userdetails.memory.UserMapEditor
org.springframework.security.web.authentication.preauth.websphere.WebSphere2SpringSecurityPropagationInterceptor
org.springframework.security.web.authentication.preauth.websphere.WebSpherePreAuthenticatedAuthenticationDetailsSource

Deprecated Fields

Field and Description
org.springframework.security.config.Elements.FILTER_INVOCATION_DEFINITION_SOURCE
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY Use the value in WebAttributes directly.
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.SPRING_SECURITY_LAST_USERNAME_KEY If you want to retain the username, cache it in a customized AuthenticationFailureHandler

Deprecated Methods

Method and Description
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.applyAnonymousForThisRequest(HttpServletRequest) no obvious use case and can easily be achieved by other means
org.springframework.security.core.AuthenticationException.clearExtraInformation()
org.springframework.security.access.SecurityConfig.createSingleAttributeList(String) Use createList instead
org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService.createuserDetails(Authentication, Collection) Use PreAuthenticatedGrantedAuthoritiesUserDetailsService.createUserDetails(Authentication, Collection)
org.springframework.security.core.AuthenticationException.getAuthentication() to avoid potential leaking of sensitive information (e.g. through serialization/remoting).
org.springframework.security.cas.web.CasAuthenticationEntryPoint.getEncodeServiceUrlWithSessionId() since 3.0.0 because CAS is currently on 3.3.5.
org.springframework.security.core.AuthenticationException.getExtraInformation() Use the exception message or use a custom exception if you really need additional information.
org.springframework.security.web.FilterChainProxy.getFilterChainMap() use the list of SecurityFilterChains instead
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.getFilterProcessesUrl()
org.springframework.security.web.authentication.logout.LogoutFilter.getFilterProcessesUrl()
org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer.passwordEncoder(PasswordEncoder) Use LdapAuthenticationProviderConfigurer.passwordEncoder(org.springframework.security.crypto.password.PasswordEncoder) instead
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.requiresAuthentication(HttpServletRequest, HttpServletResponse) use AbstractAuthenticationProcessingFilter.setRequiresAuthenticationRequestMatcher(RequestMatcher) instead
org.springframework.security.core.AuthenticationException.setAuthentication(Authentication)
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.setAuthenticationEntryPoint(AuthenticationEntryPoint) Use constructor injection
org.springframework.security.web.access.ExceptionTranslationFilter.setAuthenticationEntryPoint(AuthenticationEntryPoint) Use constructor
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.setAuthenticationManager(AuthenticationManager) Use constructor injection
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.setAuthenticationManager(AuthenticationManager) Use constructor injection
org.springframework.security.authentication.ProviderManager.setClearExtraInformation(boolean) the extraInformation property is deprecated
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.setConvertToUpperCase(boolean) Convert case in the AuthenticationProvider using a GrantedAuthoritiesMapper.
org.springframework.security.access.vote.AbstractAccessDecisionManager.setDecisionVoters(List) Use constructor
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.setDefaultRole(String) Assign a default role in the AuthenticationProvider using a GrantedAuthoritiesMapper.
org.springframework.security.cas.web.CasAuthenticationEntryPoint.setEncodeServiceUrlWithSessionId(boolean) since 3.0.0 because CAS is currently on 3.3.5.
org.springframework.security.web.session.ConcurrentSessionFilter.setExpiredUrl(String) use constructor injection instead
org.springframework.security.web.FilterChainProxy.setFilterChainMap(Map>) Use the constructor which takes a List<SecurityFilterChain> instead.
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.setFilterProcessesUrl(String) use AbstractAuthenticationProcessingFilter.setRequiresAuthenticationRequestMatcher(RequestMatcher) instead
org.springframework.security.web.authentication.logout.LogoutFilter.setFilterProcessesUrl(String)
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.setIgnoreFailure(boolean) Use the constructor which takes a single AuthenticationManager parameter
org.springframework.security.authentication.AnonymousAuthenticationProvider.setKey(String) Use constructor injection
org.springframework.security.authentication.RememberMeAuthenticationProvider.setKey(String) Use constructor injection
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.setKey(String) use constructor injection instead
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.setKey(String) Use constructor injection
org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint.setLoginFormUrl(String) use constructor injection
org.springframework.security.authentication.ProviderManager.setParent(AuthenticationManager) Use constructor injection
org.springframework.security.authentication.ProviderManager.setProviders(List) Use constructor injection
org.springframework.security.core.token.KeyBasedPersistenceTokenService.setPseudoRandomNumberBits(int) use KeyBasedPersistenceTokenService.setPseudoRandomNumberBytes(int)
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.setRememberMeServices(RememberMeServices) Use constructor injection
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.setRequestCache(RequestCache) Use constructor injection
org.springframework.security.web.access.ExceptionTranslationFilter.setRequestCache(RequestCache) Use constructor
org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy.setRetainedAttributes(List) Override the extractAttributes method instead
org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.setRolePrefix(String) Map the authorities in the AuthenticationProvider using a GrantedAuthoritiesMapper.
org.springframework.security.web.context.SecurityContextPersistenceFilter.setSecurityContextRepository(SecurityContextRepository) Use constructor injection
org.springframework.security.web.session.SessionManagementFilter.setSessionAuthenticationStrategy(SessionAuthenticationStrategy) Use constructor injection
org.springframework.security.web.session.ConcurrentSessionFilter.setSessionRegistry(SessionRegistry) use constructor injection instead
org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.setTokenRepository(PersistentTokenRepository) Use constructor injection
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.setUserAttribute(UserAttribute) use constructor injection instead
org.springframework.security.cas.authentication.CasAuthenticationProvider.setUserDetailsService(UserDetailsService)
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.setUserDetailsService(UserDetailsService) Use constructor injection
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(HttpServletRequest, HttpServletResponse, Authentication) since 3.1. Use AbstractAuthenticationProcessingFilter.successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) instead.

Deprecated Constructors

Constructor and Description
org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices() Use constructor injection
org.springframework.security.authentication.AccountExpiredException(String, Object)
org.springframework.security.authentication.AccountStatusException(String, Object)
org.springframework.security.acls.domain.AclImpl(ObjectIdentity, Serializable, AclAuthorizationStrategy, AuditLogger, Acl, List, boolean, Sid) Use the version which takes a PermissionGrantingStrategy argument instead.
org.springframework.security.access.vote.AffirmativeBased() Use constructor which takes voter list
org.springframework.security.web.authentication.AnonymousAuthenticationFilter() Use constructor injection version
org.springframework.security.authentication.AnonymousAuthenticationProvider() Use constructor injection
org.springframework.security.core.AuthenticationException(String, Object) Use the exception message or use a custom exception if you really need additional information.
org.springframework.security.authentication.BadCredentialsException(String, Object)
org.springframework.security.web.authentication.www.BasicAuthenticationFilter() Use constructor injection
org.springframework.security.acls.jdbc.BasicLookupStrategy(DataSource, AclCache, AclAuthorizationStrategy, AuditLogger) Use the version which takes a PermissionGrantingStrategy argument instead.
org.springframework.security.web.session.ConcurrentSessionFilter() Use constructor which injects the SessionRegistry.
org.springframework.security.access.vote.ConsensusBased() Use constructor which takes voter list
org.springframework.security.authentication.CredentialsExpiredException(String, Object)
org.springframework.security.authentication.DisabledException(String, Object)
org.springframework.security.acls.domain.EhCacheBasedAclCache(Ehcache) use the second constructor which injects the strategy objects. See SEC-1498.
org.springframework.security.web.access.ExceptionTranslationFilter() Use constructor injection
org.springframework.security.authentication.LockedException(String, Object)
org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint() Use constructor injection
org.springframework.security.openid.OpenID4JavaConsumer(ConsumerManager, List)
org.springframework.security.openid.OpenID4JavaConsumer(List) use the AxFetchListFactory version instead.
org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices() Use constructor injection
org.springframework.security.authentication.ProviderManager() Use constructor which takes provider list
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter() Use constructor injection
org.springframework.security.authentication.RememberMeAuthenticationProvider() Use constructor injection
org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource() Use ServiceAuthenticationDetailsSource(ServiceProperties)
org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource(String) Use ServiceAuthenticationDetailsSource(ServiceProperties,String)
org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices() Use with-args constructor
org.springframework.security.access.vote.UnanimousBased() Use constructor which takes voter list
org.springframework.security.core.userdetails.UsernameNotFoundException(String, Object)