Deprecated API

Contents

• Deprecated Interfaces
• Deprecated Classes
• Deprecated Annotation Types
• Deprecated Methods
• Deprecated Constructors

Deprecated Interfaces

Interface and Description
org.springframework.security.authentication.encoding.PasswordEncoder It is recommended to use PasswordEncoder instead which better accommodates best practice of randomly generated salt that is included with the password.

Deprecated Classes

Class and Description
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.authentication.encoding.BaseDigestPasswordEncoder This is deprecated and marked for deletion. Replace with an implementation of PasswordEncoder
org.springframework.security.authentication.encoding.BasePasswordEncoder This is deprecated and marked for deletion. Replace with an implementation of PasswordEncoder
org.springframework.security.authentication.encoding.LdapShaPasswordEncoder @deprecated This is deprecated and marked for deletion. Replace with of LdapShaPasswordEncoder
org.springframework.security.crypto.password.LdapShaPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.authentication.encoding.Md4PasswordEncoder This is deprecated and marked for deletion. Replace with an implementation of Md4PasswordEncoder
org.springframework.security.crypto.password.Md4PasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.authentication.encoding.Md5PasswordEncoder This is deprecated and marked for deletion. Replace with an implementation of MessageDigestPasswordEncoder with an algorithm of "MD5"
org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder This is deprecated and marked for deletion. Replace with an implementation of MessageDigestPasswordEncoder
org.springframework.security.crypto.password.MessageDigestPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.NoOpPasswordEncoder This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades.
org.springframework.security.authentication.encoding.PlaintextPasswordEncoder This class will be removed in Spring Security 5. For passivity switch to NoOpPasswordEncoder.
org.springframework.security.authentication.encoding.ShaPasswordEncoder This is deprecated and marked for deletion. Replace with an implementation of MessageDigestPasswordEncoder with an algorithm "SHA-$strength" (i.e. "SHA-1" or "SHA-256").
org.springframework.security.crypto.password.StandardPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration This is applied internally using SpringWebMvcImportSelector

Deprecated Annotation Types

Annotation Type and Description
org.springframework.security.web.bind.annotation.AuthenticationPrincipal Use AuthenticationPrincipal instead.
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.

Deprecated Methods

Method and Description
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation) Use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer.passwordEncoder(PasswordEncoder) Use LdapAuthenticationProviderConfigurer.passwordEncoder(org.springframework.security.crypto.password.PasswordEncoder) instead
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy) use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder() Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

Deprecated Constructors

Constructor and Description
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String) use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.