Deprecated API

Contents

• Deprecated Classes
• Deprecated Annotation Types
• Deprecated Methods
• Deprecated Constructors

Deprecated Classes

Class and Description
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.crypto.codec.Base64 Use java.util.Base64
org.springframework.security.crypto.password.LdapShaPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades.
org.springframework.security.crypto.password.Md4PasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades.
org.springframework.security.crypto.password.MessageDigestPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades.
org.springframework.security.crypto.password.NoOpPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades.
org.springframework.security.crypto.password.StandardPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way funciton like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades.
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration This is applied internally using SpringWebMvcImportSelector

Deprecated Annotation Types

Annotation Type and Description
org.springframework.security.web.bind.annotation.AuthenticationPrincipal Use AuthenticationPrincipal instead.
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
org.springframework.security.access.method.P use @{code org.springframework.security.core.parameters.P}

Deprecated Methods

Method and Description
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation) Use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy) use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.

Deprecated Constructors

Constructor and Description
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String) use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.