Deprecated API

Contents

• Deprecated Interfaces
• Deprecated Classes
• Deprecated Annotation Types
• Deprecated Methods
• Deprecated Constructors

Deprecated Interfaces

Interface and Description
org.springframework.security.web.util.matcher.RequestVariablesExtractor use RequestMatcher.MatchResult from RequestMatcher.matcher(HttpServletRequest)

Deprecated Classes

Class and Description
org.springframework.security.ldap.server.ApacheDSContainer Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.crypto.codec.Base64 Use java.util.Base64
org.springframework.security.crypto.password.LdapShaPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.Md4PasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.MessageDigestPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient Use DefaultAuthorizationCodeTokenResponseClient
org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport Use NimbusJwtDecoder or JwtDecoders instead
org.springframework.security.crypto.password.NoOpPasswordEncoder This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades.
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter use ServerFormLoginAuthenticationConverter instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter Use ServerHttpBasicAuthenticationConverter instead.
org.springframework.security.crypto.password.StandardPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration This is applied internally using SpringWebMvcImportSelector

Deprecated Annotation Types

Annotation Type and Description
org.springframework.security.web.bind.annotation.AuthenticationPrincipal Use AuthenticationPrincipal instead.
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
org.springframework.security.access.method.P use @{code org.springframework.security.core.parameters.P}

Deprecated Methods

Method and Description
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation) Use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter.extractAuthorities(Jwt) Since 5.2. Use your own custom converter instead
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.web.util.matcher.AntPathRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.oauth2.client.web.AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest) Use AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest, HttpServletResponse) instead
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration) The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider or RefreshTokenReactiveOAuth2AuthorizedClientProvider.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration) The accessTokenExpiresSkew should be configured with the specific OAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsOAuth2AuthorizedClientProvider or RefreshTokenOAuth2AuthorizedClientProvider.
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>) As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
org.springframework.security.oauth2.client.web.method.annotation.OAuth2AuthorizedClientArgumentResolver.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>) Use OAuth2AuthorizedClientArgumentResolver.OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>) Use ServletOAuth2AuthorizedClientExchangeFilterFunction.ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>) Use ServerOAuth2AuthorizedClientExchangeFilterFunction.ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsReactiveOAuth2AuthorizedClientProvider configured with a WebClientReactiveClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultReactiveOAuth2AuthorizedClientManager.
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy) use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder() Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

Deprecated Constructors

Constructor and Description
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String) use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.