Deprecated API

Contents

• Interfaces
• Classes
• Annotation Types
• Methods
• Constructors

Interfaces

Interface	Description
org.springframework.security.web.util.matcher.RequestVariablesExtractor	use RequestMatcher.MatchResult from RequestMatcher.matcher(HttpServletRequest)

Classes

Class	Description
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration	This is applied internally using SpringWebMvcImportSelector
org.springframework.security.crypto.codec.Base64	Use java.util.Base64
org.springframework.security.crypto.password.LdapShaPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.Md4PasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.MessageDigestPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.NoOpPasswordEncoder	This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.StandardPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.ldap.server.ApacheDSContainer	Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient	Use DefaultAuthorizationCodeTokenResponseClient
org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport	Use NimbusJwtDecoder or JwtDecoders instead
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver	Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter	use ServerFormLoginAuthenticationConverter instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter	Use ServerHttpBasicAuthenticationConverter instead.

Annotation Types

Annotation Type	Description
org.springframework.security.access.method.P	use @{code org.springframework.security.core.parameters.P}
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity	Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
org.springframework.security.web.bind.annotation.AuthenticationPrincipal	Use AuthenticationPrincipal instead.

Methods

Method	Description
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder()	Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.
org.springframework.security.crypto.encrypt.Encryptors.queryableText(CharSequence, CharSequence)	This encryptor is not secure. Instead, look to your data store for a mechanism to query encrypted data.
org.springframework.security.oauth2.client.web.AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest)	Use AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest, HttpServletResponse) instead
org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository.setAllowMultipleAuthorizationRequests(boolean)
org.springframework.security.oauth2.client.web.method.annotation.OAuth2AuthorizedClientArgumentResolver.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>)	Use OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration)	The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider or RefreshTokenReactiveOAuth2AuthorizedClientProvider.
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>)	Use ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsReactiveOAuth2AuthorizedClientProvider configured with a WebClientReactiveClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultReactiveOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration)	The accessTokenExpiresSkew should be configured with the specific OAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsOAuth2AuthorizedClientProvider or RefreshTokenOAuth2AuthorizedClientProvider.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>)	Use ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.server.WebSessionOAuth2ServerAuthorizationRequestRepository.setAllowMultipleAuthorizationRequests(boolean)
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter.extractAuthorities(Jwt)	Since 5.2. Use your own custom converter instead
org.springframework.security.web.firewall.StrictHttpFirewall.getEncodedUrlBlacklist()	Use StrictHttpFirewall.getEncodedUrlBlocklist() instead
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>)	As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation)	Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.util.matcher.AntPathRequestMatcher.extractUriTemplateVariables(HttpServletRequest)

Constructors

Constructor	Description
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.