Deprecated API

Contents

• Deprecated Interfaces
• Deprecated Classes
• Deprecated Annotation Types
• Deprecated Fields
• Deprecated Methods
• Deprecated Constructors

Deprecated Interfaces

Interface and Description
org.springframework.security.web.util.matcher.RequestVariablesExtractor use RequestMatcher.MatchResult from RequestMatcher.matcher(HttpServletRequest)

Deprecated Classes

Class and Description
org.springframework.security.ldap.server.ApacheDSContainer Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.crypto.codec.Base64 Use java.util.Base64
org.springframework.security.rsocket.metadata.BasicAuthenticationDecoder Basic Authentication did not evolve into a standard. Use Simple Authentication instead.
org.springframework.security.rsocket.metadata.BasicAuthenticationEncoder Basic Authentication did not evolve into a standard. use SimpleAuthenticationEncoder
org.springframework.security.crypto.password.LdapShaPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.Md4PasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.MessageDigestPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient Use DefaultAuthorizationCodeTokenResponseClient
org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport Use NimbusJwtDecoder or JwtDecoders instead
org.springframework.security.crypto.password.NoOpPasswordEncoder This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequest use Saml2AuthenticationRequestContext
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter use ServerFormLoginAuthenticationConverter instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter Use ServerHttpBasicAuthenticationConverter instead.
org.springframework.security.crypto.password.StandardPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.oauth2.client.web.server.UnAuthenticatedServerOAuth2AuthorizedClientRepository Use AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager instead
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration This is applied internally using SpringWebMvcImportSelector

Deprecated Annotation Types

Annotation Type and Description
org.springframework.security.web.bind.annotation.AuthenticationPrincipal Use AuthenticationPrincipal instead.
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
org.springframework.security.access.method.P use @{code org.springframework.security.core.parameters.P}

Deprecated Fields

Field and Description
org.springframework.security.rsocket.metadata.UsernamePasswordMetadata.BASIC_AUTHENTICATION_MIME_TYPE Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
org.springframework.security.rsocket.metadata.BearerTokenMetadata.BEARER_AUTHENTICATION_MIME_TYPE Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
org.springframework.security.oauth2.core.AuthorizationGrantType.IMPLICIT

Deprecated Methods

Method and Description
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.config.annotation.rsocket.RSocketSecurity.basicAuthentication(Customizer<RSocketSecurity.BasicAuthenticationSpec>) Use RSocketSecurity.simpleAuthentication(Customizer)
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory.createAuthenticationRequest(Saml2AuthenticationRequest) please use Saml2AuthenticationRequestFactory.createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext) or Saml2AuthenticationRequestFactory.createPostAuthenticationRequest(Saml2AuthenticationRequestContext) This method will be removed in future versions of Spring Security
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationRequestFactory.createAuthenticationRequest(Saml2AuthenticationRequest)
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation) Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter.extractAuthorities(Jwt) Since 5.2. Use your own custom converter instead
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.web.util.matcher.AntPathRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getIdpWebSsoUrl() use RelyingPartyRegistration.ProviderDetails.getWebSsoUrl() from RelyingPartyRegistration.getProviderDetails()
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getRemoteIdpEntityId() use RelyingPartyRegistration.ProviderDetails.getEntityId() from RelyingPartyRegistration.getProviderDetails()
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.idpWebSsoUrl(String) use RelyingPartyRegistration.Builder.providerDetails(Consumer< ProviderDetails.Builder >)
org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest.implicit() It is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.
org.springframework.security.crypto.encrypt.Encryptors.queryableText(CharSequence, CharSequence) This encryptor is not secure. Instead, look to your data store for a mechanism to query encrypted data.
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.remoteIdpEntityId(String) use RelyingPartyRegistration.Builder.providerDetails(Consumer< ProviderDetails.Builder >)
org.springframework.security.oauth2.client.web.AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest) Use AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest, HttpServletResponse) instead
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration) The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider or RefreshTokenReactiveOAuth2AuthorizedClientProvider.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration) The accessTokenExpiresSkew should be configured with the specific OAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsOAuth2AuthorizedClientProvider or RefreshTokenOAuth2AuthorizedClientProvider.
org.springframework.security.authentication.DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Properties) use DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Map)
org.springframework.security.oauth2.client.web.server.WebSessionOAuth2ServerAuthorizationRequestRepository.setAllowMultipleAuthorizationRequests(boolean)
org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository.setAllowMultipleAuthorizationRequests(boolean)
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>) As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
org.springframework.security.oauth2.client.web.method.annotation.OAuth2AuthorizedClientArgumentResolver.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>) Use OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>) Use ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>) Use ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsReactiveOAuth2AuthorizedClientProvider configured with a WebClientReactiveClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultReactiveOAuth2AuthorizedClientManager.
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(URI) OidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(String)
org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler.setPostLogoutRedirectUri(URI) OidcClientInitiatedServerLogoutSuccessHandler.setPostLogoutRedirectUri(String)
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy) use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder() Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

Deprecated Constructors

Constructor and Description
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String) use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.