Deprecated API

Contents

• Deprecated Interfaces
• Deprecated Classes
• Deprecated Enums
• Deprecated Exceptions
• Deprecated Annotation Types
• Deprecated Fields
• Deprecated Methods
• Deprecated Constructors
• Deprecated Enum Constants

Deprecated Interfaces

Interface and Description
org.springframework.security.web.header.writers.frameoptions.AllowFromStrategy ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.openid.AxFetchListFactory The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDConsumer The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.web.util.matcher.RequestVariablesExtractor use RequestMatcher.MatchResult from RequestMatcher.matcher(HttpServletRequest)
org.springframework.security.saml2.provider.service.authentication.Saml2ErrorCodes Use Saml2ErrorCodes instead

Deprecated Classes

Class and Description
org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.ldap.server.ApacheDSContainer Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.crypto.codec.Base64 Use java.util.Base64
org.springframework.security.rsocket.metadata.BasicAuthenticationDecoder Basic Authentication did not evolve into a standard. Use Simple Authentication instead.
org.springframework.security.rsocket.metadata.BasicAuthenticationEncoder Basic Authentication did not evolve into a standard. use SimpleAuthenticationEncoder
org.springframework.security.oauth2.client.userinfo.CustomUserTypesOAuth2UserService It is recommended to use a delegation-based strategy of an OAuth2UserService to support custom OAuth2User types, as it provides much greater flexibility compared to this implementation. See the reference manual for details on how to implement.
org.springframework.security.config.annotation.web.configurers.oauth2.client.ImplicitGrantConfigurer It is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client. See reference OAuth 2.0 Implicit Grant.
org.springframework.security.crypto.password.LdapShaPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.Md4PasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.MessageDigestPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient Use DefaultAuthorizationCodeTokenResponseClient
org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport Use NimbusJwtDecoder or JwtDecoders instead
org.springframework.security.crypto.password.NoOpPasswordEncoder This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.openid.NullAxFetchListFactory The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenID4JavaConsumer The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDAttribute The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDAuthenticationFilter The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDAuthenticationProvider The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDAuthenticationToken The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.config.annotation.web.configurers.openid.OpenIDLoginConfigurer The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.RegexBasedAxFetchListFactory The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails Use RelyingPartyRegistration.AssertingPartyDetails instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails.Builder Use RelyingPartyRegistration.AssertingPartyDetails.Builder instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequest use Saml2AuthenticationRequestContext
org.springframework.security.saml2.provider.service.authentication.Saml2Error Use Saml2Error instead
org.springframework.security.saml2.credentials.Saml2X509Credential Use Saml2X509Credential instead
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter use ServerFormLoginAuthenticationConverter instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter Use ServerHttpBasicAuthenticationConverter instead.
org.springframework.security.crypto.password.StandardPasswordEncoder Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.oauth2.client.web.server.UnAuthenticatedServerOAuth2AuthorizedClientRepository Use AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager instead
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration This is applied internally using SpringWebMvcImportSelector
org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.

Deprecated Enums

Enum and Description
org.springframework.security.openid.OpenIDAuthenticationStatus The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType Use Saml2X509Credential.Saml2X509CredentialType instead

Deprecated Exceptions

Exceptions and Description
org.springframework.security.openid.AuthenticationCancelledException The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDConsumerException The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.

Deprecated Annotation Types

Annotation Type and Description
org.springframework.security.web.bind.annotation.AuthenticationPrincipal Use AuthenticationPrincipal instead.
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
org.springframework.security.access.method.P use @{code org.springframework.security.core.parameters.P}

Deprecated Fields

Field and Description
org.springframework.security.rsocket.metadata.UsernamePasswordMetadata.BASIC_AUTHENTICATION_MIME_TYPE Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
org.springframework.security.rsocket.metadata.BearerTokenMetadata.BEARER_AUTHENTICATION_MIME_TYPE Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
org.springframework.security.oauth2.core.AuthorizationGrantType.IMPLICIT
org.springframework.security.messaging.util.matcher.AbstractMessageMatcherComposite.LOGGER since 5.4 in favor of AbstractMessageMatcherComposite.logger

Deprecated Methods

Method and Description
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.assertionConsumerServiceUrlTemplate(String) Use RelyingPartyRegistration.Builder.assertionConsumerServiceLocation instead.
org.springframework.security.config.annotation.rsocket.RSocketSecurity.basicAuthentication(Customizer<RSocketSecurity.BasicAuthenticationSpec>) Use RSocketSecurity.simpleAuthentication(Customizer)
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory.createAuthenticationRequest(Saml2AuthenticationRequest) please use Saml2AuthenticationRequestFactory.createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext) or Saml2AuthenticationRequestFactory.createPostAuthenticationRequest(Saml2AuthenticationRequestContext) This method will be removed in future versions of Spring Security
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationRequestFactory.createAuthenticationRequest(Saml2AuthenticationRequest)
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.credentials(Consumer<Collection<Saml2X509Credential>>) Use RelyingPartyRegistration.Builder.signingX509Credentials or RelyingPartyRegistration.Builder.decryptionX509Credentials instead for relying party keys or RelyingPartyRegistration.AssertingPartyDetails.Builder.verificationX509Credentials or RelyingPartyRegistration.AssertingPartyDetails.Builder.encryptionX509Credentials for asserting party keys
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.UserInfoEndpointConfig.customUserType(Class<? extends OAuth2User>, String) See CustomUserTypesOAuth2UserService for alternative usage.
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation) Use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter.extractAuthorities(Jwt) Since 5.2. Use your own custom converter instead
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.web.util.matcher.AntPathRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getAssertionConsumerServiceUrlTemplate() Use RelyingPartyRegistration.getAssertionConsumerServiceLocation() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getCredentials() Instead of retrieving all credentials, use the appropriate method for obtaining the correct type
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getDecryptionCredentials() Use RelyingPartyRegistration.getDecryptionX509Credentials() instead
org.springframework.security.web.firewall.StrictHttpFirewall.getEncodedUrlBlacklist() Use StrictHttpFirewall.getEncodedUrlBlocklist() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getEncryptionCredentials() Use RelyingPartyRegistration.AssertingPartyDetails.getEncryptionX509Credentials() instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException.getError() Use Saml2AuthenticationException.getSaml2Error() instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getIdpEntityId() Use getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getIdpWebSsoUrl() use RelyingPartyRegistration.AssertingPartyDetails.getSingleSignOnServiceLocation() from RelyingPartyRegistration.getAssertingPartyDetails()
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getLocalEntityIdTemplate() Use RelyingPartyRegistration.getEntityId() instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getLocalSpEntityId() Use getRelyingPartyRegistration().getEntityId() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getProviderDetails() Use RelyingPartyRegistration.getAssertingPartyDetails() instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getRecipientUri() Use getRelyingPartyRegistration().getAssertionConsumerServiceLocation() instead
org.springframework.security.oauth2.client.registration.ClientRegistration.getRedirectUriTemplate() Use ClientRegistration.getRedirectUri() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getRemoteIdpEntityId() use RelyingPartyRegistration.AssertingPartyDetails.getEntityId() from RelyingPartyRegistration.getAssertingPartyDetails()
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getSigningCredentials() Use RelyingPartyRegistration.getSigningX509Credentials() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getVerificationCredentials() Use {code #getAssertingPartyDetails().getSigningX509Credentials()} instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getX509Credentials() Get the credentials through Saml2AuthenticationToken.getRelyingPartyRegistration() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.idpWebSsoUrl(String) use #assertingPartyDetails(Consumer<AssertingPartyDetails.Builder >)
org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest.implicit() It is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.localEntityIdTemplate(String) Use RelyingPartyRegistration.Builder.entityId instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.openidLogin() The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.config.annotation.web.builders.HttpSecurity.openidLogin(Customizer<OpenIDLoginConfigurer<HttpSecurity>>) The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.providerDetails(Consumer<RelyingPartyRegistration.ProviderDetails.Builder>) Use RelyingPartyRegistration.Builder.assertingPartyDetails(java.util.function.Consumer<org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails.Builder>) instead
org.springframework.security.crypto.encrypt.Encryptors.queryableText(CharSequence, CharSequence) This encryptor is not secure. Instead, look to your data store for a mechanism to query encrypted data.
org.springframework.security.oauth2.client.registration.ClientRegistration.Builder.redirectUriTemplate(String) Use ClientRegistration.Builder.redirectUri(String) instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.remoteIdpEntityId(String) use #assertingPartyDetails(Consumer<AssertingPartyDetails.Builder >)
org.springframework.security.oauth2.client.web.AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest) Use AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest, HttpServletResponse) instead
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration) The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider or RefreshTokenReactiveOAuth2AuthorizedClientProvider.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration) The accessTokenExpiresSkew should be configured with the specific OAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsOAuth2AuthorizedClientProvider or RefreshTokenOAuth2AuthorizedClientProvider.
org.springframework.security.authentication.DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Properties) use DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Map)
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>) As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter.setAuthenticationRequestFactory(Saml2AuthenticationRequestFactory) use the constructor instead
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.setAuthoritiesExtractor(Converter<Assertion, Collection<? extends GrantedAuthority>>) Use OpenSamlAuthenticationProvider.setResponseAuthenticationConverter(Converter) instead
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.setAuthoritiesMapper(GrantedAuthoritiesMapper) Use OpenSamlAuthenticationProvider.setResponseAuthenticationConverter(Converter) instead
org.springframework.security.oauth2.client.web.method.annotation.OAuth2AuthorizedClientArgumentResolver.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>) Use OAuth2AuthorizedClientArgumentResolver.OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>) Use ServletOAuth2AuthorizedClientExchangeFilterFunction.ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>) Use ServerOAuth2AuthorizedClientExchangeFilterFunction.ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsReactiveOAuth2AuthorizedClientProvider configured with a WebClientReactiveClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultReactiveOAuth2AuthorizedClientManager.
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(URI) OidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(String)
org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler.setPostLogoutRedirectUri(URI) OidcClientInitiatedServerLogoutSuccessHandler.setPostLogoutRedirectUri(String)
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationRequestFactory.setProtocolBinding(String) Use RelyingPartyRegistration.Builder.assertionConsumerServiceBinding(Saml2MessageBinding) instead
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy) use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.saml2.provider.service.authentication.OpenSamlAuthenticationProvider.setResponseTimeValidationSkew(Duration) Use OpenSamlAuthenticationProvider.setAssertionValidator(Converter) instead
org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder() Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

Deprecated Constructors

Constructor and Description
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String) use ConcurrentSessionFilter.ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException(Saml2Error) Use Saml2Error constructor instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException(Saml2Error, String) Use Saml2Error constructor instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException(Saml2Error, String, Throwable) Use Saml2Error constructor instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException(Saml2Error, Throwable) Use Saml2Error constructor instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken(String, String, String, String, List<Saml2X509Credential>) Use Saml2AuthenticationToken.Saml2AuthenticationToken(RelyingPartyRegistration, String) instead
org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter(RelyingPartyRegistrationRepository) use the constructor that takes a Saml2AuthenticationRequestFactory
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter(AllowFromStrategy) ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.

Deprecated Enum Constants

Enum Constant and Description
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.