Deprecated API

Contents

• Packages
• Interfaces
• Classes
• Enums
• Exceptions
• Annotation Types
• Fields
• Methods
• Constructors
• Enum Constants

Packages

Package	Description
org.springframework.security.authentication.rcp	as of 5.6.0 with no replacement

Interfaces

Interface	Description
org.springframework.security.authentication.rcp.RemoteAuthenticationManager	as of 5.6.0 with no replacement
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimAccessor	Use OAuth2TokenIntrospectionClaimAccessor instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames	Use OAuth2TokenIntrospectionClaimNames instead
org.springframework.security.openid.AxFetchListFactory	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDConsumer	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.remoting.dns.DnsResolver	as of 5.6.0 with no replacement
org.springframework.security.remoting.dns.InitialContextFactory	as of 5.6.0 with no replacement
org.springframework.security.saml2.provider.service.authentication.Saml2ErrorCodes	Use Saml2ErrorCodes instead
org.springframework.security.web.header.writers.frameoptions.AllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.util.matcher.RequestVariablesExtractor	use RequestMatcher.MatchResult from RequestMatcher.matcher(HttpServletRequest)

Classes

Class	Description
org.springframework.security.acls.domain.EhCacheBasedAclCache	since 5.6. In favor of JCache based implementations
org.springframework.security.authentication.rcp.RemoteAuthenticationManagerImpl	as of 5.6.0 with no replacement
org.springframework.security.authentication.rcp.RemoteAuthenticationProvider	as of 5.6.0 with no replacement
org.springframework.security.cas.authentication.EhCacheBasedTicketCache	since 5.6. In favor of JCache based implementations
org.springframework.security.config.annotation.web.configurers.oauth2.client.ImplicitGrantConfigurer	It is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client. See reference OAuth 2.0 Implicit Grant.
org.springframework.security.config.annotation.web.configurers.openid.OpenIDLoginConfigurer	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration	This is applied internally using SpringWebMvcImportSelector
org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache	since 5.6. In favor of JCache based implementations
org.springframework.security.crypto.codec.Base64	Use java.util.Base64
org.springframework.security.crypto.password.LdapShaPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.Md4PasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.MessageDigestPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.NoOpPasswordEncoder	This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.StandardPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.ldap.server.ApacheDSContainer	Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient	Use DefaultAuthorizationCodeTokenResponseClient
org.springframework.security.oauth2.client.userinfo.CustomUserTypesOAuth2UserService	It is recommended to use a delegation-based strategy of an OAuth2UserService to support custom OAuth2User types, as it provides much greater flexibility compared to this implementation. See the reference manual for details on how to implement.
org.springframework.security.oauth2.client.web.server.UnAuthenticatedServerOAuth2AuthorizedClientRepository	Use AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager instead
org.springframework.security.oauth2.core.endpoint.MapOAuth2AccessTokenResponseConverter	Use DefaultMapOAuth2AccessTokenResponseConverter instead
org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponseMapConverter	Use DefaultOAuth2AccessTokenResponseMapConverter instead
org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport	Use NimbusJwtDecoder or JwtDecoders instead
org.springframework.security.openid.NullAxFetchListFactory	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenID4JavaConsumer	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDAttribute	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDAuthenticationFilter	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDAuthenticationProvider	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDAuthenticationToken	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.RegexBasedAxFetchListFactory	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.remoting.dns.JndiDnsResolver	as of 5.6.0 with no replacement
org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor	as of 5.6.0 with no replacement
org.springframework.security.remoting.rmi.ContextPropagatingRemoteInvocation	as of 5.6.0 with no replacement
org.springframework.security.remoting.rmi.ContextPropagatingRemoteInvocationFactory	as of 5.6.0 with no replacement
org.springframework.security.rsocket.metadata.BasicAuthenticationDecoder	Basic Authentication did not evolve into a standard. Use Simple Authentication instead.
org.springframework.security.rsocket.metadata.BasicAuthenticationEncoder	Basic Authentication did not evolve into a standard. use SimpleAuthenticationEncoder
org.springframework.security.saml2.credentials.Saml2X509Credential	Use Saml2X509Credential instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequest	use Saml2AuthenticationRequestContext
org.springframework.security.saml2.provider.service.authentication.Saml2Error	Use Saml2Error instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails	Use RelyingPartyRegistration.AssertingPartyDetails instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails.Builder	Use RelyingPartyRegistration.AssertingPartyDetails.Builder instead
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver	Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter	use ServerFormLoginAuthenticationConverter instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter	Use ServerHttpBasicAuthenticationConverter instead.

Enums

Enum	Description
org.springframework.security.openid.OpenIDAuthenticationStatus	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType	Use Saml2X509Credential.Saml2X509CredentialType instead

Exceptions

Exceptions	Description
org.springframework.security.authentication.rcp.RemoteAuthenticationException	as of 5.6.0 with no replacement
org.springframework.security.openid.AuthenticationCancelledException	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.openid.OpenIDConsumerException	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.remoting.dns.DnsEntryNotFoundException	as of 5.6.0 with no replacement
org.springframework.security.remoting.dns.DnsLookupException	as of 5.6.0 with no replacement

Annotation Types

Annotation Type	Description
org.springframework.security.access.method.P	use @{code org.springframework.security.core.parameters.P}
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity	Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
org.springframework.security.web.bind.annotation.AuthenticationPrincipal	Use AuthenticationPrincipal instead.

Fields

Field	Description
org.springframework.security.messaging.util.matcher.AbstractMessageMatcherComposite.LOGGER	since 5.4 in favor of AbstractMessageMatcherComposite.logger
org.springframework.security.oauth2.core.AuthorizationGrantType.IMPLICIT
org.springframework.security.oauth2.core.ClientAuthenticationMethod.BASIC	Use ClientAuthenticationMethod.CLIENT_SECRET_BASIC
org.springframework.security.oauth2.core.ClientAuthenticationMethod.POST	Use ClientAuthenticationMethod.CLIENT_SECRET_POST
org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType.TOKEN
org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter.tokenResponseConverter	This field should no longer be used
org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter.tokenResponseParametersConverter	This field should no longer be used
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.AUDIENCE	use OAuth2TokenIntrospectionClaimNames.AUD instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.EXPIRES_AT	use OAuth2TokenIntrospectionClaimNames.EXP instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.ISSUED_AT	use OAuth2TokenIntrospectionClaimNames.IAT instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.ISSUER	use OAuth2TokenIntrospectionClaimNames.ISS instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.NOT_BEFORE	use OAuth2TokenIntrospectionClaimNames.NBF instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.SUBJECT	use OAuth2TokenIntrospectionClaimNames.SUB instead
org.springframework.security.rsocket.metadata.BearerTokenMetadata.BEARER_AUTHENTICATION_MIME_TYPE	Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
org.springframework.security.rsocket.metadata.UsernamePasswordMetadata.BASIC_AUTHENTICATION_MIME_TYPE	Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())

Methods

Method	Description
org.springframework.security.authentication.DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Properties)	use DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Map)
org.springframework.security.config.annotation.rsocket.RSocketSecurity.basicAuthentication(Customizer<RSocketSecurity.BasicAuthenticationSpec>)	Use RSocketSecurity.simpleAuthentication(Customizer)
org.springframework.security.config.annotation.web.builders.HttpSecurity.openidLogin()	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
org.springframework.security.config.annotation.web.builders.WebSecurity.securityInterceptor(FilterSecurityInterceptor)	Use WebSecurity.privilegeEvaluator(WebInvocationPrivilegeEvaluator) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.featurePolicy(String)	Use HeadersConfigurer.permissionsPolicy(Customizer) instead.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.UserInfoEndpointConfig.customUserType(Class<? extends OAuth2User>, String)	See CustomUserTypesOAuth2UserService for alternative usage.
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.featurePolicy(String)	Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder()	Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.
org.springframework.security.crypto.encrypt.Encryptors.queryableText(CharSequence, CharSequence)	This encryptor is not secure. Instead, look to your data store for a mechanism to query encrypted data.
org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(URI)	OidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(String)
org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler.setPostLogoutRedirectUri(URI)	OidcClientInitiatedServerLogoutSuccessHandler.setPostLogoutRedirectUri(String)
org.springframework.security.oauth2.client.registration.ClientRegistration.Builder.redirectUriTemplate(String)	Use ClientRegistration.Builder.redirectUri(String) instead
org.springframework.security.oauth2.client.registration.ClientRegistration.getRedirectUriTemplate()	Use ClientRegistration.getRedirectUri() instead
org.springframework.security.oauth2.client.web.AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest)	Use AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest, HttpServletResponse) instead
org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository.setAllowMultipleAuthorizationRequests(boolean)
org.springframework.security.oauth2.client.web.method.annotation.OAuth2AuthorizedClientArgumentResolver.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>)	Use OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration)	The accessTokenExpiresSkew should be configured with the specific ReactiveOAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsReactiveOAuth2AuthorizedClientProvider or RefreshTokenReactiveOAuth2AuthorizedClientProvider.
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>)	Use ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsReactiveOAuth2AuthorizedClientProvider configured with a WebClientReactiveClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultReactiveOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration)	The accessTokenExpiresSkew should be configured with the specific OAuth2AuthorizedClientProvider implementation, e.g. ClientCredentialsOAuth2AuthorizedClientProvider or RefreshTokenOAuth2AuthorizedClientProvider.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>)	Use ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager) instead. Create an instance of ClientCredentialsOAuth2AuthorizedClientProvider configured with a DefaultClientCredentialsTokenResponseClient (or a custom one) and than supply it to DefaultOAuth2AuthorizedClientManager.
org.springframework.security.oauth2.client.web.server.WebSessionOAuth2ServerAuthorizationRequestRepository.setAllowMultipleAuthorizationRequests(boolean)
org.springframework.security.oauth2.core.ClaimAccessor.containsClaim(String)	Use ClaimAccessor.hasClaim(java.lang.String) instead.
org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest.implicit()	It is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.
org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter.setTokenResponseConverter(Converter<Map<String, String>, OAuth2AccessTokenResponse>)	Use OAuth2AccessTokenResponseHttpMessageConverter.setAccessTokenResponseConverter(Converter) instead
org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter.setTokenResponseParametersConverter(Converter<OAuth2AccessTokenResponse, Map<String, String>>)	Use OAuth2AccessTokenResponseHttpMessageConverter.setAccessTokenResponseParametersConverter(Converter) instead
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter.extractAuthorities(Jwt)	Since 5.2. Use your own custom converter instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimAccessor.getScope()	Since 5.6. Use OAuth2TokenIntrospectionClaimAccessor.getScopes() instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException.getError()	Use Saml2AuthenticationException.getSaml2Error() instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory.createAuthenticationRequest(Saml2AuthenticationRequest)	please use Saml2AuthenticationRequestFactory.createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext) or Saml2AuthenticationRequestFactory.createPostAuthenticationRequest(Saml2AuthenticationRequestContext) This method will be removed in future versions of Spring Security
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getIdpEntityId()	Use getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId() instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getLocalSpEntityId()	Use getRelyingPartyRegistration().getEntityId() instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getRecipientUri()	Use getRelyingPartyRegistration().getAssertionConsumerServiceLocation() instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getX509Credentials()	Get the credentials through Saml2AuthenticationToken.getRelyingPartyRegistration() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.assertionConsumerServiceUrlTemplate(String)	Use RelyingPartyRegistration.Builder.assertionConsumerServiceLocation instead.
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.credentials(Consumer<Collection<Saml2X509Credential>>)	Use RelyingPartyRegistration.Builder.signingX509Credentials or RelyingPartyRegistration.Builder.decryptionX509Credentials instead for relying party keys or RelyingPartyRegistration.AssertingPartyDetails.Builder.verificationX509Credentials or RelyingPartyRegistration.AssertingPartyDetails.Builder.encryptionX509Credentials for asserting party keys
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.idpWebSsoUrl(String)	use #assertingPartyDetails(Consumer<AssertingPartyDetails.Builder >)
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.localEntityIdTemplate(String)	Use RelyingPartyRegistration.Builder.entityId instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.providerDetails(Consumer<RelyingPartyRegistration.ProviderDetails.Builder>)	Use RelyingPartyRegistration.Builder.assertingPartyDetails(java.util.function.Consumer<org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails.Builder>) instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.remoteIdpEntityId(String)	use #assertingPartyDetails(Consumer<AssertingPartyDetails.Builder >)
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getAssertionConsumerServiceUrlTemplate()	Use RelyingPartyRegistration.getAssertionConsumerServiceLocation() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getCredentials()	Instead of retrieving all credentials, use the appropriate method for obtaining the correct type
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getDecryptionCredentials()	Use RelyingPartyRegistration.getDecryptionX509Credentials() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getEncryptionCredentials()	Use RelyingPartyRegistration.AssertingPartyDetails.getEncryptionX509Credentials() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getIdpWebSsoUrl()	use RelyingPartyRegistration.AssertingPartyDetails.getSingleSignOnServiceLocation() from RelyingPartyRegistration.getAssertingPartyDetails()
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getLocalEntityIdTemplate()	Use RelyingPartyRegistration.getEntityId() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getProviderDetails()	Use RelyingPartyRegistration.getAssertingPartyDetails() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getRemoteIdpEntityId()	use RelyingPartyRegistration.AssertingPartyDetails.getEntityId() from RelyingPartyRegistration.getAssertingPartyDetails()
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getSigningCredentials()	Use RelyingPartyRegistration.getSigningX509Credentials() instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getVerificationCredentials()	Use {code #getAssertingPartyDetails().getSigningX509Credentials()} instead
org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter.setAuthenticationRequestFactory(Saml2AuthenticationRequestFactory)	use the constructor instead
org.springframework.security.web.firewall.StrictHttpFirewall.getEncodedUrlBlacklist()	Use StrictHttpFirewall.getEncodedUrlBlocklist() instead
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>)	As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation)	Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.util.matcher.AntPathRequestMatcher.extractUriTemplateVariables(HttpServletRequest)

Constructors

Constructor	Description
org.springframework.security.oauth2.client.endpoint.AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType)	Use AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType, ClientRegistration) instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException(Saml2Error)	Use Saml2Error constructor instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken(String, String, String, String, List<Saml2X509Credential>)	Use Saml2AuthenticationToken(RelyingPartyRegistration, String) instead
org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter(RelyingPartyRegistrationRepository)	use the constructor that takes a Saml2AuthenticationRequestFactory
org.springframework.security.saml2.provider.service.web.DefaultSaml2AuthenticationRequestContextResolver(Converter<HttpServletRequest, RelyingPartyRegistration>)	Use DefaultSaml2AuthenticationRequestContextResolver(RelyingPartyRegistrationResolver) instead
org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter(Converter<HttpServletRequest, RelyingPartyRegistration>)	Use Saml2AuthenticationTokenConverter(RelyingPartyRegistrationResolver) instead
org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter(Converter<HttpServletRequest, RelyingPartyRegistration>, Saml2MetadataResolver)	Use Saml2MetadataFilter(RelyingPartyRegistrationResolver, Saml2MetadataResolver) instead
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter(AllowFromStrategy)	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.

Enum Constants

Enum Constant	Description
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.