Deprecated List (spring-security-docs 5.8.10 API)

Packages
Package Description

org.springframework.security.authentication.rcp
as of 5.6.0 with no replacement

Packages
Package	Description
org.springframework.security.authentication.rcp	as of 5.6.0 with no replacement

Interfaces
Interface	Description
org.springframework.security.access.AccessDecisionManager	Use `AuthorizationManager` instead
org.springframework.security.access.AccessDecisionVoter	Use `AuthorizationManager` instead
org.springframework.security.access.AfterInvocationProvider	Use delegation with `AuthorizationManager`
org.springframework.security.access.annotation.AnnotationMetadataExtractor	Used only by now-deprecated classes. Consider `SecuredAuthorizationManager` for `@Secured` methods.
org.springframework.security.access.intercept.AfterInvocationManager	Use delegation with `AuthorizationManager`
org.springframework.security.access.intercept.aspectj.AspectJCallback	This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
org.springframework.security.access.intercept.RunAsManager	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.method.MethodSecurityMetadataSource	Use the `use-authorization-manager` attribute for `<method-security>` and `<intercept-methods>` instead or use annotation-based or `AuthorizationManager`-based authorization
org.springframework.security.access.prepost.PostInvocationAttribute	Use `AuthorizationManagerAfterMethodInterceptor` instead
org.springframework.security.access.prepost.PostInvocationAuthorizationAdvice	Use `AuthorizationManagerAfterMethodInterceptor` instead
org.springframework.security.access.prepost.PreInvocationAttribute	Use `AuthorizationManagerBeforeMethodInterceptor` instead
org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice	Use `AuthorizationManagerBeforeMethodInterceptor` instead
org.springframework.security.access.prepost.PrePostInvocationAttributeFactory	Use delegation with `AuthorizationManager`
org.springframework.security.authentication.rcp.RemoteAuthenticationManager	as of 5.6.0 with no replacement
org.springframework.security.messaging.access.intercept.MessageSecurityMetadataSource	Use `MessageMatcherDelegatingAuthorizationManager` instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimAccessor	Use `OAuth2TokenIntrospectionClaimAccessor` instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames	Use `OAuth2TokenIntrospectionClaimNames` instead
org.springframework.security.openid.AxFetchListFactory	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.openid.OpenIDConsumer	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.remoting.dns.DnsResolver	as of 5.6.0 with no replacement
org.springframework.security.remoting.dns.InitialContextFactory	as of 5.6.0 with no replacement
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory	As of 5.7.0, use `Saml2AuthenticationRequestResolver` instead
org.springframework.security.saml2.provider.service.authentication.Saml2ErrorCodes	Use `Saml2ErrorCodes` instead
org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestContextResolver	Use `Saml2AuthenticationRequestResolver` instead
org.springframework.security.web.header.writers.frameoptions.AllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.util.matcher.RequestVariablesExtractor	use `RequestMatcher.MatchResult` from `RequestMatcher.matcher(HttpServletRequest)`

Classes
Class	Description
org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource	Use `Jsr250AuthorizationManager` instead
org.springframework.security.access.annotation.Jsr250SecurityConfig	Use `AuthorizationManagerBeforeMethodInterceptor.jsr250()` instead
org.springframework.security.access.annotation.Jsr250Voter	Use `Jsr250AuthorizationManager` instead
org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource	Use `AuthorizationManagerBeforeMethodInterceptor.secured()`
org.springframework.security.access.event.AbstractAuthorizationEvent	Authorization events have moved. Consider `AuthorizationGrantedEvent` and `AuthorizationDeniedEvent`
org.springframework.security.access.event.AuthenticationCredentialsNotFoundEvent	Authentication is now separated from authorization. Consider `AbstractAuthenticationFailureEvent` instead.
org.springframework.security.access.event.AuthorizationFailureEvent	Use `AuthorizationDeniedEvent` instead
org.springframework.security.access.event.AuthorizedEvent	Use `AuthorizationGrantedEvent` instead
org.springframework.security.access.event.LoggerListener	Logging is now embedded in Spring Security components. If you need further logging, please consider using your own `ApplicationListener`
org.springframework.security.access.event.PublicInvocationEvent	Only used by now-deprecated classes. Consider `EventObject.getSource()` to deduce public invocations.
org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory	Use `AuthorizationManager` interceptors instead
org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice	Use `AuthorizationManagerAfterMethodInterceptor` instead
org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice	Use `AuthorizationManagerAfterMethodInterceptor` instead
org.springframework.security.access.intercept.AbstractSecurityInterceptor	Use `AuthorizationFilter` instead for filter security, `AuthorizationChannelInterceptor` for messaging security, or `AuthorizationManagerBeforeMethodInterceptor` and `AuthorizationManagerAfterMethodInterceptor` for method security.
org.springframework.security.access.intercept.AfterInvocationProviderManager	Use delegation with `AuthorizationManager`
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor	Please use `AuthorizationManagerBeforeMethodInterceptor` and `AuthorizationManagerAfterMethodInterceptor` instead
org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor	Use `EnableMethodSecurity` or publish interceptors directly
org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor	This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
org.springframework.security.access.intercept.aspectj.MethodInvocationAdapter	This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacement
org.springframework.security.access.intercept.InterceptorStatusToken	Use delegation with `AuthorizationManager`
org.springframework.security.access.intercept.MethodInvocationPrivilegeEvaluator	Use `AuthorizationManager` instead
org.springframework.security.access.intercept.RunAsImplAuthenticationProvider	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.intercept.RunAsManagerImpl	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.intercept.RunAsUserToken	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource	Use the `use-authorization-manager` attribute for `<method-security>` and `<intercept-methods>` instead or use annotation-based or `AuthorizationManager`-based authorization
org.springframework.security.access.method.AbstractMethodSecurityMetadataSource	Use the `use-authorization-manager` attribute for `<method-security>` and `<intercept-methods>` instead or use annotation-based or `AuthorizationManager`-based authorization
org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource	Use the `use-authorization-manager` attribute for `<method-security>` and `<intercept-methods>` instead or use annotation-based or `AuthorizationManager`-based authorization
org.springframework.security.access.method.MapBasedMethodSecurityMetadataSource	Use the `use-authorization-manager` attribute for `<method-security>` and `<intercept-methods>` instead or use annotation-based or `AuthorizationManager`-based authorization
org.springframework.security.access.prepost.PostInvocationAdviceProvider	Use `AuthorizationManagerAfterMethodInterceptor` instead
org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter	Use `AuthorizationManagerBeforeMethodInterceptor` instead
org.springframework.security.access.prepost.PrePostAdviceReactiveMethodInterceptor	Use `AuthorizationManagerBeforeReactiveMethodInterceptor` or `AuthorizationManagerAfterReactiveMethodInterceptor`
org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource	Use `PreAuthorizeAuthorizationManager` and `PostAuthorizeAuthorizationManager` instead
org.springframework.security.access.vote.AbstractAccessDecisionManager	Use `AuthorizationManager` instead
org.springframework.security.access.vote.AbstractAclVoter	Now used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.
org.springframework.security.access.vote.AffirmativeBased	Use `AuthorizationManager` instead
org.springframework.security.access.vote.AuthenticatedVoter	Use `AuthorityAuthorizationManager` instead
org.springframework.security.access.vote.ConsensusBased	Use `AuthorizationManager` instead
org.springframework.security.access.vote.RoleHierarchyVoter	Use `AuthorityAuthorizationManager.setRoleHierarchy(org.springframework.security.access.hierarchicalroles.RoleHierarchy)` instead
org.springframework.security.access.vote.RoleVoter	Use `AuthorityAuthorizationManager` instead
org.springframework.security.access.vote.UnanimousBased	Use `AuthorizationManager` instead
org.springframework.security.acls.domain.EhCacheBasedAclCache	since 5.6. In favor of JCache based implementations
org.springframework.security.authentication.rcp.RemoteAuthenticationManagerImpl	as of 5.6.0 with no replacement
org.springframework.security.authentication.rcp.RemoteAuthenticationProvider	as of 5.6.0 with no replacement
org.springframework.security.authorization.method.ExpressionAttributeAuthorizationDecision	Use `ExpressionAuthorizationDecision` instead
org.springframework.security.cas.authentication.EhCacheBasedTicketCache	since 5.6. In favor of JCache based implementations
org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration	Use `PrePostMethodSecurityConfiguration`, `SecuredMethodSecurityConfiguration`, or `Jsr250MethodSecurityConfiguration` instead
org.springframework.security.config.annotation.web.builders.WebSecurity.MvcMatchersIgnoredRequestConfigurer	use `MvcRequestMatcher.Builder` instead
org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter	Use a `SecurityFilterChain` Bean to configure `HttpSecurity` or a `WebSecurityCustomizer` Bean to configure `WebSecurity`. @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated() ); // ... return http.build(); } @Bean public WebSecurityCustomizer webSecurityCustomizer() { return (web) -> web.ignoring().antMatchers("/resources/**"); } See the Spring Security without WebSecurityConfigurerAdapter for more details.
org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer	Use `AuthorizeHttpRequestsConfigurer` instead
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.MvcMatchersAuthorizedUrl	use `MvcRequestMatcher.Builder` instead
org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer	Use `AuthorizeHttpRequestsConfigurer` instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HpkpConfig	see Certificate and Public Key Pinning for more context
org.springframework.security.config.annotation.web.configurers.oauth2.client.ImplicitGrantConfigurer	It is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client. See reference OAuth 2.0 Implicit Grant.
org.springframework.security.config.annotation.web.configurers.openid.OpenIDLoginConfigurer	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer	Use `AuthorizeHttpRequestsConfigurer` instead
org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry	Use `MessageMatcherDelegatingAuthorizationManager` instead
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration	This is applied internally using SpringWebMvcImportSelector
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer	Use `EnableWebSocketSecurity` instead
org.springframework.security.config.http.FilterInvocationSecurityMetadataSourceParser	Use `use-authorization-manager` property instead
org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser	Use `MethodSecurityBeanDefinitionParser` instead
org.springframework.security.config.method.MethodSecurityMetadataSourceBeanDefinitionParser	Use `<intercept-methods>`, `<method-security>`, or `@EnableMethodSecurity`
org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache	since 5.6. In favor of JCache based implementations
org.springframework.security.crypto.codec.Base64	Use java.util.Base64
org.springframework.security.crypto.password.LdapShaPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use `DelegatingPasswordEncoder` which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.Md4PasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use `DelegatingPasswordEncoder` which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.MessageDigestPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use `DelegatingPasswordEncoder` which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.NoOpPasswordEncoder	This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use `DelegatingPasswordEncoder` which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.StandardPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use `DelegatingPasswordEncoder` which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.ldap.server.ApacheDSContainer	Use `UnboundIdContainer` instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
org.springframework.security.messaging.access.expression.ExpressionBasedMessageSecurityMetadataSourceFactory	Use `MessageMatcherDelegatingAuthorizationManager` instead
org.springframework.security.messaging.access.expression.MessageExpressionVoter	Use `MessageMatcherDelegatingAuthorizationManager` instead
org.springframework.security.messaging.access.intercept.ChannelSecurityInterceptor	Use `AuthorizationChannelInterceptor` instead
org.springframework.security.messaging.access.intercept.DefaultMessageSecurityMetadataSource	Use `MessageMatcherDelegatingAuthorizationManager` instead
org.springframework.security.oauth2.client.endpoint.DefaultPasswordTokenResponseClient	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient	Use `DefaultAuthorizationCodeTokenResponseClient`
org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.endpoint.WebClientReactivePasswordTokenResponseClient	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.PasswordOAuth2AuthorizedClientProvider	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.PasswordReactiveOAuth2AuthorizedClientProvider	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.userinfo.CustomUserTypesOAuth2UserService	It is recommended to use a delegation-based strategy of an `OAuth2UserService` to support custom `OAuth2User` types, as it provides much greater flexibility compared to this implementation. See the reference manual for details on how to implement.
org.springframework.security.oauth2.client.web.server.UnAuthenticatedServerOAuth2AuthorizedClientRepository	Use `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager` instead
org.springframework.security.oauth2.core.endpoint.MapOAuth2AccessTokenResponseConverter	Use `DefaultMapOAuth2AccessTokenResponseConverter` instead
org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponseMapConverter	Use `DefaultOAuth2AccessTokenResponseMapConverter` instead
org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport	Use `NimbusJwtDecoder` or `JwtDecoders` instead
org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken	Please use `BearerTokenAuthenticationToken`
org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter	Use `BearerTokenAuthenticationFilter` instead
org.springframework.security.openid.NullAxFetchListFactory	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.openid.OpenID4JavaConsumer	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.openid.OpenIDAttribute	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.openid.OpenIDAuthenticationFilter	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.openid.OpenIDAuthenticationProvider	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.openid.OpenIDAuthenticationToken	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.openid.RegexBasedAxFetchListFactory	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.remoting.dns.JndiDnsResolver	as of 5.6.0 with no replacement
org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor	as of 5.6.0 with no replacement
org.springframework.security.remoting.rmi.ContextPropagatingRemoteInvocation	as of 5.6.0 with no replacement
org.springframework.security.remoting.rmi.ContextPropagatingRemoteInvocationFactory	as of 5.6.0 with no replacement
org.springframework.security.rsocket.metadata.BasicAuthenticationDecoder	Basic Authentication did not evolve into a standard. Use Simple Authentication instead.
org.springframework.security.rsocket.metadata.BasicAuthenticationEncoder	Basic Authentication did not evolve into a standard. use `SimpleAuthenticationEncoder`
org.springframework.security.saml2.credentials.Saml2X509Credential	Use `Saml2X509Credential` instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequest	use `Saml2AuthenticationRequestContext`
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestContext	Use `Saml2AuthenticationRequestResolver` instead
org.springframework.security.saml2.provider.service.authentication.Saml2Error	Use `Saml2Error` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails	Use `RelyingPartyRegistration.AssertingPartyDetails` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.ProviderDetails.Builder	Use `RelyingPartyRegistration.AssertingPartyDetails.Builder` instead
org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter	Use `Saml2WebSsoAuthenticationFilter` instead
org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationRequestFilter	Use `Saml2WebSsoAuthenticationRequestFilter` instead
org.springframework.security.saml2.provider.service.web.DefaultSaml2AuthenticationRequestContextResolver	Use `Saml2AuthenticationRequestResolver` instead
org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator	Use `AuthorizationManagerWebInvocationPrivilegeEvaluator` instead
org.springframework.security.web.access.expression.WebExpressionVoter	Use `WebExpressionAuthorizationManager` instead
org.springframework.security.web.access.intercept.FilterSecurityInterceptor	Use `AuthorizationFilter` instead
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver	Use `AuthenticationPrincipalArgumentResolver` instead.
org.springframework.security.web.context.HttpRequestResponseHolder	Use `SecurityContextRepository.loadDeferredContext(HttpServletRequest)`
org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper	Use `SecurityContextRepository.loadDeferredContext(HttpServletRequest)` instead.
org.springframework.security.web.context.SecurityContextPersistenceFilter	Use `SecurityContextHolderFilter`
org.springframework.security.web.csrf.LazyCsrfTokenRepository	Use `CsrfTokenRepository.loadDeferredToken(HttpServletRequest, HttpServletResponse)` which returns a `DeferredCsrfToken`
org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.HpkpHeaderWriter	see Certificate and Public Key Pinning for more context
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter	use `ServerFormLoginAuthenticationConverter` instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter	Use `ServerHttpBasicAuthenticationConverter` instead.

Enums
Enum	Description
org.springframework.security.openid.OpenIDAuthenticationStatus	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.saml2.credentials.Saml2X509Credential.Saml2X509CredentialType	Use `Saml2X509Credential.Saml2X509CredentialType` instead

Exceptions
Exceptions	Description
org.springframework.security.authentication.rcp.RemoteAuthenticationException	as of 5.6.0 with no replacement
org.springframework.security.openid.AuthenticationCancelledException	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.openid.OpenIDConsumerException	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.remoting.dns.DnsEntryNotFoundException	as of 5.6.0 with no replacement
org.springframework.security.remoting.dns.DnsLookupException	as of 5.6.0 with no replacement

Annotation Types
Annotation Type	Description
org.springframework.security.access.method.P	use @{code org.springframework.security.core.parameters.P}
org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity	Use `EnableMethodSecurity` instead
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity	Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
org.springframework.security.web.bind.annotation.AuthenticationPrincipal	Use `AuthenticationPrincipal` instead.

Fields
Field	Description
org.springframework.security.messaging.util.matcher.AbstractMessageMatcherComposite.LOGGER	since 5.4 in favor of `AbstractMessageMatcherComposite.logger`
org.springframework.security.oauth2.core.AuthorizationGrantType.IMPLICIT
org.springframework.security.oauth2.core.AuthorizationGrantType.PASSWORD	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.core.ClientAuthenticationMethod.BASIC	Use `ClientAuthenticationMethod.CLIENT_SECRET_BASIC`
org.springframework.security.oauth2.core.ClientAuthenticationMethod.POST	Use `ClientAuthenticationMethod.CLIENT_SECRET_POST`
org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType.TOKEN
org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter.tokenResponseConverter	This field should no longer be used
org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter.tokenResponseParametersConverter	This field should no longer be used
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.AUDIENCE	use `OAuth2TokenIntrospectionClaimNames.AUD` instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.EXPIRES_AT	use `OAuth2TokenIntrospectionClaimNames.EXP` instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.ISSUED_AT	use `OAuth2TokenIntrospectionClaimNames.IAT` instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.ISSUER	use `OAuth2TokenIntrospectionClaimNames.ISS` instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.NOT_BEFORE	use `OAuth2TokenIntrospectionClaimNames.NBF` instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.SUBJECT	use `OAuth2TokenIntrospectionClaimNames.SUB` instead
org.springframework.security.rsocket.metadata.BearerTokenMetadata.BEARER_AUTHENTICATION_MIME_TYPE	Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
org.springframework.security.rsocket.metadata.UsernamePasswordMetadata.BASIC_AUTHENTICATION_MIME_TYPE	Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())

Methods
Method	Description
org.springframework.security.authentication.DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Properties)	use `DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Map)`
org.springframework.security.config.annotation.rsocket.RSocketSecurity.basicAuthentication(Customizer<RSocketSecurity.BasicAuthenticationSpec>)	Use `RSocketSecurity.simpleAuthentication(Customizer)`
org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.antMatchers(HttpMethod)	use `AbstractRequestMatcherRegistry.requestMatchers(HttpMethod)` instead
org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.mvcMatchers(String...)	use `AbstractRequestMatcherRegistry.requestMatchers(String...)` instead
org.springframework.security.config.annotation.web.AbstractRequestMatcherRegistry.regexMatchers(HttpMethod, String...)	use `AbstractRequestMatcherRegistry.requestMatchers(RequestMatcher...)` with a `RegexRequestMatcher` instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.antMatcher(String)	use `HttpSecurity.securityMatcher(String...)` instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeRequests()	Use `HttpSecurity.authorizeHttpRequests()` instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.mvcMatcher(String)	use `HttpSecurity.securityMatcher(String...)` instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.openidLogin()	The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
org.springframework.security.config.annotation.web.builders.HttpSecurity.regexMatcher(String)	use `HttpSecurity.securityMatcher(RequestMatcher)` with a `RegexRequestMatcher` instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.requestMatcher(RequestMatcher)	use `HttpSecurity.securityMatcher(RequestMatcher)` instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.RequestMatcherConfigurer.mvcMatchers(HttpMethod, String...)	use `AbstractRequestMatcherRegistry.requestMatchers(HttpMethod, String...)` instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.requestMatchers()	use `HttpSecurity.securityMatchers()` instead
org.springframework.security.config.annotation.web.builders.WebSecurity.IgnoredRequestConfigurer.mvcMatchers(HttpMethod, String...)	use `AbstractRequestMatcherRegistry.requestMatchers(HttpMethod, String...)` instead
org.springframework.security.config.annotation.web.builders.WebSecurity.securityInterceptor(FilterSecurityInterceptor)	Use `WebSecurity.privilegeEvaluator(WebInvocationPrivilegeEvaluator)` instead
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.mvcMatchers(String...)	use `AbstractRequestMatcherRegistry.requestMatchers(String...)` instead
org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.ChannelRequestMatcherRegistry.mvcMatchers(HttpMethod, String...)	use `AbstractRequestMatcherRegistry.requestMatchers(HttpMethod, String...)` instead
org.springframework.security.config.annotation.web.configurers.CsrfConfigurer.ignoringAntMatchers(String...)	use `CsrfConfigurer.ignoringRequestMatchers(RequestMatcher...)` with an `AntPathRequestMatcher` instead
org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.mvcMatchers(HttpMethod, String...)	use `AbstractRequestMatcherRegistry.requestMatchers(HttpMethod, String...)` instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.featurePolicy(String)	Use `HeadersConfigurer.permissionsPolicy(Customizer)` instead.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpPublicKeyPinning()	see Certificate and Public Key Pinning for more context
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig.block(boolean)	use `HeadersConfigurer.XXssConfig.headerValue(XXssProtectionHeaderWriter.HeaderValue)` instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig.xssProtectionEnabled(boolean)	use `HeadersConfigurer.XXssConfig.headerValue(XXssProtectionHeaderWriter.HeaderValue)` instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.UserInfoEndpointConfig.customUserType(Class<? extends OAuth2User>, String)	See `CustomUserTypesOAuth2UserService` for alternative usage.
org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer.StandardInterceptUrlRegistry.mvcMatchers(HttpMethod, String...)	use `AbstractRequestMatcherRegistry.requestMatchers(HttpMethod, String...)` instead
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec.tokenFromMultipartDataEnabled(boolean)	Use `ServerCsrfTokenRequestAttributeHandler.setTokenFromMultipartDataEnabled(boolean)` instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.featurePolicy(String)	Use `ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer)` instead.
org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder()	Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.
org.springframework.security.crypto.argon2.Argon2PasswordEncoder.defaultsForSpringSecurity_v5_2()	Use `Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8()` instead
org.springframework.security.crypto.encrypt.Encryptors.queryableText(CharSequence, CharSequence)	This encryptor is not secure. Instead, look to your data store for a mechanism to query encrypted data.
org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_5()	Use `Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8()` instead
org.springframework.security.crypto.scrypt.SCryptPasswordEncoder.defaultsForSpringSecurity_v4_1()	Use `SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8()` instead
org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder.password()	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(URI)	`OidcClientInitiatedLogoutSuccessHandler.setPostLogoutRedirectUri(String)`
org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler.setPostLogoutRedirectUri(URI)	`OidcClientInitiatedServerLogoutSuccessHandler.setPostLogoutRedirectUri(String)`
org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder.password()	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.registration.ClientRegistration.Builder.redirectUriTemplate(String)	Use `ClientRegistration.Builder.redirectUri(String)` instead
org.springframework.security.oauth2.client.registration.ClientRegistration.getRedirectUriTemplate()	Use `ClientRegistration.getRedirectUri()` instead
org.springframework.security.oauth2.client.web.AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest)	Use `AuthorizationRequestRepository.removeAuthorizationRequest(HttpServletRequest, HttpServletResponse)` instead
org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository.setAllowMultipleAuthorizationRequests(boolean)
org.springframework.security.oauth2.client.web.method.annotation.OAuth2AuthorizedClientArgumentResolver.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>)	Use `OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager)` instead. Create an instance of `ClientCredentialsOAuth2AuthorizedClientProvider` configured with a `DefaultClientCredentialsTokenResponseClient` (or a custom one) and than supply it to `DefaultOAuth2AuthorizedClientManager`.
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration)	The `accessTokenExpiresSkew` should be configured with the specific `ReactiveOAuth2AuthorizedClientProvider` implementation, e.g. `ClientCredentialsReactiveOAuth2AuthorizedClientProvider` or `RefreshTokenReactiveOAuth2AuthorizedClientProvider`.
org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>)	Use `ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager)` instead. Create an instance of `ClientCredentialsReactiveOAuth2AuthorizedClientProvider` configured with a `WebClientReactiveClientCredentialsTokenResponseClient` (or a custom one) and than supply it to `DefaultReactiveOAuth2AuthorizedClientManager`.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setAccessTokenExpiresSkew(Duration)	The `accessTokenExpiresSkew` should be configured with the specific `OAuth2AuthorizedClientProvider` implementation, e.g. `ClientCredentialsOAuth2AuthorizedClientProvider` or `RefreshTokenOAuth2AuthorizedClientProvider`.
org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest>)	Use `ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)` instead. Create an instance of `ClientCredentialsOAuth2AuthorizedClientProvider` configured with a `DefaultClientCredentialsTokenResponseClient` (or a custom one) and than supply it to `DefaultOAuth2AuthorizedClientManager`.
org.springframework.security.oauth2.client.web.server.WebSessionOAuth2ServerAuthorizationRequestRepository.setAllowMultipleAuthorizationRequests(boolean)
org.springframework.security.oauth2.core.ClaimAccessor.containsClaim(String)	Use `ClaimAccessor.hasClaim(java.lang.String)` instead.
org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest.implicit()	It is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.
org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter.setTokenResponseConverter(Converter<Map<String, String>, OAuth2AccessTokenResponse>)	Use `OAuth2AccessTokenResponseHttpMessageConverter.setAccessTokenResponseConverter(Converter)` instead
org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter.setTokenResponseParametersConverter(Converter<OAuth2AccessTokenResponse, Map<String, String>>)	Use `OAuth2AccessTokenResponseHttpMessageConverter.setAccessTokenResponseParametersConverter(Converter)` instead
org.springframework.security.oauth2.core.oidc.OidcUserInfo.Builder.phoneNumberVerified(String)	Use `OidcUserInfo.Builder.phoneNumberVerified(Boolean)`
org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter.extractAuthorities(Jwt)	Since 5.2. Use your own custom converter instead
org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimAccessor.getScope()	Since 5.6. Use `OAuth2TokenIntrospectionClaimAccessor.getScopes()` instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException.getError()	Use `Saml2AuthenticationException.getSaml2Error()` instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationRequestFactory.createAuthenticationRequest(Saml2AuthenticationRequest)	please use `Saml2AuthenticationRequestFactory.createRedirectAuthenticationRequest(Saml2AuthenticationRequestContext)` or `Saml2AuthenticationRequestFactory.createPostAuthenticationRequest(Saml2AuthenticationRequestContext)` This method will be removed in future versions of Spring Security
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getIdpEntityId()	Use `getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId()` instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getLocalSpEntityId()	Use `getRelyingPartyRegistration().getEntityId()` instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getRecipientUri()	Use `getRelyingPartyRegistration().getAssertionConsumerServiceLocation()` instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken.getX509Credentials()	Get the credentials through `Saml2AuthenticationToken.getRelyingPartyRegistration()` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.assertionConsumerServiceUrlTemplate(String)	Use `RelyingPartyRegistration.Builder.assertionConsumerServiceLocation` instead.
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.credentials(Consumer<Collection<Saml2X509Credential>>)	Use `RelyingPartyRegistration.Builder.signingX509Credentials` or `RelyingPartyRegistration.Builder.decryptionX509Credentials` instead for relying party keys or `RelyingPartyRegistration.AssertingPartyDetails.Builder.verificationX509Credentials` or `RelyingPartyRegistration.AssertingPartyDetails.Builder.encryptionX509Credentials` for asserting party keys
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.idpWebSsoUrl(String)	use `#assertingPartyDetails(Consumer<AssertingPartyDetails.Builder >)`
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.localEntityIdTemplate(String)	Use `RelyingPartyRegistration.Builder.entityId` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.providerDetails(Consumer<RelyingPartyRegistration.ProviderDetails.Builder>)	Use `RelyingPartyRegistration.Builder.assertingPartyDetails(java.util.function.Consumer<org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.AssertingPartyDetails.Builder>)` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.Builder.remoteIdpEntityId(String)	use `#assertingPartyDetails(Consumer<AssertingPartyDetails.Builder >)`
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getAssertionConsumerServiceUrlTemplate()	Use `RelyingPartyRegistration.getAssertionConsumerServiceLocation()` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getCredentials()	Instead of retrieving all credentials, use the appropriate method for obtaining the correct type
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getDecryptionCredentials()	Use `RelyingPartyRegistration.getDecryptionX509Credentials()` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getEncryptionCredentials()	Use `RelyingPartyRegistration.AssertingPartyDetails.getEncryptionX509Credentials()` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getIdpWebSsoUrl()	use `RelyingPartyRegistration.AssertingPartyDetails.getSingleSignOnServiceLocation()` from `RelyingPartyRegistration.getAssertingPartyDetails()`
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getLocalEntityIdTemplate()	Use `RelyingPartyRegistration.getEntityId()` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getProviderDetails()	Use `RelyingPartyRegistration.getAssertingPartyDetails()` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getRemoteIdpEntityId()	use `RelyingPartyRegistration.AssertingPartyDetails.getEntityId()` from `RelyingPartyRegistration.getAssertingPartyDetails()`
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getSigningCredentials()	Use `RelyingPartyRegistration.getSigningX509Credentials()` instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.getVerificationCredentials()	Use {code #getAssertingPartyDetails().getSigningX509Credentials()} instead
org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter.setAuthenticationRequestFactory(Saml2AuthenticationRequestFactory)	use the constructor instead
org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter.setRedirectMatcher(RequestMatcher)	Configure the request matcher in an implementation of `Saml2AuthenticationRequestResolver` instead
org.springframework.security.web.context.SecurityContextRepository.loadContext(HttpRequestResponseHolder)	Use `SecurityContextRepository.loadDeferredContext(HttpServletRequest)` instead.
org.springframework.security.web.firewall.StrictHttpFirewall.getEncodedUrlBlacklist()	Use `StrictHttpFirewall.getEncodedUrlBlocklist()` instead
org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.setBlock(boolean)	use `XXssProtectionHeaderWriter.setHeaderValue(HeaderValue)` instead
org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.setEnabled(boolean)	use `XXssProtectionHeaderWriter.setHeaderValue(HeaderValue)` instead
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>)	As of 5.1 in favor of `AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)`
org.springframework.security.web.server.authorization.ExceptionTranslationWebFilter.setMessageSource(MessageSource)	This class no longer retrieves error messages from a MessageSource
org.springframework.security.web.server.csrf.CsrfWebFilter.setTokenFromMultipartDataEnabled(boolean)	Use `ServerCsrfTokenRequestAttributeHandler.setTokenFromMultipartDataEnabled(boolean)` instead
org.springframework.security.web.server.header.XXssProtectionServerHttpHeadersWriter.setBlock(boolean)	use `XXssProtectionServerHttpHeadersWriter.setHeaderValue(HeaderValue)` instead
org.springframework.security.web.server.header.XXssProtectionServerHttpHeadersWriter.setEnabled(boolean)	use `XXssProtectionServerHttpHeadersWriter.setHeaderValue(HeaderValue)` instead
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation)	Use `ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy)` instead.
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy)	use `ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy)` instead.
org.springframework.security.web.util.matcher.AntPathRequestMatcher.extractUriTemplateVariables(HttpServletRequest)

Constructors
Constructor	Description
org.springframework.security.crypto.argon2.Argon2PasswordEncoder()	Use `Argon2PasswordEncoder.defaultsForSpringSecurity_v5_2()` instead
org.springframework.security.crypto.password.Pbkdf2PasswordEncoder()	Use `Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_5()` instead
org.springframework.security.crypto.scrypt.SCryptPasswordEncoder()	Use `SCryptPasswordEncoder.defaultsForSpringSecurity_v4_1()` instead
org.springframework.security.oauth2.client.endpoint.AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType)	Use `AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType, ClientRegistration)` instead
org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest.Builder()	Use `Builder(RelyingPartyRegistration)` instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException(Saml2Error)	Use `Saml2Error` constructor instead
org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken(String, String, String, String, List<Saml2X509Credential>)	Use `Saml2AuthenticationToken(RelyingPartyRegistration, String)` instead
org.springframework.security.saml2.provider.service.web.DefaultSaml2AuthenticationRequestContextResolver(Converter<HttpServletRequest, RelyingPartyRegistration>)	Use `DefaultSaml2AuthenticationRequestContextResolver(RelyingPartyRegistrationResolver)` instead
org.springframework.security.saml2.provider.service.web.Saml2AuthenticationTokenConverter(Converter<HttpServletRequest, RelyingPartyRegistration>)	Use `Saml2AuthenticationTokenConverter(RelyingPartyRegistrationResolver)` instead
org.springframework.security.saml2.provider.service.web.Saml2MetadataFilter(Converter<HttpServletRequest, RelyingPartyRegistration>, Saml2MetadataResolver)	Use `Saml2MetadataFilter(RelyingPartyRegistrationResolver, Saml2MetadataResolver)` instead
org.springframework.security.saml2.provider.service.web.Saml2WebSsoAuthenticationRequestFilter(RelyingPartyRegistrationRepository)	use the constructor that takes a `Saml2AuthenticationRequestFactory`
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter(AllowFromStrategy)	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String)	use `ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy)` with `SimpleRedirectSessionInformationExpiredStrategy` instead.

Enum Constants
Enum Constant	Description
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.

Deprecated API

Contents