Deprecated API
Contents
-
InterfaceDescriptionUse
OAuth2TokenIntrospectionClaimNames
insteadALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
ClassDescriptionUse a
SecurityFilterChain
Bean to configureHttpSecurity
or aWebSecurityCustomizer
Bean to configureWebSecurity
org.springframework.security.config.annotation.web.configurers.oauth2.client.ImplicitGrantConfigurerIt is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client. See reference OAuth 2.0 Implicit Grant.org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfigurationThis is applied internally using SpringWebMvcImportSelectorUse java.util.Base64Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.UseUnboundIdContainer
instead because ApacheDS 1.x is no longer supported with no GA version to replace it.It is recommended to use a delegation-based strategy of anOAuth2UserService
to support customOAuth2User
types, as it provides much greater flexibility compared to this implementation. See the reference manual for details on how to implement.UseDefaultMapOAuth2AccessTokenResponseConverter
insteadUseDefaultOAuth2AccessTokenResponseMapConverter
insteadUseNimbusJwtDecoder
orJwtDecoders
insteadBasic Authentication did not evolve into a standard. Use Simple Authentication instead.Basic Authentication did not evolve into a standard. useSimpleAuthenticationEncoder
UseAuthenticationPrincipalArgumentResolver
instead.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.useServerFormLoginAuthenticationConverter
instead.UseServerHttpBasicAuthenticationConverter
instead.
-
Annotation InterfaceDescriptionuse @{code org.springframework.security.core.parameters.P}Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.Use
AuthenticationPrincipal
instead.
-
FieldDescriptionsince 5.4 in favor of
AbstractMessageMatcherComposite.logger
This field should no longer be usedThis field should no longer be useduseOAuth2TokenIntrospectionClaimNames.AUD
insteaduseOAuth2TokenIntrospectionClaimNames.EXP
insteaduseOAuth2TokenIntrospectionClaimNames.IAT
insteaduseOAuth2TokenIntrospectionClaimNames.ISS
insteaduseOAuth2TokenIntrospectionClaimNames.NBF
insteaduseOAuth2TokenIntrospectionClaimNames.SUB
insteadBasic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
-
MethodDescriptionUse
HeadersConfigurer.permissionsPolicy(Customizer)
instead.SeeCustomUserTypesOAuth2UserService
for alternative usage.Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.This encryptor is not secure. Instead, look to your data store for a mechanism to query encrypted data.UseClientRegistration.Builder.redirectUri(String)
insteadUseClientRegistration.getRedirectUri()
insteadUseOAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager)
instead. Create an instance ofClientCredentialsOAuth2AuthorizedClientProvider
configured with aDefaultClientCredentialsTokenResponseClient
(or a custom one) and than supply it toDefaultOAuth2AuthorizedClientManager
.TheaccessTokenExpiresSkew
should be configured with the specificReactiveOAuth2AuthorizedClientProvider
implementation, e.g.ClientCredentialsReactiveOAuth2AuthorizedClientProvider
orRefreshTokenReactiveOAuth2AuthorizedClientProvider
.UseServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager)
instead. Create an instance ofClientCredentialsReactiveOAuth2AuthorizedClientProvider
configured with aWebClientReactiveClientCredentialsTokenResponseClient
(or a custom one) and than supply it toDefaultReactiveOAuth2AuthorizedClientManager
.TheaccessTokenExpiresSkew
should be configured with the specificOAuth2AuthorizedClientProvider
implementation, e.g.ClientCredentialsOAuth2AuthorizedClientProvider
orRefreshTokenOAuth2AuthorizedClientProvider
.UseServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)
instead. Create an instance ofClientCredentialsOAuth2AuthorizedClientProvider
configured with aDefaultClientCredentialsTokenResponseClient
(or a custom one) and than supply it toDefaultOAuth2AuthorizedClientManager
.UseClaimAccessor.hasClaim(java.lang.String)
instead.It is not recommended to use the implicit flow due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.Since 5.2. Use your own custom converter insteadSince 5.6. UseOAuth2TokenIntrospectionClaimAccessor.getScopes()
insteadUseStrictHttpFirewall.getEncodedUrlBlocklist()
insteadAs of 5.1 in favor ofAuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
-
ConstructorDescriptionALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
Enum ConstantDescriptionALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
OAuth2TokenIntrospectionClaimAccessor
instead