Deprecated API

Contents

• Terminally Deprecated
• Interfaces
• Classes
• Annotation Interfaces
• Fields
• Methods
• Constructors
• Enum Constants

Terminally Deprecated Elements

Element	Description
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.apply(C)	For removal in 7.0. Use AbstractConfiguredSecurityBuilder.with(SecurityConfigurerAdapter, Customizer) instead.
org.springframework.security.config.annotation.SecurityConfigurerAdapter.and()	For removal in 7.0. Use the lambda based configuration instead.
org.springframework.security.config.annotation.web.builders.HttpSecurity.anonymous()	For removal in 7.0. Use HttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeHttpRequests()	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.cors()	For removal in 7.0. Use HttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.csrf()	For removal in 7.0. Use HttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.exceptionHandling()	For removal in 7.0. Use HttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.formLogin()	For removal in 7.0. Use HttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.headers()	For removal in 7.0. Use HttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.httpBasic()	For removal in 7.0. Use HttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.jee()	For removal in 7.0. Use HttpSecurity.jee(Customizer) or jee(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.logout()	For removal in 7.0. Use HttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2Client()	For removal in 7.0. Use HttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2Login()	For removal in 7.0. Use HttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2ResourceServer()	For removal in 7.0. Use HttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.portMapper()	For removal in 7.0. Use HttpSecurity.portMapper(Customizer) or portMapper(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.rememberMe()	For removal in 7.0. Use HttpSecurity.rememberMe(Customizer) or rememberMe(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.requestCache()	For removal in 7.0. Use HttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.RequestMatcherConfigurer.and()	Use the lambda based configuration instead. For example: @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .securityMatchers((matchers) -> matchers .requestMatchers("/api/**") ) .authorizeHttpRequests((authorize) -> authorize .anyRequest().hasRole("USER") ) .httpBasic(Customizer.withDefaults()); return http.build(); } }
org.springframework.security.config.annotation.web.builders.HttpSecurity.requiresChannel()	For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) or requiresChannel(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Login()	For removal in 7.0. Use HttpSecurity.saml2Login(Customizer) or saml2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Logout()	For removal in 7.0. Use HttpSecurity.saml2Logout(Customizer) or saml2Logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Metadata()	For removal in 7.0. Use HttpSecurity.saml2Metadata(Customizer) or saml2Metadata(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.securityContext()	For removal in 7.0. Use HttpSecurity.securityContext(Customizer) or securityContext(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.securityMatchers()	For removal in 7.0. Use HttpSecurity.securityMatchers(Customizer) or securityMatchers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.servletApi()	For removal in 7.0. Use HttpSecurity.servletApi(Customizer) or servletApi(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.sessionManagement()	For removal in 7.0. Use HttpSecurity.sessionManagement(Customizer) or sessionManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.x509()	For removal in 7.0. Use HttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.and()	For removal in 7.0. Use the lambda based configuration instead.
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.shouldFilterAllDispatcherTypes(boolean)	Permit access to the DispatcherType instead. @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.ChannelRequestMatcherRegistry.and()	For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.cacheControl()	For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CacheControlConfig.and()	For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.contentSecurityPolicy(String)	For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ContentSecurityPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.contentTypeOptions()	For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) or contentTypeOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ContentTypeOptionsConfig.and()	For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginEmbedderPolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginEmbedderPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginOpenerPolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginOpenerPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginResourcePolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginResourcePolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.frameOptions()	For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig.and()	For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig.and()	For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpStrictTransportSecurity()	For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy()	For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.PermissionsPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.referrerPolicy()	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy)	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ReferrerPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.xssProtection()	For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig.and()	For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer.authorizationCodeGrant()	For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer.AuthorizationCodeGrantConfigurer.and()	For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.authorizationEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.AuthorizationEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.redirectionEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.RedirectionEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.tokenEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.TokenEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.userInfoEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) or userInfoEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.UserInfoEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer.and()
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.jwt()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.JwtConfigurer.and()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.opaqueToken()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.logoutRequest()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.LogoutRequestConfigurer.and()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.logoutResponse()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.LogoutResponseConfigurer.and()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.ConcurrencyControlConfigurer.and()	For removal in 7.0. Use SessionManagementConfigurer.sessionConcurrency(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.anonymous()	For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.AnonymousSpec.and()	For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.authorizeExchange()	For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) or authorizeExchange(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec.and()	For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.cors()	For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.CorsSpec.and()	For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.csrf()	For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec.and()	For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.exceptionHandling()	For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.ExceptionHandlingSpec.and()	For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.formLogin()	For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.FormLoginSpec.and()	For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.headers()	For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.and()	For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.cache()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.cache(Customizer) or cache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(String)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.contentTypeOptions()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentTypeOptions(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()	For removal in 7.0. Use #featurePolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.frameOptions()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.hsts()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.HstsSpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.permissionsPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.referrerPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.xssProtection()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.httpBasic()	For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HttpBasicSpec.and()	For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HttpsRedirectSpec.and()	use ServerHttpSecurity.redirectToHttps(Customizer)
org.springframework.security.config.web.server.ServerHttpSecurity.logout()	For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.LogoutSpec.and()	For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2Client()	For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ClientSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2Login()	For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2LoginSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2ResourceServer()	For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.jwt()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.JwtSpec.and()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.OpaqueTokenSpec.and()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OidcLogoutSpec.and()
org.springframework.security.config.web.server.ServerHttpSecurity.passwordManagement()	For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) or passwordManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.PasswordManagementSpec.and()	For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.redirectToHttps()	For removal in 7.0. Use ServerHttpSecurity.redirectToHttps(Customizer) or redirectToHttps(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.requestCache()	For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.RequestCacheSpec.and()	For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.x509()	For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.X509Spec.and()	For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.ldap.server.ApacheDSContainer	For removal in 7.0. Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService.setAccessibleScopes(Set<String>)	Use OidcUserService.setRetrieveUserInfo(Predicate) instead
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver(String...)	use JwtIssuerAuthenticationManagerResolver.fromTrustedIssuers(String...)
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver(Collection<String>)	use JwtIssuerAuthenticationManagerResolver.fromTrustedIssuers(Collection)
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver(String...)	use JwtIssuerReactiveAuthenticationManagerResolver.fromTrustedIssuers(String...)
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver(Collection<String>)	use JwtIssuerReactiveAuthenticationManagerResolver.fromTrustedIssuers(Collection)
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.withRelyingPartyRegistration(RelyingPartyRegistration)	Use RelyingPartyRegistration.mutate() instead
org.springframework.security.web.access.intercept.AuthorizationFilter.setShouldFilterAllDispatcherTypes(boolean)	Permit access to the DispatcherType instead. @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
org.springframework.security.web.savedrequest.SavedCookie(String, String, String, String, int, String, boolean, int)	use SavedCookie(String, String, String, int, String, boolean) instead
org.springframework.security.web.savedrequest.SavedCookie.getComment()
org.springframework.security.web.savedrequest.SavedCookie.getVersion()

Deprecated Interfaces

Interface	Description
org.springframework.security.access.AccessDecisionManager	Use AuthorizationManager instead
org.springframework.security.access.AccessDecisionVoter	Use AuthorizationManager instead
org.springframework.security.access.AfterInvocationProvider	Use delegation with AuthorizationManager
org.springframework.security.access.annotation.AnnotationMetadataExtractor	Used only by now-deprecated classes. Consider SecuredAuthorizationManager for `@Secured` methods.
org.springframework.security.access.intercept.AfterInvocationManager	Use delegation with AuthorizationManager
org.springframework.security.access.intercept.aspectj.AspectJCallback	This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
org.springframework.security.access.intercept.RunAsManager	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.method.MethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.prepost.PostInvocationAttribute	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.prepost.PostInvocationAuthorizationAdvice	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.prepost.PreInvocationAttribute	Use AuthorizationManagerBeforeMethodInterceptor instead
org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice	Use AuthorizationManagerBeforeMethodInterceptor instead
org.springframework.security.access.prepost.PrePostInvocationAttributeFactory	Use delegation with AuthorizationManager
org.springframework.security.cas.web.authentication.ServiceAuthenticationDetails	Please use org.springframework.security.cas.authentication.ServiceAuthenticationDetails
org.springframework.security.messaging.access.intercept.MessageSecurityMetadataSource	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.web.header.writers.frameoptions.AllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.util.matcher.RequestVariablesExtractor	use RequestMatcher.MatchResult from RequestMatcher.matcher(HttpServletRequest)

Deprecated Classes

Class	Description
org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource	Use Jsr250AuthorizationManager instead
org.springframework.security.access.annotation.Jsr250SecurityConfig	Use AuthorizationManagerBeforeMethodInterceptor.jsr250() instead
org.springframework.security.access.annotation.Jsr250Voter	Use Jsr250AuthorizationManager instead
org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource	Use AuthorizationManagerBeforeMethodInterceptor.secured()
org.springframework.security.access.event.AbstractAuthorizationEvent	Authorization events have moved. Consider AuthorizationGrantedEvent and AuthorizationDeniedEvent
org.springframework.security.access.event.AuthenticationCredentialsNotFoundEvent	Authentication is now separated from authorization. Consider AbstractAuthenticationFailureEvent instead.
org.springframework.security.access.event.AuthorizationFailureEvent	Use AuthorizationDeniedEvent instead
org.springframework.security.access.event.AuthorizedEvent	Use AuthorizationGrantedEvent instead
org.springframework.security.access.event.LoggerListener	Logging is now embedded in Spring Security components. If you need further logging, please consider using your own ApplicationListener
org.springframework.security.access.event.PublicInvocationEvent	Only used by now-deprecated classes. Consider EventObject.getSource() to deduce public invocations.
org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory	Use AuthorizationManager interceptors instead
org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.intercept.AbstractSecurityInterceptor	Use AuthorizationFilter instead for filter security, AuthorizationChannelInterceptor for messaging security, or AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor for method security.
org.springframework.security.access.intercept.AfterInvocationProviderManager	Use delegation with AuthorizationManager
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor	Please use AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor	Use EnableMethodSecurity or publish interceptors directly
org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor	This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
org.springframework.security.access.intercept.aspectj.MethodInvocationAdapter	This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacement
org.springframework.security.access.intercept.InterceptorStatusToken	Use delegation with AuthorizationManager
org.springframework.security.access.intercept.MethodInvocationPrivilegeEvaluator	Use AuthorizationManager instead
org.springframework.security.access.intercept.RunAsImplAuthenticationProvider	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.intercept.RunAsManagerImpl	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.intercept.RunAsUserToken	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.method.AbstractMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.method.MapBasedMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.prepost.PostInvocationAdviceProvider	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter	Use AuthorizationManagerBeforeMethodInterceptor instead
org.springframework.security.access.prepost.PrePostAdviceReactiveMethodInterceptor	Use AuthorizationManagerBeforeReactiveMethodInterceptor or AuthorizationManagerAfterReactiveMethodInterceptor
org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource	Use PreAuthorizeAuthorizationManager and PostAuthorizeAuthorizationManager instead
org.springframework.security.access.vote.AbstractAccessDecisionManager	Use AuthorizationManager instead
org.springframework.security.access.vote.AbstractAclVoter	Now used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.
org.springframework.security.access.vote.AffirmativeBased	Use AuthorizationManager instead
org.springframework.security.access.vote.AuthenticatedVoter	Use AuthorityAuthorizationManager instead
org.springframework.security.access.vote.ConsensusBased	Use AuthorizationManager instead
org.springframework.security.access.vote.RoleHierarchyVoter	Use AuthorityAuthorizationManager.setRoleHierarchy(org.springframework.security.access.hierarchicalroles.RoleHierarchy) instead
org.springframework.security.access.vote.RoleVoter	Use AuthorityAuthorizationManager instead
org.springframework.security.access.vote.UnanimousBased	Use AuthorizationManager instead
org.springframework.security.authorization.method.ExpressionAttributeAuthorizationDecision	Use ExpressionAuthorizationDecision instead
org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration	Use PrePostMethodSecurityConfiguration, SecuredMethodSecurityConfiguration, or Jsr250MethodSecurityConfiguration instead
org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer	Use AuthorizeHttpRequestsConfigurer instead
org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer	Use AuthorizeHttpRequestsConfigurer instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HpkpConfig	see Certificate and Public Key Pinning for more context
org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer	Use AuthorizeHttpRequestsConfigurer instead
org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration	This is applied internally using SpringWebMvcImportSelector
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer	Use EnableWebSocketSecurity instead
org.springframework.security.config.http.FilterInvocationSecurityMetadataSourceParser	Use `use-authorization-manager` property instead
org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser	Use MethodSecurityBeanDefinitionParser instead
org.springframework.security.config.method.MethodSecurityMetadataSourceBeanDefinitionParser	Use <intercept-methods>, <method-security>, or @EnableMethodSecurity
org.springframework.security.crypto.codec.Base64	Use java.util.Base64
org.springframework.security.crypto.password.LdapShaPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.Md4PasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.MessageDigestPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.NoOpPasswordEncoder	This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.crypto.password.StandardPasswordEncoder	Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
org.springframework.security.ldap.server.ApacheDSContainer	For removal in 7.0. Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
org.springframework.security.messaging.access.expression.ExpressionBasedMessageSecurityMetadataSourceFactory	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.messaging.access.expression.MessageExpressionVoter	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.messaging.access.intercept.ChannelSecurityInterceptor	Use AuthorizationChannelInterceptor instead
org.springframework.security.messaging.access.intercept.DefaultMessageSecurityMetadataSource	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.oauth2.client.endpoint.DefaultPasswordTokenResponseClient	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.endpoint.WebClientReactivePasswordTokenResponseClient	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.PasswordOAuth2AuthorizedClientProvider	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.PasswordReactiveOAuth2AuthorizedClientProvider	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken	Please use BearerTokenAuthenticationToken
org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter	Use BearerTokenAuthenticationFilter instead
org.springframework.security.rsocket.metadata.BasicAuthenticationDecoder	Basic Authentication did not evolve into a standard. Use Simple Authentication instead.
org.springframework.security.rsocket.metadata.BasicAuthenticationEncoder	Basic Authentication did not evolve into a standard. use SimpleAuthenticationEncoder
org.springframework.security.saml2.provider.service.metadata.RequestMatcherMetadataResponseResolver	Please use RequestMatcherMetadataResponseResolver
org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator	Use AuthorizationManagerWebInvocationPrivilegeEvaluator instead
org.springframework.security.web.access.expression.WebExpressionVoter	Use WebExpressionAuthorizationManager instead
org.springframework.security.web.access.intercept.FilterSecurityInterceptor	Use AuthorizationFilter instead
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver	Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.web.context.HttpRequestResponseHolder	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest)
org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest) instead.
org.springframework.security.web.context.SecurityContextPersistenceFilter	Use SecurityContextHolderFilter
org.springframework.security.web.csrf.LazyCsrfTokenRepository	Use CsrfTokenRepository.loadDeferredToken(HttpServletRequest, HttpServletResponse) which returns a DeferredCsrfToken
org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.HpkpHeaderWriter	see Certificate and Public Key Pinning for more context
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter	use ServerFormLoginAuthenticationConverter instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter	Use ServerHttpBasicAuthenticationConverter instead.

Deprecated Annotation Interfaces

Annotation Interface	Description
org.springframework.security.access.method.P	use @{code org.springframework.security.core.parameters.P}
org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity	Use EnableMethodSecurity instead
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity	Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
org.springframework.security.web.bind.annotation.AuthenticationPrincipal	Use AuthenticationPrincipal instead.

Deprecated Fields

Field	Description
org.springframework.security.messaging.util.matcher.AbstractMessageMatcherComposite.LOGGER	since 5.4 in favor of AbstractMessageMatcherComposite.logger
org.springframework.security.oauth2.core.AuthorizationGrantType.PASSWORD	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.rsocket.metadata.BearerTokenMetadata.BEARER_AUTHENTICATION_MIME_TYPE	Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
org.springframework.security.rsocket.metadata.UsernamePasswordMetadata.BASIC_AUTHENTICATION_MIME_TYPE	Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())

Deprecated Methods

Method	Description
org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl.setHierarchy(String)	Use RoleHierarchyImpl.fromHierarchy(java.lang.String) instead
org.springframework.security.authentication.DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Properties)	use DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Map)
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.apply(C)	For removal in 7.0. Use AbstractConfiguredSecurityBuilder.with(SecurityConfigurerAdapter, Customizer) instead.
org.springframework.security.config.annotation.rsocket.RSocketSecurity.basicAuthentication(Customizer<RSocketSecurity.BasicAuthenticationSpec>)	Use RSocketSecurity.simpleAuthentication(Customizer)
org.springframework.security.config.annotation.SecurityConfigurerAdapter.and()	For removal in 7.0. Use the lambda based configuration instead.
org.springframework.security.config.annotation.web.builders.HttpSecurity.anonymous()	For removal in 7.0. Use HttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeHttpRequests()	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeRequests()	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests() instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry>)	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests() instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.cors()	For removal in 7.0. Use HttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.csrf()	For removal in 7.0. Use HttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.exceptionHandling()	For removal in 7.0. Use HttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.formLogin()	For removal in 7.0. Use HttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.headers()	For removal in 7.0. Use HttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.httpBasic()	For removal in 7.0. Use HttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.jee()	For removal in 7.0. Use HttpSecurity.jee(Customizer) or jee(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.logout()	For removal in 7.0. Use HttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2Client()	For removal in 7.0. Use HttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2Login()	For removal in 7.0. Use HttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2ResourceServer()	For removal in 7.0. Use HttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.portMapper()	For removal in 7.0. Use HttpSecurity.portMapper(Customizer) or portMapper(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.rememberMe()	For removal in 7.0. Use HttpSecurity.rememberMe(Customizer) or rememberMe(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.requestCache()	For removal in 7.0. Use HttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.RequestMatcherConfigurer.and()	Use the lambda based configuration instead. For example: @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .securityMatchers((matchers) -> matchers .requestMatchers("/api/**") ) .authorizeHttpRequests((authorize) -> authorize .anyRequest().hasRole("USER") ) .httpBasic(Customizer.withDefaults()); return http.build(); } }
org.springframework.security.config.annotation.web.builders.HttpSecurity.requiresChannel()	For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) or requiresChannel(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Login()	For removal in 7.0. Use HttpSecurity.saml2Login(Customizer) or saml2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Logout()	For removal in 7.0. Use HttpSecurity.saml2Logout(Customizer) or saml2Logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Metadata()	For removal in 7.0. Use HttpSecurity.saml2Metadata(Customizer) or saml2Metadata(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.securityContext()	For removal in 7.0. Use HttpSecurity.securityContext(Customizer) or securityContext(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.securityMatchers()	For removal in 7.0. Use HttpSecurity.securityMatchers(Customizer) or securityMatchers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.servletApi()	For removal in 7.0. Use HttpSecurity.servletApi(Customizer) or servletApi(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.sessionManagement()	For removal in 7.0. Use HttpSecurity.sessionManagement(Customizer) or sessionManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.x509()	For removal in 7.0. Use HttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.and()	For removal in 7.0. Use the lambda based configuration instead.
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.shouldFilterAllDispatcherTypes(boolean)	Permit access to the DispatcherType instead. @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.ChannelRequestMatcherRegistry.and()	For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.cacheControl()	For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CacheControlConfig.and()	For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.contentSecurityPolicy(String)	For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ContentSecurityPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.contentTypeOptions()	For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) or contentTypeOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ContentTypeOptionsConfig.and()	For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginEmbedderPolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginEmbedderPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginOpenerPolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginOpenerPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginResourcePolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginResourcePolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.featurePolicy(String)	For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.frameOptions()	For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig.and()	For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig.and()	For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpPublicKeyPinning()	see Certificate and Public Key Pinning for more context
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig>)	see Certificate and Public Key Pinning for more context
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpStrictTransportSecurity()	For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy()	For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.PermissionsPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.referrerPolicy()	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy)	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ReferrerPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.xssProtection()	For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig.and()	For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer.authorizationCodeGrant()	For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer.AuthorizationCodeGrantConfigurer.and()	For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.authorizationEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.AuthorizationEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.redirectionEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.RedirectionEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.tokenEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.TokenEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.userInfoEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) or userInfoEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.UserInfoEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer.and()
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.jwt()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.JwtConfigurer.and()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.opaqueToken()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.logoutRequest()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.LogoutRequestConfigurer.and()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.logoutResponse()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.LogoutResponseConfigurer.and()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.ConcurrencyControlConfigurer.and()	For removal in 7.0. Use SessionManagementConfigurer.sessionConcurrency(Customizer) instead
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.config.web.server.ServerHttpSecurity.anonymous()	For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.AnonymousSpec.and()	For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.authorizeExchange()	For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) or authorizeExchange(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec.and()	For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.cors()	For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.CorsSpec.and()	For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.csrf()	For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec.and()	For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.exceptionHandling()	For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.ExceptionHandlingSpec.and()	For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.formLogin()	For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.FormLoginSpec.and()	For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.headers()	For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.and()	For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.cache()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.cache(Customizer) or cache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(String)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.contentTypeOptions()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentTypeOptions(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.featurePolicy(String)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()	For removal in 7.0. Use #featurePolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.frameOptions()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.hsts()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.HstsSpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.permissionsPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.referrerPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.xssProtection()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.httpBasic()	For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HttpBasicSpec.and()	For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HttpsRedirectSpec.and()	use ServerHttpSecurity.redirectToHttps(Customizer)
org.springframework.security.config.web.server.ServerHttpSecurity.logout()	For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.LogoutSpec.and()	For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2Client()	For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ClientSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2Login()	For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2LoginSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2ResourceServer()	For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.jwt()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.JwtSpec.and()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.OpaqueTokenSpec.and()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OidcLogoutSpec.and()
org.springframework.security.config.web.server.ServerHttpSecurity.passwordManagement()	For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) or passwordManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.PasswordManagementSpec.and()	For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.redirectToHttps()	For removal in 7.0. Use ServerHttpSecurity.redirectToHttps(Customizer) or redirectToHttps(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.requestCache()	For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.RequestCacheSpec.and()	For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.x509()	For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.X509Spec.and()	For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder()	Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.
org.springframework.security.crypto.argon2.Argon2PasswordEncoder.defaultsForSpringSecurity_v5_2()	Use Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8() instead
org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_5()	Use Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8() instead
org.springframework.security.crypto.scrypt.SCryptPasswordEncoder.defaultsForSpringSecurity_v4_1()	Use SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8() instead
org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder.password()	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder.password(Consumer<OAuth2AuthorizedClientProviderBuilder.PasswordGrantBuilder>)	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService.setAccessibleScopes(Set<String>)	Use OidcUserService.setRetrieveUserInfo(Predicate) instead
org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder.password()	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder.password(Consumer<ReactiveOAuth2AuthorizedClientProviderBuilder.PasswordGrantBuilder>)	The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
org.springframework.security.saml2.provider.service.authentication.OpenSaml4AuthenticationProvider.createDefaultAssertionValidator(Converter<OpenSaml4AuthenticationProvider.AssertionToken, ValidationContext>)	Use OpenSaml4AuthenticationProvider.createDefaultAssertionValidatorWithParameters(java.util.function.Consumer<java.util.Map<java.lang.String, java.lang.Object>>) instead
org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration.withRelyingPartyRegistration(RelyingPartyRegistration)	Use RelyingPartyRegistration.mutate() instead
org.springframework.security.web.access.intercept.AuthorizationFilter.setShouldFilterAllDispatcherTypes(boolean)	Permit access to the DispatcherType instead. @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
org.springframework.security.web.context.SecurityContextRepository.loadContext(HttpRequestResponseHolder)	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest) instead.
org.springframework.security.web.csrf.CookieCsrfTokenRepository.setCookieDomain(String)	Use CookieCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.csrf.CookieCsrfTokenRepository.setCookieHttpOnly(boolean)	Use CookieCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.csrf.CookieCsrfTokenRepository.setCookieMaxAge(int)	Use CookieCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.csrf.CookieCsrfTokenRepository.setSecure(Boolean)	Use CookieCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.firewall.StrictHttpFirewall.getEncodedUrlBlacklist()	Use StrictHttpFirewall.getEncodedUrlBlocklist() instead
org.springframework.security.web.savedrequest.SavedCookie.getComment()
org.springframework.security.web.savedrequest.SavedCookie.getVersion()
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>)	As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.setCookieDomain(String)	Use CookieServerCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.setCookieHttpOnly(boolean)	Use CookieServerCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.setCookieMaxAge(int)	Use CookieServerCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.setSecure(boolean)	Use CookieServerCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation)	Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.util.matcher.AntPathRequestMatcher.extractUriTemplateVariables(HttpServletRequest)

Deprecated Constructors

Constructor	Description
org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl()	Use RoleHierarchyImpl.fromHierarchy(java.lang.String) instead
org.springframework.security.crypto.password.Pbkdf2PasswordEncoder(CharSequence, int, int, int)	Use Pbkdf2PasswordEncoder(CharSequence, int, int, SecretKeyFactoryAlgorithm) instead
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver(String...)	use JwtIssuerAuthenticationManagerResolver.fromTrustedIssuers(String...)
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver(Collection<String>)	use JwtIssuerAuthenticationManagerResolver.fromTrustedIssuers(Collection)
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver(String...)	use JwtIssuerReactiveAuthenticationManagerResolver.fromTrustedIssuers(String...)
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver(Collection<String>)	use JwtIssuerReactiveAuthenticationManagerResolver.fromTrustedIssuers(Collection)
org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest.Builder()	Use Builder(RelyingPartyRegistration) instead
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter(AllowFromStrategy)	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.savedrequest.SavedCookie(String, String, String, String, int, String, boolean, int)	use SavedCookie(String, String, String, int, String, boolean) instead
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.

Deprecated Enum Constants

Enum Constant	Description
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.