Deprecated API
Contents
-
ElementDescriptionFor removal in 7.0. Use the lambda based configuration instead.For removal in 7.0. Use
HttpSecurity.anonymous(Customizer)
oranonymous(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.authorizeHttpRequests(Customizer)
insteadFor removal in 7.0. UseHttpSecurity.cors(Customizer)
orcors(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.csrf(Customizer)
orcsrf(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.exceptionHandling(Customizer)
orexceptionHandling(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.formLogin(Customizer)
orformLogin(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.headers(Customizer)
orheaders(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.httpBasic(Customizer)
orhttpBasic(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.jee(Customizer)
orjee(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.logout(Customizer)
orlogout(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.oauth2Client(Customizer)
oroauth2Client(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.oauth2Login(Customizer)
oroauth2Login(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.oauth2ResourceServer(Customizer)
insteadFor removal in 7.0. UseHttpSecurity.portMapper(Customizer)
orportMapper(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.rememberMe(Customizer)
orrememberMe(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.requestCache(Customizer)
orrequestCache(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Use the lambda based configuration instead. For example:@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .securityMatchers((matchers) -> matchers .requestMatchers("/api/**") ) .authorizeHttpRequests((authorize) -> authorize .anyRequest().hasRole("USER") ) .httpBasic(Customizer.withDefaults()); return http.build(); } }
For removal in 7.0. UseHttpSecurity.requiresChannel(Customizer)
orrequiresChannel(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.saml2Login(Customizer)
orsaml2Login(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.saml2Logout(Customizer)
orsaml2Logout(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.saml2Metadata(Customizer)
orsaml2Metadata(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.securityContext(Customizer)
orsecurityContext(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.securityMatchers(Customizer)
orsecurityMatchers(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.servletApi(Customizer)
orservletApi(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.sessionManagement(Customizer)
orsessionManagement(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.x509(Customizer)
orx509(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. Use the lambda based configuration instead.Permit access to theDispatcherType
instead.@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
For removal in 7.0. UseHttpSecurity.requiresChannel(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.cacheControl(Customizer)
orcacheControl(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.cacheControl(Customizer)
orcacheControl(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.contentSecurityPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.contentSecurityPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.contentTypeOptions(Customizer)
orcontentTypeOptions(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.contentTypeOptions(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginEmbedderPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginEmbedderPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginOpenerPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginOpenerPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginResourcePolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginResourcePolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.frameOptions(Customizer)
orframeOptions(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.frameOptions(Customizer)
orframeOptions(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.httpStrictTransportSecurity(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.httpStrictTransportSecurity(Customizer)
insteadorg.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy()For removal in 7.0. UseHeadersConfigurer.permissionsPolicyHeader(Customizer)
orpermissionsPolicy(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.permissionsPolicyHeader(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.permissionsPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.referrerPolicy(Customizer)
orreferrerPolicy(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.referrerPolicy(Customizer)
orreferrerPolicy(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.referrerPolicy(Customizer)
orreferrerPolicy(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.xssProtection(Customizer)
orxssProtection(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.xssProtection(Customizer)
orxssProtection(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2ClientConfigurer.authorizationCodeGrant(Customizer)
insteadFor removal in 7.0. UseOAuth2ClientConfigurer.authorizationCodeGrant(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.authorizationEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.authorizationEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.redirectionEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.redirectionEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.tokenEndpoint(Customizer)
ortokenEndpoint(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2LoginConfigurer.tokenEndpoint(Customizer)
ortokenEndpoint(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2LoginConfigurer.userInfoEndpoint(Customizer)
oruserInfoEndpoint(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2LoginConfigurer.userInfoEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2ResourceServerConfigurer.jwt(Customizer)
orjwt(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2ResourceServerConfigurer.jwt(Customizer)
orjwt(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2ResourceServerConfigurer.opaqueToken(Customizer)
oropaqueToken(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSaml2LogoutConfigurer.logoutRequest(Customizer)
orlogoutRequest(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSaml2LogoutConfigurer.logoutRequest(Customizer)
orlogoutRequest(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSaml2LogoutConfigurer.logoutResponse(Customizer)
orlogoutResponse(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSaml2LogoutConfigurer.logoutResponse(Customizer)
orlogoutResponse(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSessionManagementConfigurer.sessionConcurrency(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.anonymous(Customizer)
oranonymous(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.anonymous(Customizer)
oranonymous(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.authorizeExchange(Customizer)
orauthorizeExchange(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.authorizeExchange(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.cors(Customizer)
orcors(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.cors(Customizer)
orcors(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.csrf(Customizer)
orcsrf(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.csrf(Customizer)
orcsrf(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.exceptionHandling(Customizer)
orexceptionHandling(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.exceptionHandling(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.formLogin(Customizer)
orformLogin(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.formLogin(Customizer)
orformLogin(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.headers(Customizer)
orheaders(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.headers(Customizer)
orheaders(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.cache(Customizer)
orcache(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.contentTypeOptions(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer)
insteadorg.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()For removal in 7.0. Use#featurePolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.frameOptions(Customizer)
orframeOptions(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.hsts(Customizer)
orhsts(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.hsts(Customizer)
orhsts(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.xssProtection(Customizer)
orxssProtection(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.httpBasic(Customizer)
orhttpBasic(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.httpBasic(Customizer)
orhttpBasic(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.logout(Customizer)
orlogout(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.logout(Customizer)
orlogout(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2Client(Customizer)
oroauth2Client(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2Client(Customizer)
oroauth2Client(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2Login(Customizer)
oroauth2Login(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2Login(Customizer)
oroauth2Login(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2ResourceServer(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.oauth2ResourceServer(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer)
orjwt(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer)
orjwt(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer)
oropaqueToken(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.passwordManagement(Customizer)
orpasswordManagement(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.passwordManagement(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.redirectToHttps(Customizer)
orredirectToHttps(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.requestCache(Customizer)
orrequestCache(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.requestCache(Customizer)
orrequestCache(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.x509(Customizer)
orx509(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.x509(Customizer)
orx509(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseUnboundIdContainer
instead because ApacheDS 1.x is no longer supported with no GA version to replace it.UseOidcUserService.setRetrieveUserInfo(Predicate)
insteadUseRelyingPartyRegistration.mutate()
insteadPermit access to theDispatcherType
instead.@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
-
InterfaceDescriptionUse
AuthorizationManager
insteadUseAuthorizationManager
insteadUse delegation withAuthorizationManager
Used only by now-deprecated classes. ConsiderSecuredAuthorizationManager
for `@Secured` methods.Use delegation withAuthorizationManager
This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Use theuse-authorization-manager
attribute for<method-security>
and<intercept-methods>
instead or use annotation-based orAuthorizationManager
-based authorizationUseAuthorizationManagerAfterMethodInterceptor
insteadUseAuthorizationManagerAfterMethodInterceptor
insteadUseAuthorizationManagerBeforeMethodInterceptor
insteadUseAuthorizationManagerBeforeMethodInterceptor
insteadUse delegation withAuthorizationManager
Please use org.springframework.security.cas.authentication.ServiceAuthenticationDetailsUseMessageMatcherDelegatingAuthorizationManager
insteadALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
ClassDescriptionUse
Jsr250AuthorizationManager
insteadUseJsr250AuthorizationManager
insteadAuthorization events have moved. ConsiderAuthorizationGrantedEvent
andAuthorizationDeniedEvent
Authentication is now separated from authorization. ConsiderAbstractAuthenticationFailureEvent
instead.UseAuthorizationDeniedEvent
insteadUseAuthorizationGrantedEvent
insteadLogging is now embedded in Spring Security components. If you need further logging, please consider using your ownApplicationListener
Only used by now-deprecated classes. ConsiderEventObject.getSource()
to deduce public invocations.UseAuthorizationManager
interceptors insteadUseAuthorizationManagerAfterMethodInterceptor
insteadUseAuthorizationManagerAfterMethodInterceptor
insteadUseAuthorizationFilter
instead for filter security,AuthorizationChannelInterceptor
for messaging security, orAuthorizationManagerBeforeMethodInterceptor
andAuthorizationManagerAfterMethodInterceptor
for method security.Use delegation withAuthorizationManager
Please useAuthorizationManagerBeforeMethodInterceptor
andAuthorizationManagerAfterMethodInterceptor
insteadUseEnableMethodSecurity
or publish interceptors directlyThis class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacementUse delegation withAuthorizationManager
UseAuthorizationManager
insteadAuthentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Use theuse-authorization-manager
attribute for<method-security>
and<intercept-methods>
instead or use annotation-based orAuthorizationManager
-based authorizationUse theuse-authorization-manager
attribute for<method-security>
and<intercept-methods>
instead or use annotation-based orAuthorizationManager
-based authorizationUse theuse-authorization-manager
attribute for<method-security>
and<intercept-methods>
instead or use annotation-based orAuthorizationManager
-based authorizationUse theuse-authorization-manager
attribute for<method-security>
and<intercept-methods>
instead or use annotation-based orAuthorizationManager
-based authorizationUseAuthorizationManagerAfterMethodInterceptor
insteadUseAuthorizationManagerBeforeMethodInterceptor
insteadUsePreAuthorizeAuthorizationManager
andPostAuthorizeAuthorizationManager
insteadUseAuthorizationManager
insteadNow used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.UseAuthorizationManager
insteadUseAuthorityAuthorizationManager
insteadUseAuthorizationManager
insteadUseAuthorityAuthorizationManager
insteadUseAuthorizationManager
insteadUseExpressionAuthorizationDecision
insteadPlease useAnnotationTemplateExpressionDefaults
insteadUsePrePostMethodSecurityConfiguration
,SecuredMethodSecurityConfiguration
, orJsr250MethodSecurityConfiguration
insteadUseAuthorizeHttpRequestsConfigurer
insteadUseAuthorizeHttpRequestsConfigurer
insteadsee Certificate and Public Key Pinning for more contextUseAuthorizeHttpRequestsConfigurer
insteadUseMessageMatcherDelegatingAuthorizationManager
insteadorg.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfigurationThis is applied internally using SpringWebMvcImportSelectorUseEnableWebSocketSecurity
insteadUse `use-authorization-manager` property insteadUseMethodSecurityBeanDefinitionParser
insteadUse<intercept-methods>
,<method-security>
, or@EnableMethodSecurity
Use java.util.Base64Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoder
which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.For removal in 7.0. UseUnboundIdContainer
instead because ApacheDS 1.x is no longer supported with no GA version to replace it.UseMessageMatcherDelegatingAuthorizationManager
insteadUseMessageMatcherDelegatingAuthorizationManager
insteadUseAuthorizationChannelInterceptor
insteadUseMessageMatcherDelegatingAuthorizationManager
insteadThe latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.Please useBearerTokenAuthenticationToken
UseBearerTokenAuthenticationFilter
insteadBasic Authentication did not evolve into a standard. Use Simple Authentication instead.Basic Authentication did not evolve into a standard. useSimpleAuthenticationEncoder
Please useRequestMatcherMetadataResponseResolver
This class no longer is needed in order to transmit theEntityDescriptor
toOpenSamlAssertingPartyDetails
. Instead of doing:if (registration instanceof OpenSamlRelyingPartyRegistration openSamlRegistration) { EntityDescriptor descriptor = openSamlRegistration.getAssertingPartyDetails.getEntityDescriptor(); }
do instead:if (registration.getAssertingPartyMetadata() instanceof openSamlAssertingPartyDetails) { EntityDescriptor descriptor = openSamlAssertingPartyDetails.getEntityDescriptor(); }
UseWebExpressionAuthorizationManager
insteadUseAuthorizationFilter
insteadUseAuthenticationPrincipalArgumentResolver
instead.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.see Certificate and Public Key Pinning for more contextuseServerFormLoginAuthenticationConverter
instead.UseServerHttpBasicAuthenticationConverter
instead.
-
Annotation InterfaceDescriptionuse @{code org.springframework.security.core.parameters.P}Use
EnableMethodSecurity
insteadUse EnableWebSecurity instead which will automatically add the Spring MVC related Security items.UseAuthenticationPrincipal
instead.
-
FieldDescriptionsince 5.4 in favor of
AbstractMessageMatcherComposite.logger
The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
-
MethodDescriptionPlease use
AnnotationTemplateExpressionDefaults
insteadFor removal in 7.0. UseAbstractConfiguredSecurityBuilder.with(SecurityConfigurerAdapter, Customizer)
instead.For removal in 7.0. Use the lambda based configuration instead.For removal in 7.0. UseHttpSecurity.anonymous(Customizer)
oranonymous(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.authorizeHttpRequests(Customizer)
insteadFor removal in 7.0. UseHttpSecurity.authorizeHttpRequests()
insteadFor removal in 7.0. UseHttpSecurity.authorizeHttpRequests()
insteadFor removal in 7.0. UseHttpSecurity.cors(Customizer)
orcors(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.csrf(Customizer)
orcsrf(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.exceptionHandling(Customizer)
orexceptionHandling(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.formLogin(Customizer)
orformLogin(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.headers(Customizer)
orheaders(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.httpBasic(Customizer)
orhttpBasic(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.jee(Customizer)
orjee(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.logout(Customizer)
orlogout(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.oauth2Client(Customizer)
oroauth2Client(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.oauth2Login(Customizer)
oroauth2Login(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.oauth2ResourceServer(Customizer)
insteadFor removal in 7.0. UseHttpSecurity.portMapper(Customizer)
orportMapper(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.rememberMe(Customizer)
orrememberMe(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.requestCache(Customizer)
orrequestCache(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Use the lambda based configuration instead. For example:@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .securityMatchers((matchers) -> matchers .requestMatchers("/api/**") ) .authorizeHttpRequests((authorize) -> authorize .anyRequest().hasRole("USER") ) .httpBasic(Customizer.withDefaults()); return http.build(); } }
For removal in 7.0. UseHttpSecurity.requiresChannel(Customizer)
orrequiresChannel(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.saml2Login(Customizer)
orsaml2Login(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.saml2Logout(Customizer)
orsaml2Logout(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.saml2Metadata(Customizer)
orsaml2Metadata(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.securityContext(Customizer)
orsecurityContext(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.securityMatchers(Customizer)
orsecurityMatchers(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.servletApi(Customizer)
orservletApi(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.sessionManagement(Customizer)
orsessionManagement(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHttpSecurity.x509(Customizer)
orx509(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. Use the lambda based configuration instead.Permit access to theDispatcherType
instead.@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
For removal in 7.0. UseHttpSecurity.requiresChannel(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.cacheControl(Customizer)
orcacheControl(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.cacheControl(Customizer)
orcacheControl(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.contentSecurityPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.contentSecurityPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.contentTypeOptions(Customizer)
orcontentTypeOptions(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.contentTypeOptions(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginEmbedderPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginEmbedderPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginOpenerPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginOpenerPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginResourcePolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.crossOriginResourcePolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.permissionsPolicy(Customizer)
orpermissionsPolicy(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.frameOptions(Customizer)
orframeOptions(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.frameOptions(Customizer)
orframeOptions(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.httpStrictTransportSecurity(Customizer)
insteadsee Certificate and Public Key Pinning for more contextsee Certificate and Public Key Pinning for more contextFor removal in 7.0. UseHeadersConfigurer.httpStrictTransportSecurity(Customizer)
insteadorg.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy()For removal in 7.0. UseHeadersConfigurer.permissionsPolicyHeader(Customizer)
orpermissionsPolicy(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.permissionsPolicyHeader(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.permissionsPolicy(Customizer)
insteadFor removal in 7.0. UseHeadersConfigurer.referrerPolicy(Customizer)
orreferrerPolicy(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.referrerPolicy(Customizer)
orreferrerPolicy(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.referrerPolicy(Customizer)
orreferrerPolicy(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.xssProtection(Customizer)
orxssProtection(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseHeadersConfigurer.xssProtection(Customizer)
orxssProtection(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2ClientConfigurer.authorizationCodeGrant(Customizer)
insteadFor removal in 7.0. UseOAuth2ClientConfigurer.authorizationCodeGrant(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.authorizationEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.authorizationEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.redirectionEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.redirectionEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2LoginConfigurer.tokenEndpoint(Customizer)
ortokenEndpoint(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2LoginConfigurer.tokenEndpoint(Customizer)
ortokenEndpoint(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2LoginConfigurer.userInfoEndpoint(Customizer)
oruserInfoEndpoint(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2LoginConfigurer.userInfoEndpoint(Customizer)
insteadFor removal in 7.0. UseOAuth2ResourceServerConfigurer.jwt(Customizer)
orjwt(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2ResourceServerConfigurer.jwt(Customizer)
orjwt(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseOAuth2ResourceServerConfigurer.opaqueToken(Customizer)
oropaqueToken(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSaml2LogoutConfigurer.logoutRequest(Customizer)
orlogoutRequest(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSaml2LogoutConfigurer.logoutRequest(Customizer)
orlogoutRequest(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSaml2LogoutConfigurer.logoutResponse(Customizer)
orlogoutResponse(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSaml2LogoutConfigurer.logoutResponse(Customizer)
orlogoutResponse(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseSessionManagementConfigurer.sessionConcurrency(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.anonymous(Customizer)
oranonymous(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.anonymous(Customizer)
oranonymous(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.authorizeExchange(Customizer)
orauthorizeExchange(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.authorizeExchange(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.cors(Customizer)
orcors(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.cors(Customizer)
orcors(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.csrf(Customizer)
orcsrf(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.csrf(Customizer)
orcsrf(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.exceptionHandling(Customizer)
orexceptionHandling(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.exceptionHandling(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.formLogin(Customizer)
orformLogin(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.formLogin(Customizer)
orformLogin(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.headers(Customizer)
orheaders(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.headers(Customizer)
orheaders(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.cache(Customizer)
orcache(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.contentTypeOptions(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer)
instead.org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()For removal in 7.0. Use#featurePolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.frameOptions(Customizer)
orframeOptions(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.hsts(Customizer)
orhsts(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.hsts(Customizer)
orhsts(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer)
instead.For removal in 7.0. UseServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.xssProtection(Customizer)
orxssProtection(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.httpBasic(Customizer)
orhttpBasic(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.httpBasic(Customizer)
orhttpBasic(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.logout(Customizer)
orlogout(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.logout(Customizer)
orlogout(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2Client(Customizer)
oroauth2Client(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2Client(Customizer)
oroauth2Client(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2Login(Customizer)
oroauth2Login(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2Login(Customizer)
oroauth2Login(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.oauth2ResourceServer(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.oauth2ResourceServer(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer)
orjwt(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer)
orjwt(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer)
oropaqueToken(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.passwordManagement(Customizer)
orpasswordManagement(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.passwordManagement(Customizer)
insteadFor removal in 7.0. UseServerHttpSecurity.redirectToHttps(Customizer)
orredirectToHttps(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.requestCache(Customizer)
orrequestCache(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.requestCache(Customizer)
orrequestCache(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.x509(Customizer)
orx509(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.For removal in 7.0. UseServerHttpSecurity.x509(Customizer)
orx509(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.UseLdapUsernameToDnMapper.buildLdapName(String)
insteadThe latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.UseOidcUserService.setRetrieveUserInfo(Predicate)
insteadThe latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.The latest OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.UseRelyingPartyRegistration.mutate()
insteadPermit access to theDispatcherType
instead.@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
UseStrictHttpFirewall.getEncodedUrlBlocklist()
insteadAs of 5.1 in favor ofAuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
-
ConstructorDescriptionUse
Builder(RelyingPartyRegistration)
insteadALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
Enum ConstantDescriptionALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
AbstractConfiguredSecurityBuilder.with(SecurityConfigurerAdapter, Customizer)
instead.