Deprecated API
-
Terminally Deprecated Elements

Please use OneTimeTokenAuthentication instead
Please use OneTimeTokenAuthentication instead
Please use constructor that takes a String instead
Please use constructor that takes a String instead
as of 7.0 in favor of CasJacksonModule based on Jackson 3
For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and(): For removal in 7.0. Use #featurePolicy(Customizer) instead
Please have each class use its own serialization version
as of 7.0 in favor of CoreJacksonModule based on Jackson 3
as of 7.0 in favor of SecurityJacksonModules based on Jackson 3
as of 7.0 in favor of org.springframework.security.jackson.SimpleGrantedAuthorityMixin based on Jackson 3
as of 7.0 in favor of LdapJacksonModule based on Jackson 3
as of 7.0 in favor of OAuth2ClientJacksonModule based on Jackson 3
as of 7.0 in favor of org.springframework.security.oauth2.server.authorization.jackson.OAuth2AuthorizationServerJacksonModule based on Jackson 3
Use JdbcOAuth2AuthorizationService.JsonMapperOAuth2AuthorizationParametersMapper to migrate to Jackson 3.
Use JdbcOAuth2AuthorizationService.JsonMapperOAuth2AuthorizationRowMapper to switch to Jackson 3.
Please use SpringOpaqueTokenIntrospector.Builder
as of 7.0 in favor of Saml2JacksonModule based on Jackson 3
as of 7.0 in favor of WebJacksonModule based on Jackson 3
as of 7.0 in favor of WebServletJacksonModule based on Jackson 3
as of 7.0 in favor of WebServerJacksonModule based on Jackson 3
as of 7.0 in favor of WebauthnJacksonModule based on Jackson 3
LobHandler is deprecated without replacement, as such this method will also be removed without replacement
-
Deprecated Interfaces

Use AuthorizationManager instead
Use AuthorizationManager instead
Use delegation with AuthorizationManager
Used only by now-deprecated classes. Consider SecuredAuthorizationManager for `@Secured` methods.
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use delegation with AuthorizationManager
This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationManagerBeforeMethodInterceptor instead
Use AuthorizationManagerBeforeMethodInterceptor instead
Use delegation with AuthorizationManager
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use MessageMatcherDelegatingAuthorizationManager instead
Please use Saml2AssertionAuthentication.getRelyingPartyRegistrationId() and Saml2ResponseAssertionAccessor instead
no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
please use HttpsRedirectFilter and its associated PortMapper
no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
Deprecated Classes

Use Jsr250AuthorizationManager instead
Use Jsr250AuthorizationManager instead
Authorization events have moved. Consider AuthorizationGrantedEvent and AuthorizationDeniedEvent
Authentication is now separated from authorization. Consider AbstractAuthenticationFailureEvent instead.
Use AuthorizationDeniedEvent instead
Use AuthorizationGrantedEvent instead
Logging is now embedded in Spring Security components. If you need further logging, please consider using your own ApplicationListener
Only used by now-deprecated classes. Consider EventObject.getSource() to deduce public invocations.
Use AuthorizationManager interceptors instead
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationFilter instead for filter security, AuthorizationChannelInterceptor for messaging security, or AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor for method security.
Use delegation with AuthorizationManager
Please use AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor instead
Use EnableMethodSecurity or publish interceptors directly
This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacement
Use delegation with AuthorizationManager
Use AuthorizationManager instead
Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationManagerBeforeMethodInterceptor instead
Use PreAuthorizeAuthorizationManager and PostAuthorizeAuthorizationManager instead
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use AuthorizationManager instead
Now used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.
Use AuthorizationManager instead
Use AuthorityAuthorizationManager instead
Use AuthorizationManager instead
Use AuthorityAuthorizationManager instead
Use AuthorizationManager instead
please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PreAuthorize("hasPermission(#id, ObjectsReturnType.class, read)")
please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PostAuthorize("hasPermission(filterObject, read)")
org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider: please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PostFilter("hasPermission(filterObject, read)")
please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PostAuthorize("hasPermission(filterObject, read)")
as of 7.0 in favor of CasJacksonModule based on Jackson 3
Use PrePostMethodSecurityConfiguration, SecuredMethodSecurityConfiguration, or Jsr250MethodSecurityConfiguration instead
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
please use HttpsRedirectConfigurer instead
no replacement planned
no replacement planned
see Certificate and Public Key Pinning for more context
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration: This is applied internally using SpringWebMvcImportSelector
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use `use-authorization-manager` property instead
Use MethodSecurityBeanDefinitionParser instead
Use <intercept-methods>, <method-security>, or @EnableMethodSecurity
Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
as of 7.0 in favor of CoreJacksonModule based on Jackson 3
as of 7.0 in favor of SecurityJacksonModules based on Jackson 3
as of 7.0 in favor of org.springframework.security.jackson.SimpleGrantedAuthorityMixin based on Jackson 3
as of 7.0 in favor of LdapJacksonModule based on Jackson 3
Use MessageMatcherDelegatingAuthorizationManager instead
Use MessageMatcherDelegatingAuthorizationManager instead
Use AuthorizationChannelInterceptor instead
Use MessageMatcherDelegatingAuthorizationManager instead
as of 7.0 in favor of OAuth2ClientJacksonModule based on Jackson 3
as of 7.0 in favor of org.springframework.security.oauth2.server.authorization.jackson.OAuth2AuthorizationServerJacksonModule based on Jackson 3
Use JdbcOAuth2AuthorizationService.JsonMapperOAuth2AuthorizationParametersMapper to migrate to Jackson 3.
Use JdbcOAuth2AuthorizationService.JsonMapperOAuth2AuthorizationRowMapper to switch to Jackson 3.
please use AuthenticationPayloadExchangeConverter instead
please use AuthenticationPayloadExchangeConverter instead
Basic Authentication did not evolve into a standard. Use Simple Authentication instead.
Basic Authentication did not evolve into a standard. use SimpleAuthenticationEncoder
as of 7.0 in favor of Saml2JacksonModule based on Jackson 3
Please use Saml2ResponseAssertionAccessor
Please use RequestMatcherMetadataResponseResolver
please use HttpsRedirectFilter and its associated PortMapper
no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
please use HttpsRedirectFilter and its associated PortMapper
please use HttpsRedirectFilter and its associated PortMapper
no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use WebExpressionAuthorizationManager instead
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use AuthorizationFilter instead
please use AuthorizationManagerWebInvocationPrivilegeEvaluator and adapt any delegate WebInvocationPrivilegeEvaluators into AuthorizationManagers
Please use SubjectX500PrincipalExtractor instead
Use AuthenticationPrincipalArgumentResolver instead.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
see Certificate and Public Key Pinning for more context
as of 7.0 in favor of WebJacksonModule based on Jackson 3
as of 7.0 in favor of WebServletJacksonModule based on Jackson 3
as of 7.0 in favor of WebServerJacksonModule based on Jackson 3
use ServerFormLoginAuthenticationConverter instead.
Use ServerHttpBasicAuthenticationConverter instead.
as of 7.0 in favor of WebauthnJacksonModule based on Jackson 3
-
Deprecated Annotation Interfaces

use org.springframework.security.core.parameters.P
Use EnableMethodSecurity instead
Use AuthenticationPrincipal instead.
-
Deprecated Fields

Please have each class use its own serialization version
since 5.4 in favor of AbstractMessageMatcherComposite.logger
The SHA-1 algorithm has been proven to be vulnerable to collision attacks and should not be used. See the Google Security Blog for more info.
Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
-
Deprecated Methods

please see RoleHierarchyImpl#setHierarchy deprecation notice
Please use OneTimeTokenAuthentication instead
Please use constructor that takes a String instead
Please use constructor that takes a String instead
please provide all advisors in the constructor
For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
see Certificate and Public Key Pinning for more context
For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) instead
Use this.context instead
Please use X509Configurer.x509PrincipalExtractor(X509PrincipalExtractor) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and(): For removal in 7.0. Use #featurePolicy(Customizer) instead
Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.
Please provide an AuthenticationConverter in the constructor and set the AuthenticationDetailsSource there instead. For example, you can use BearerTokenAuthenticationConverter.setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?>)
Please provide an AuthenticationConverter in the constructor instead
Use StrictHttpFirewall.getEncodedUrlBlocklist() instead
As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
LobHandler is deprecated without replacement, as such this method will also be removed without replacement
-
Deprecated Constructors

Use SecurityExpressionRoot(Supplier, Object) instead
Use SecurityExpressionRoot(Supplier, Object) instead
Please use constructor that takes a String instead
Please use OneTimeTokenAuthentication instead
Please use SpringOpaqueTokenIntrospector.Builder
Use Builder(RelyingPartyRegistration) instead
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
Deprecated Enum Constants

please see PayloadInterceptorOrder.AUTHENTICATION
please see PayloadInterceptorOrder.AUTHENTICATION
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
String instead