Deprecated API
Contents
-
Terminally Deprecated ElementsElementDescriptionFor removal in 7.0. Use
HeadersConfigurer.permissionsPolicyHeader(Customizer)insteadorg.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()For removal in 7.0. Use#featurePolicy(Customizer)insteadUseOidcUserService.setRetrieveUserInfo(Predicate)insteadPlease useSpringOpaqueTokenIntrospector.BuilderPermit access to theDispatcherTypeinstead.@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }This existed for an old IE bug and is no longer need.This existed for an old IE bug and is no longer need.This is deprecated for removal. Users can compareDefaultSavedRequest.getRedirectUrl()to theHttpServletRequestURL instead.LobHandleris deprecated without replacement, as such this method will also be removed without replacement
-
Deprecated InterfacesInterfaceDescriptionUse
AuthorizationManagerinsteadUseAuthorizationManagerinsteadUse delegation withAuthorizationManagerUsed only by now-deprecated classes. ConsiderSecuredAuthorizationManagerfor `@Secured` methods.In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please seeSecurityAnnotationScannerandAuthorizationManager. In the case of channel security, please seeHttpsRedirectFilter. In the case of web security, please seeAuthorizationManager.Use delegation withAuthorizationManagerThis class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Use theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationManagerBeforeMethodInterceptorinsteadUseAuthorizationManagerBeforeMethodInterceptorinsteadUse delegation withAuthorizationManagerIn modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please seeSecurityAnnotationScannerandAuthorizationManager. In the case of channel security, please seeHttpsRedirectFilter. In the case of web security, please seeAuthorizationManager.UseMessageMatcherDelegatingAuthorizationManagerinsteadPlease useSaml2AssertionAuthentication.getRelyingPartyRegistrationId()andSaml2ResponseAssertionAccessorinsteadno replacement is planned, though consider using a customRequestMatcherfor any sophisticated decision-makingplease useHttpsRedirectFilterand its associatedPortMapperno replacement is planned, though consider using a customRequestMatcherfor any sophisticated decision-makingIn modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please seeSecurityAnnotationScannerandAuthorizationManager. In the case of channel security, please seeHttpsRedirectFilter. In the case of web security, please seeAuthorizationManager.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.This existed for an old IE bug and is no longer need.
-
Deprecated ClassesClassDescriptionUse
Jsr250AuthorizationManagerinsteadUseJsr250AuthorizationManagerinsteadAuthorization events have moved. ConsiderAuthorizationGrantedEventandAuthorizationDeniedEventAuthentication is now separated from authorization. ConsiderAbstractAuthenticationFailureEventinstead.UseAuthorizationDeniedEventinsteadUseAuthorizationGrantedEventinsteadLogging is now embedded in Spring Security components. If you need further logging, please consider using your ownApplicationListenerOnly used by now-deprecated classes. ConsiderEventObject.getSource()to deduce public invocations.UseAuthorizationManagerinterceptors insteadUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationFilterinstead for filter security,AuthorizationChannelInterceptorfor messaging security, orAuthorizationManagerBeforeMethodInterceptorandAuthorizationManagerAfterMethodInterceptorfor method security.Use delegation withAuthorizationManagerPlease useAuthorizationManagerBeforeMethodInterceptorandAuthorizationManagerAfterMethodInterceptorinsteadUseEnableMethodSecurityor publish interceptors directlyThis class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacementUse delegation withAuthorizationManagerUseAuthorizationManagerinsteadAuthentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.Use theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUse theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUse theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUse theuse-authorization-managerattribute for<method-security>and<intercept-methods>instead or use annotation-based orAuthorizationManager-based authorizationUseAuthorizationManagerAfterMethodInterceptorinsteadUseAuthorizationManagerBeforeMethodInterceptorinsteadUsePreAuthorizeAuthorizationManagerandPostAuthorizeAuthorizationManagerinsteadIn modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please seeSecurityAnnotationScannerandAuthorizationManager. In the case of channel security, please seeHttpsRedirectFilter. In the case of web security, please seeAuthorizationManager.UseAuthorizationManagerinsteadNow used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.UseAuthorizationManagerinsteadUseAuthorityAuthorizationManagerinsteadUseAuthorizationManagerinsteadUseAuthorityAuthorizationManagerinsteadUseAuthorizationManagerinsteadplease useAclPermissionEvaluatorinstead. Spring Method Security annotations may also prove useful, for example@PreAuthorize("hasPermission(#id, ObjectsReturnType.class, read)")please useAclPermissionEvaluatorinstead. Spring Method Security annotations may also prove useful, for example@PostAuthorize("hasPermission(filterObject, read)")org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationCollectionFilteringProviderplease useAclPermissionEvaluatorinstead. Spring Method Security annotations may also prove useful, for example@PostFilter("hasPermission(filterObject, read)")please useAclPermissionEvaluatorinstead. Spring Method Security annotations may also prove useful, for example@PostAuthorize("hasPermission(filterObject, read)")UsePrePostMethodSecurityConfiguration,SecuredMethodSecurityConfiguration, orJsr250MethodSecurityConfigurationinsteadIn modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please seeSecurityAnnotationScannerandAuthorizationManager. In the case of channel security, please seeHttpsRedirectFilter. In the case of web security, please seeAuthorizationManager.please useHttpsRedirectConfigurerinsteadno replacement plannedno replacement plannedsee Certificate and Public Key Pinning for more contextorg.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfigurationThis is applied internally using SpringWebMvcImportSelectorIn modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please seeSecurityAnnotationScannerandAuthorizationManager. In the case of channel security, please seeHttpsRedirectFilter. In the case of web security, please seeAuthorizationManager.Use `use-authorization-manager` property insteadUseMethodSecurityBeanDefinitionParserinsteadUse<intercept-methods>,<method-security>, or@EnableMethodSecurityDigest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better useDelegatingPasswordEncoderwhich supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.UseMessageMatcherDelegatingAuthorizationManagerinsteadUseMessageMatcherDelegatingAuthorizationManagerinsteadUseAuthorizationChannelInterceptorinsteadUseMessageMatcherDelegatingAuthorizationManagerinsteadplease useAuthenticationPayloadExchangeConverterinsteadplease useAuthenticationPayloadExchangeConverterinsteadBasic Authentication did not evolve into a standard. Use Simple Authentication instead.Basic Authentication did not evolve into a standard. useSimpleAuthenticationEncoderPlease useSaml2ResponseAssertionAccessorPlease useRequestMatcherMetadataResponseResolverplease useHttpsRedirectFilterand its associatedPortMapperno replacement is planned, though consider using a customRequestMatcherfor any sophisticated decision-makingno replacement is planned, though consider using a customRequestMatcherfor any sophisticated decision-makingplease useHttpsRedirectFilterand its associatedPortMapperplease useHttpsRedirectFilterand its associatedPortMapperno replacement is planned, though consider using a customRequestMatcherfor any sophisticated decision-makingIn modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please seeSecurityAnnotationScannerandAuthorizationManager. In the case of channel security, please seeHttpsRedirectFilter. In the case of web security, please seeAuthorizationManager.UseWebExpressionAuthorizationManagerinsteadIn modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please seeSecurityAnnotationScannerandAuthorizationManager. In the case of channel security, please seeHttpsRedirectFilter. In the case of web security, please seeAuthorizationManager.UseAuthorizationFilterinsteadplease useAuthorizationManagerWebInvocationPrivilegeEvaluatorand adapt any delegateWebInvocationPrivilegeEvaluators intoAuthorizationManagersPlease useSubjectX500PrincipalExtractorinsteadUseAuthenticationPrincipalArgumentResolverinstead.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.see Certificate and Public Key Pinning for more contextThis existed for an old IE bug and is no longer need.useServerFormLoginAuthenticationConverterinstead.UseServerHttpBasicAuthenticationConverterinstead.
-
Deprecated Annotation InterfacesAnnotation InterfaceDescriptionuse @{code org.springframework.security.core.parameters.P}Use
EnableMethodSecurityinsteadUseAuthenticationPrincipalinstead.
-
Deprecated FieldsFieldDescriptionsince 5.4 in favor of
AbstractMessageMatcherComposite.loggerThe SHA-1 algorithm has been proven to be vulnerable to collision attacks and should not be used. See the Google Security Blog for more info.Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
-
Deprecated MethodsMethodDescriptionplease see
RoleHierarchyImpl#setHierarchydeprecation noticeplease provide all advisors in the constructorPermit access to theDispatcherTypeinstead.@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }For removal in 7.0. UseHeadersConfigurer.permissionsPolicy(Customizer)orpermissionsPolicy(Customizer.withDefaults())to stick with defaults. See the documentation for more details.see Certificate and Public Key Pinning for more contextFor removal in 7.0. UseHeadersConfigurer.permissionsPolicyHeader(Customizer)insteadUse this.context insteadPlease use {X509Configurer.x509PrincipalExtractor(X509PrincipalExtractor)insteadFor removal in 7.0. UseServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer)instead.org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()For removal in 7.0. Use#featurePolicy(Customizer)insteadUsing this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.UseOidcUserService.setRetrieveUserInfo(Predicate)insteadPlease provide anAuthenticationConverterin the constructor and set theAuthenticationDetailsSourcethere instead. For example, you can useBearerTokenAuthenticationConverter.setAuthenticationDetailsSource(org.springframework.security.authentication.AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest, ?>)Please provide anAuthenticationConverterin the constructor insteadPermit access to theDispatcherTypeinstead.@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }UseStrictHttpFirewall.getEncodedUrlBlocklist()insteadThis is deprecated for removal. Users can compareDefaultSavedRequest.getRedirectUrl()to theHttpServletRequestURL instead.As of 5.1 in favor ofAuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)LobHandleris deprecated without replacement, as such this method will also be removed without replacement
-
Deprecated ConstructorsConstructorDescriptionPlease use
SpringOpaqueTokenIntrospector.BuilderUseBuilder(RelyingPartyRegistration)insteadALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
Deprecated Enum ConstantsEnum ConstantDescriptionplease see
PayloadInterceptorOrder.AUTHENTICATIONplease seePayloadInterceptorOrder.AUTHENTICATIONALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
DispatcherTypeinstead.@Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }