Deprecated API
-
Terminally Deprecated Elements
Element: Description
For removal in 7.0. Use the lambda based configuration instead.
For removal in 7.0. Use HttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
For removal in 7.0. Use HttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.jee(Customizer) or jee(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.oauth2ResourceServer(Customizer) instead
For removal in 7.0. Use HttpSecurity.portMapper(Customizer) or portMapper(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.rememberMe(Customizer) or rememberMe(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Use the lambda based configuration instead. For example:
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/api/**")
                )
                .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().hasRole("USER")
                )
                .httpBasic(Customizer.withDefaults());
            return http.build();
        }
    }
For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) or requiresChannel(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.saml2Login(Customizer) or saml2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.saml2Logout(Customizer) or saml2Logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.saml2Metadata(Customizer) or saml2Metadata(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.securityContext(Customizer) or securityContext(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.securityMatchers(Customizer) or securityMatchers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.servletApi(Customizer) or servletApi(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.sessionManagement(Customizer) or sessionManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.WebSecurity(ObjectPostProcessor<Object>): For removal in 7.0. Use the lambda based configuration instead.
Permit access to the DispatcherType instead.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests((authorize) -> authorize
                    .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                    // ...
                );
            return http.build();
        }
    }
For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) or contentTypeOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy(): For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) or userInfoEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2ResourceServerConfigurer.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use SessionManagementConfigurer.sessionConcurrency(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) or authorizeExchange(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.cache(Customizer) or cache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentTypeOptions(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and(): For removal in 7.0. Use #featurePolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) or passwordManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.redirectToHttps(Customizer) or redirectToHttps(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
Use RestClientAuthorizationCodeTokenResponseClient instead
Use RestClientClientCredentialsTokenResponseClient instead
Use RestClientJwtBearerTokenResponseClient instead
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
Use RestClientRefreshTokenTokenResponseClient instead
Use RestClientRefreshTokenTokenResponseClient instead
Use DefaultOAuth2TokenRequestParametersConverter instead
Use DefaultOAuth2TokenRequestParametersConverter instead
Use DefaultOAuth2TokenRequestParametersConverter instead
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
Use DefaultOAuth2TokenRequestParametersConverter instead
Use DefaultOAuth2TokenRequestParametersConverter instead
Use DefaultOAuth2TokenRequestParametersConverter instead
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
Use OidcUserService.setRetrieveUserInfo(Predicate) instead
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
Please use SpringOpaqueTokenIntrospector.Builder
Use RelyingPartyRegistration.mutate() instead
Please use PathPatternRequestTransformer instead
Permit access to the DispatcherType instead.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests((authorize) -> authorize
                    .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                    // ...
                );
            return http.build();
        }
    }
This existed for an old IE bug and is no longer needed.
This existed for an old IE bug and is no longer needed.
This is deprecated for removal. Users can compare DefaultSavedRequest.getRedirectUrl() to the HttpServletRequest URL instead.
Please use PathPatternRequestMatcher instead
Please use PathPatternRequestMatcher instead
LobHandler is deprecated without replacement, as such this method will also be removed without replacement
-
Deprecated Interfaces
Interface: Description
Use AuthorizationManager instead
Use AuthorizationManager instead
Use delegation with AuthorizationManager
Used only by now-deprecated classes. Consider SecuredAuthorizationManager for `@Secured` methods.
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use delegation with AuthorizationManager
This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationManagerBeforeMethodInterceptor instead
Use AuthorizationManagerBeforeMethodInterceptor instead
Use delegation with AuthorizationManager
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Please use org.springframework.security.cas.authentication.ServiceAuthenticationDetails
Please use ObjectPostProcessor instead
Use MessageMatcherDelegatingAuthorizationManager instead
No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
Please use HttpsRedirectFilter and its associated PortMapper
No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
This existed for an old IE bug and is no longer needed.
-
Deprecated Classes
Class: Description
Use Jsr250AuthorizationManager instead
Use Jsr250AuthorizationManager instead
Authorization events have moved. Consider AuthorizationGrantedEvent and AuthorizationDeniedEvent
Authentication is now separated from authorization. Consider AbstractAuthenticationFailureEvent instead.
Use AuthorizationDeniedEvent instead
Use AuthorizationGrantedEvent instead
Logging is now embedded in Spring Security components. If you need further logging, please consider using your own ApplicationListener
Only used by now-deprecated classes. Consider EventObject.getSource() to deduce public invocations.
Use AuthorizationManager interceptors instead
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationFilter instead for filter security, AuthorizationChannelInterceptor for messaging security, or AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor for method security.
Use delegation with AuthorizationManager
Please use AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor instead
Use EnableMethodSecurity or publish interceptors directly
This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacement
Use delegation with AuthorizationManager
Use AuthorizationManager instead
Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
Use AuthorizationManagerAfterMethodInterceptor instead
Use AuthorizationManagerBeforeMethodInterceptor instead
Use PreAuthorizeAuthorizationManager and PostAuthorizeAuthorizationManager instead
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use AuthorizationManager instead
Now used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.
Use AuthorizationManager instead
Use AuthorityAuthorizationManager instead
Use AuthorizationManager instead
Use AuthorityAuthorizationManager instead
Use AuthorizationManager instead
Please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PreAuthorize("hasPermission(#id, ObjectsReturnType.class, read)")
Please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PostAuthorize("hasPermission(filterObject, read)")
org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider: Please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PostFilter("hasPermission(filterObject, read)")
Please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PostAuthorize("hasPermission(filterObject, read)")
Use ExpressionAuthorizationDecision instead
Please use AnnotationTemplateExpressionDefaults instead
Use PrePostMethodSecurityConfiguration, SecuredMethodSecurityConfiguration, or Jsr250MethodSecurityConfiguration instead
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use AuthorizeHttpRequestsConfigurer instead
Please use HttpsRedirectConfigurer instead
No replacement planned
No replacement planned
Use AuthorizeHttpRequestsConfigurer instead
See Certificate and Public Key Pinning for more context
Use AuthorizeHttpRequestsConfigurer instead
Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration: This is applied internally using SpringWebMvcImportSelector
Use EnableWebSocketSecurity instead
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
Use `use-authorization-manager` property instead
Use MethodSecurityBeanDefinitionParser instead
Use <intercept-methods>, <method-security>, or @EnableMethodSecurity
Use java.util.Base64
Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
This PasswordEncoder is not secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
For removal in 7.0. Use UnboundIdContainer instead because ApacheDS 1.x is no longer supported with no GA version to replace it.
Use MessageMatcherDelegatingAuthorizationManager instead
Use MessageMatcherDelegatingAuthorizationManager instead
Use AuthorizationChannelInterceptor instead
Use MessageMatcherDelegatingAuthorizationManager instead
Use RestClientAuthorizationCodeTokenResponseClient instead
Use RestClientClientCredentialsTokenResponseClient instead
Use RestClientJwtBearerTokenResponseClient instead
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
Use RestClientRefreshTokenTokenResponseClient instead
Use RestClientRefreshTokenTokenResponseClient instead
Use DefaultOAuth2TokenRequestParametersConverter instead
Use DefaultOAuth2TokenRequestParametersConverter instead
Use DefaultOAuth2TokenRequestParametersConverter instead
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
Use DefaultOAuth2TokenRequestParametersConverter instead
Use DefaultOAuth2TokenRequestParametersConverter instead
Use DefaultOAuth2TokenRequestParametersConverter instead
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
Please use BearerTokenAuthenticationToken
Please use SpringOpaqueTokenIntrospector instead
Please use SpringReactiveOpaqueTokenIntrospector instead
Use BearerTokenAuthenticationFilter instead
Please use AuthenticationPayloadExchangeConverter instead
Please use AuthenticationPayloadExchangeConverter instead
Basic Authentication did not evolve into a standard. Use Simple Authentication instead.
Basic Authentication did not evolve into a standard. Use SimpleAuthenticationEncoder
Please use RequestMatcherMetadataResponseResolver
This class no longer is needed in order to transmit the EntityDescriptor to OpenSamlAssertingPartyDetails. Instead of doing:
    if (registration instanceof OpenSamlRelyingPartyRegistration openSamlRegistration) {
        EntityDescriptor descriptor = openSamlRegistration.getAssertingPartyDetails().getEntityDescriptor();
    }
do instead:
    if (registration.getAssertingPartyMetadata() instanceof OpenSamlAssertingPartyDetails openSamlAssertingPartyDetails) {
        EntityDescriptor descriptor = openSamlAssertingPartyDetails.getEntityDescriptor();
    }
Please use HttpsRedirectFilter and its associated PortMapper
No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
Please use HttpsRedirectFilter and its associated PortMapper
Please use HttpsRedirectFilter and its associated PortMapper
No replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter.
In the case of web security, please seeAuthorizationManager.UseWebExpressionAuthorizationManagerinsteadplease usePathPatternRequestTransformerinsteadIn modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please seeSecurityAnnotationScannerandAuthorizationManager. In the case of channel security, please seeHttpsRedirectFilter. In the case of web security, please seeAuthorizationManager.UseAuthorizationFilterinsteadplease useAuthorizationManagerWebInvocationPrivilegeEvaluatorand adapt any delegateWebInvocationPrivilegeEvaluators intoAuthorizationManagersUseAuthenticationPrincipalArgumentResolverinstead.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.see Certificate and Public Key Pinning for more contextThis existed for an old IE bug and is no longer need.useServerFormLoginAuthenticationConverterinstead.UseServerHttpBasicAuthenticationConverterinstead.Please usePathPatternRequestMatcherinsteadplease usePathPatternRequestMatcherinstead
-
Deprecated Annotation Interfaces
Annotation Interface | Description
use org.springframework.security.core.parameters.P
Use EnableMethodSecurity instead
Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.
Use AuthenticationPrincipal instead.
-
Deprecated Fields
Field | Description
since 5.4 in favor of AbstractMessageMatcherComposite.logger
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
Basic did not evolve into the standard. Instead use Simple Authentication MimeTypeUtils.parseMimeType(WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION.getString())
-
Deprecated Methods
Method | Description
please see RoleHierarchyImpl.setHierarchy(java.lang.String) deprecation notice
Please provide the UserDetailsService in the constructor
please use AuthorizationManager.authorize(Supplier, Object) instead
please use AuthorizationManager.authorize(Supplier, Object) instead
please use AuthorizationObservationContext.getAuthorizationResult() instead
please use AuthorizationObservationContext.setAuthorizationResult(AuthorizationResult) instead
please use AuthorizationEvent.getAuthorizationResult()
please provide all advisors in the constructor
please use AuthorizationManager.authorize(Supplier, Object) instead
Please use AnnotationTemplateExpressionDefaults instead
please use AuthorizationManager.authorize(Supplier, Object) instead
please use AuthorizationManager.authorize(Supplier, Object) instead
please use ReactiveAuthorizationManager.authorize(Mono, Object) instead
please use ReactiveAuthorizationManager.authorize(Mono, Object) instead
For removal in 7.0. Use AbstractConfiguredSecurityBuilder.with(SecurityConfigurerAdapter, Customizer) instead.
For removal in 7.0. Use the lambda based configuration instead.
For removal in 7.0. Use HttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
For removal in 7.0. Use HttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.jee(Customizer) or jee(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.oauth2ResourceServer(Customizer) instead
For removal in 7.0. Use HttpSecurity.portMapper(Customizer) or portMapper(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.rememberMe(Customizer) or rememberMe(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Use the lambda based configuration instead. For example:
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .securityMatchers((matchers) -> matchers
                    .requestMatchers("/api/**")
                )
                .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().hasRole("USER")
                )
                .httpBasic(Customizer.withDefaults());
            return http.build();
        }
    }
For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) or requiresChannel(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.saml2Login(Customizer) or saml2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.saml2Logout(Customizer) or saml2Logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.saml2Metadata(Customizer) or saml2Metadata(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.securityContext(Customizer) or securityContext(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.securityMatchers(Customizer) or securityMatchers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.servletApi(Customizer) or servletApi(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.sessionManagement(Customizer) or sessionManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use the lambda based configuration instead.
Permit access to the DispatcherType instead.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests((authorize) -> authorize
                    .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                    // ...
                );
            return http.build();
        }
    }
For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) or contentTypeOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
see Certificate and Public Key Pinning for more context
see Certificate and Public Key Pinning for more context
For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy() | For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) instead
For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) or userInfoEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) instead
For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use OAuth2ResourceServerConfigurer.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Use this.context instead
For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use SessionManagementConfigurer.sessionConcurrency(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) or authorizeExchange(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.cache(Customizer) or cache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentTypeOptions(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and() | For removal in 7.0. Use #featurePolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) or passwordManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) instead
For removal in 7.0. Use ServerHttpSecurity.redirectToHttps(Customizer) or redirectToHttps(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.
Use LdapUsernameToDnMapper.buildLdapName(String) instead
please use AuthorizationManager.authorize(Supplier, Object) instead
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
Use OidcUserService.setRetrieveUserInfo(Predicate) instead
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
please use ReactiveAuthorizationManager.authorize(Mono, Object) instead
Use RelyingPartyRegistration.mutate() instead
Permit access to the DispatcherType instead.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {

        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .authorizeHttpRequests((authorize) -> authorize
                    .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()
                    // ...
                );
            return http.build();
        }
    }
please use AuthorizationManager.authorize(Supplier, Object) instead
Use StrictHttpFirewall.getEncodedUrlBlocklist() instead
This is deprecated for removal. Users can compare DefaultSavedRequest.getRedirectUrl() to the HttpServletRequest URL instead.
As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
please use ReactiveAuthorizationManager.authorize(Mono, Object) instead
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.setCookieDomain(String)
LobHandler is deprecated without replacement, as such this method will also be removed without replacement
-
Deprecated Constructors
Constructor | Description
Please provide the UserDetailsService in the constructor
Please provide the UserDetailsService in the constructor followed by DaoAuthenticationProvider.setPasswordEncoder(PasswordEncoder) instead
Please use an AuthorizationResult constructor instead
please use a constructor that takes an AuthorizationResult
org.springframework.security.config.annotation.web.builders.WebSecurity(ObjectPostProcessor<Object>)
Please use SpringOpaqueTokenIntrospector.Builder
Use Builder(RelyingPartyRegistration) instead
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
-
Deprecated Enum Constants
Enum Constant | Description
please see PayloadInterceptorOrder.AUTHENTICATION
please see PayloadInterceptorOrder.AUTHENTICATION
ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
AbstractConfiguredSecurityBuilder.with(SecurityConfigurerAdapter, Customizer) instead.