Deprecated API

Contents

• Terminally Deprecated
• Interfaces
• Classes
• Annotation Interfaces
• Methods
• Constructors

Terminally Deprecated Elements

Element	Description
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder(ObjectPostProcessor<Object>)
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder(ObjectPostProcessor<Object>, boolean)
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.apply(C)	For removal in 7.0. Use AbstractConfiguredSecurityBuilder.with(SecurityConfigurerAdapter, Customizer) instead.
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder(ObjectPostProcessor<Object>)
org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.authentication.configurers.userdetails.AbstractDaoAuthenticationConfigurer.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration.setObjectPostProcessor(ObjectPostProcessor<Object>)
org.springframework.security.config.annotation.SecurityConfigurerAdapter.addObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.SecurityConfigurerAdapter.and()	For removal in 7.0. Use the lambda based configuration instead.
org.springframework.security.config.annotation.web.builders.HttpSecurity(ObjectPostProcessor<Object>, AuthenticationManagerBuilder, Map<Class<?>, Object>)
org.springframework.security.config.annotation.web.builders.HttpSecurity.anonymous()	For removal in 7.0. Use HttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeHttpRequests()	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeRequests()	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry>)	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.cors()	For removal in 7.0. Use HttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.csrf()	For removal in 7.0. Use HttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.exceptionHandling()	For removal in 7.0. Use HttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.formLogin()	For removal in 7.0. Use HttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.headers()	For removal in 7.0. Use HttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.httpBasic()	For removal in 7.0. Use HttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.jee()	For removal in 7.0. Use HttpSecurity.jee(Customizer) or jee(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.logout()	For removal in 7.0. Use HttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2Client()	For removal in 7.0. Use HttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2Login()	For removal in 7.0. Use HttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2ResourceServer()	For removal in 7.0. Use HttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.portMapper()	For removal in 7.0. Use HttpSecurity.portMapper(Customizer) or portMapper(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.rememberMe()	For removal in 7.0. Use HttpSecurity.rememberMe(Customizer) or rememberMe(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.requestCache()	For removal in 7.0. Use HttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.RequestMatcherConfigurer.and()	Use the lambda based configuration instead. For example: @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .securityMatchers((matchers) -> matchers .requestMatchers("/api/**") ) .authorizeHttpRequests((authorize) -> authorize .anyRequest().hasRole("USER") ) .httpBasic(Customizer.withDefaults()); return http.build(); } }
org.springframework.security.config.annotation.web.builders.HttpSecurity.requiresChannel()	For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) or requiresChannel(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Login()	For removal in 7.0. Use HttpSecurity.saml2Login(Customizer) or saml2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Logout()	For removal in 7.0. Use HttpSecurity.saml2Logout(Customizer) or saml2Logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Metadata()	For removal in 7.0. Use HttpSecurity.saml2Metadata(Customizer) or saml2Metadata(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.securityContext()	For removal in 7.0. Use HttpSecurity.securityContext(Customizer) or securityContext(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.securityMatchers()	For removal in 7.0. Use HttpSecurity.securityMatchers(Customizer) or securityMatchers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.servletApi()	For removal in 7.0. Use HttpSecurity.servletApi(Customizer) or servletApi(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.sessionManagement()	For removal in 7.0. Use HttpSecurity.sessionManagement(Customizer) or sessionManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.x509()	For removal in 7.0. Use HttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.WebSecurity(ObjectPostProcessor<Object>)
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.and()	For removal in 7.0. Use the lambda based configuration instead.
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.shouldFilterAllDispatcherTypes(boolean)	Permit access to the DispatcherType instead. @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.ChannelRequestMatcherRegistry.and()	For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) instead
org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.ChannelRequestMatcherRegistry.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.cacheControl()	For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CacheControlConfig.and()	For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.contentSecurityPolicy(String)	For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ContentSecurityPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.contentTypeOptions()	For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) or contentTypeOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ContentTypeOptionsConfig.and()	For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginEmbedderPolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginEmbedderPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginOpenerPolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginOpenerPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginResourcePolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginResourcePolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.frameOptions()	For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig.and()	For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig.and()	For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpStrictTransportSecurity()	For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy()	For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy(Customizer<HeadersConfigurer.PermissionsPolicyConfig>)	For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.PermissionsPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.referrerPolicy()	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy)	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ReferrerPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.xssProtection()	For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig.and()	For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer.authorizationCodeGrant()	For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer.AuthorizationCodeGrantConfigurer.and()	For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.authorizationEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.AuthorizationEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.redirectionEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.RedirectionEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.tokenEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.TokenEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.userInfoEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) or userInfoEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.UserInfoEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer.and()
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.jwt()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.JwtConfigurer.and()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.opaqueToken()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.logoutRequest()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.LogoutRequestConfigurer.and()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.logoutResponse()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.LogoutResponseConfigurer.and()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.ConcurrencyControlConfigurer.and()	For removal in 7.0. Use SessionManagementConfigurer.sessionConcurrency(Customizer) instead
org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.web.server.ServerHttpSecurity.anonymous()	For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.AnonymousSpec.and()	For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.authorizeExchange()	For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) or authorizeExchange(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec.and()	For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.cors()	For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.CorsSpec.and()	For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.csrf()	For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec.and()	For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.exceptionHandling()	For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.ExceptionHandlingSpec.and()	For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.formLogin()	For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.FormLoginSpec.and()	For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.headers()	For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.and()	For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.cache()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.cache(Customizer) or cache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(String)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.contentTypeOptions()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentTypeOptions(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()	For removal in 7.0. Use #featurePolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.frameOptions()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.hsts()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.HstsSpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.permissionsPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.referrerPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.xssProtection()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.httpBasic()	For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HttpBasicSpec.and()	For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HttpsRedirectSpec.and()	use ServerHttpSecurity.redirectToHttps(Customizer)
org.springframework.security.config.web.server.ServerHttpSecurity.logout()	For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.LogoutSpec.and()	For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2Client()	For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ClientSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2Login()	For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2LoginSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2ResourceServer()	For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.jwt()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.JwtSpec.and()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.OpaqueTokenSpec.and()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OidcLogoutSpec.and()
org.springframework.security.config.web.server.ServerHttpSecurity.passwordManagement()	For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) or passwordManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.PasswordManagementSpec.and()	For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.redirectToHttps()	For removal in 7.0. Use ServerHttpSecurity.redirectToHttps(Customizer) or redirectToHttps(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.requestCache()	For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.RequestCacheSpec.and()	For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.x509()	For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.X509Spec.and()	For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Deprecated Interfaces

Interface	Description
org.springframework.security.config.annotation.ObjectPostProcessor	please use ObjectPostProcessor instead

Deprecated Classes

Class	Description
org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration	Use PrePostMethodSecurityConfiguration, SecuredMethodSecurityConfiguration, or Jsr250MethodSecurityConfiguration instead
org.springframework.security.config.annotation.web.configurers.AbstractInterceptUrlConfigurer	Use AuthorizeHttpRequestsConfigurer instead
org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer	Use AuthorizeHttpRequestsConfigurer instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HpkpConfig	see Certificate and Public Key Pinning for more context
org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer	Use AuthorizeHttpRequestsConfigurer instead
org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration	This is applied internally using SpringWebMvcImportSelector
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer	Use EnableWebSocketSecurity instead
org.springframework.security.config.http.FilterInvocationSecurityMetadataSourceParser	Use `use-authorization-manager` property instead
org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser	Use MethodSecurityBeanDefinitionParser instead
org.springframework.security.config.method.MethodSecurityMetadataSourceBeanDefinitionParser	Use <intercept-methods>, <method-security>, or @EnableMethodSecurity

Deprecated Annotation Interfaces

Annotation Interface	Description
org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity	Use EnableMethodSecurity instead
org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity	Use EnableWebSecurity instead which will automatically add the Spring MVC related Security items.

Deprecated Methods

Method	Description
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.apply(C)	For removal in 7.0. Use AbstractConfiguredSecurityBuilder.with(SecurityConfigurerAdapter, Customizer) instead.
org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.authentication.configurers.userdetails.AbstractDaoAuthenticationConfigurer.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration.setObjectPostProcessor(ObjectPostProcessor<Object>)
org.springframework.security.config.annotation.rsocket.RSocketSecurity.basicAuthentication(Customizer<RSocketSecurity.BasicAuthenticationSpec>)	Use RSocketSecurity.simpleAuthentication(Customizer)
org.springframework.security.config.annotation.SecurityConfigurerAdapter.addObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.SecurityConfigurerAdapter.and()	For removal in 7.0. Use the lambda based configuration instead.
org.springframework.security.config.annotation.web.builders.HttpSecurity.anonymous()	For removal in 7.0. Use HttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeHttpRequests()	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeRequests()	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.authorizeRequests(Customizer<ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry>)	For removal in 7.0. Use HttpSecurity.authorizeHttpRequests(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.cors()	For removal in 7.0. Use HttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.csrf()	For removal in 7.0. Use HttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.exceptionHandling()	For removal in 7.0. Use HttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.formLogin()	For removal in 7.0. Use HttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.headers()	For removal in 7.0. Use HttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.httpBasic()	For removal in 7.0. Use HttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.jee()	For removal in 7.0. Use HttpSecurity.jee(Customizer) or jee(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.logout()	For removal in 7.0. Use HttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2Client()	For removal in 7.0. Use HttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2Login()	For removal in 7.0. Use HttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.oauth2ResourceServer()	For removal in 7.0. Use HttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.annotation.web.builders.HttpSecurity.portMapper()	For removal in 7.0. Use HttpSecurity.portMapper(Customizer) or portMapper(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.rememberMe()	For removal in 7.0. Use HttpSecurity.rememberMe(Customizer) or rememberMe(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.requestCache()	For removal in 7.0. Use HttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.RequestMatcherConfigurer.and()	Use the lambda based configuration instead. For example: @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .securityMatchers((matchers) -> matchers .requestMatchers("/api/**") ) .authorizeHttpRequests((authorize) -> authorize .anyRequest().hasRole("USER") ) .httpBasic(Customizer.withDefaults()); return http.build(); } }
org.springframework.security.config.annotation.web.builders.HttpSecurity.requiresChannel()	For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) or requiresChannel(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Login()	For removal in 7.0. Use HttpSecurity.saml2Login(Customizer) or saml2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Logout()	For removal in 7.0. Use HttpSecurity.saml2Logout(Customizer) or saml2Logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.saml2Metadata()	For removal in 7.0. Use HttpSecurity.saml2Metadata(Customizer) or saml2Metadata(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.securityContext()	For removal in 7.0. Use HttpSecurity.securityContext(Customizer) or securityContext(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.securityMatchers()	For removal in 7.0. Use HttpSecurity.securityMatchers(Customizer) or securityMatchers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.servletApi()	For removal in 7.0. Use HttpSecurity.servletApi(Customizer) or servletApi(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.sessionManagement()	For removal in 7.0. Use HttpSecurity.sessionManagement(Customizer) or sessionManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.builders.HttpSecurity.x509()	For removal in 7.0. Use HttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.and()	For removal in 7.0. Use the lambda based configuration instead.
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.shouldFilterAllDispatcherTypes(boolean)	Permit access to the DispatcherType instead. @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer.AuthorizationManagerRequestMatcherRegistry.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.ChannelRequestMatcherRegistry.and()	For removal in 7.0. Use HttpSecurity.requiresChannel(Customizer) instead
org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.ChannelRequestMatcherRegistry.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.cacheControl()	For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CacheControlConfig.and()	For removal in 7.0. Use HeadersConfigurer.cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.contentSecurityPolicy(String)	For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ContentSecurityPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.contentTypeOptions()	For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) or contentTypeOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ContentTypeOptionsConfig.and()	For removal in 7.0. Use HeadersConfigurer.contentTypeOptions(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginEmbedderPolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginEmbedderPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginOpenerPolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginOpenerPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.crossOriginResourcePolicy()	For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.CrossOriginResourcePolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.featurePolicy(String)	For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.frameOptions()	For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig.and()	For removal in 7.0. Use HeadersConfigurer.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig.and()	For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpPublicKeyPinning()	see Certificate and Public Key Pinning for more context
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig>)	see Certificate and Public Key Pinning for more context
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpStrictTransportSecurity()	For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy()	For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy(Customizer<HeadersConfigurer.PermissionsPolicyConfig>)	For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.PermissionsPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) instead
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.referrerPolicy()	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy)	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.ReferrerPolicyConfig.and()	For removal in 7.0. Use HeadersConfigurer.referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.xssProtection()	For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig.and()	For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer.authorizationCodeGrant()	For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2ClientConfigurer.AuthorizationCodeGrantConfigurer.and()	For removal in 7.0. Use OAuth2ClientConfigurer.authorizationCodeGrant(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.authorizationEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.AuthorizationEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.authorizationEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.redirectionEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.RedirectionEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.redirectionEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.tokenEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.TokenEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.tokenEndpoint(Customizer) or tokenEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.userInfoEndpoint()	For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) or userInfoEndpoint(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer.UserInfoEndpointConfig.and()	For removal in 7.0. Use OAuth2LoginConfigurer.userInfoEndpoint(Customizer) instead
org.springframework.security.config.annotation.web.configurers.oauth2.client.OidcLogoutConfigurer.and()
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.jwt()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.JwtConfigurer.and()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.opaqueToken()	For removal in 7.0. Use OAuth2ResourceServerConfigurer.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer.authenticationRequestUri(String)	Use Saml2LoginConfigurer.authenticationRequestUriQuery(java.lang.String) instead
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.logoutRequest()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.LogoutRequestConfigurer.and()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutRequest(Customizer) or logoutRequest(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.logoutResponse()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.saml2.Saml2LogoutConfigurer.LogoutResponseConfigurer.and()	For removal in 7.0. Use Saml2LogoutConfigurer.logoutResponse(Customizer) or logoutResponse(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer.ConcurrencyControlConfigurer.and()	For removal in 7.0. Use SessionManagementConfigurer.sessionConcurrency(Customizer) instead
org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer.withObjectPostProcessor(ObjectPostProcessor<?>)
org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer.setMessageExpessionHandler(List<SecurityExpressionHandler<Message<Object>>>)
org.springframework.security.config.web.server.ServerHttpSecurity.anonymous()	For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.AnonymousSpec.and()	For removal in 7.0. Use ServerHttpSecurity.anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.authorizeExchange()	For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) or authorizeExchange(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec.and()	For removal in 7.0. Use ServerHttpSecurity.authorizeExchange(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.cors()	For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.CorsSpec.and()	For removal in 7.0. Use ServerHttpSecurity.cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.csrf()	For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec.and()	For removal in 7.0. Use ServerHttpSecurity.csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.exceptionHandling()	For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.ExceptionHandlingSpec.and()	For removal in 7.0. Use ServerHttpSecurity.exceptionHandling(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.formLogin()	For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.FormLoginSpec.and()	For removal in 7.0. Use ServerHttpSecurity.formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.headers()	For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.and()	For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.cache()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.cache(Customizer) or cache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(String)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentSecurityPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.contentTypeOptions()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.contentTypeOptions(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginEmbedderPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginOpenerPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.crossOriginResourcePolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.featurePolicy(String)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()	For removal in 7.0. Use #featurePolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.frameOptions()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.hsts()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.HstsSpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.permissionsPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.referrerPolicy()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy)	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead.
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec.and()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.referrerPolicy(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.xssProtection()	For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.httpBasic()	For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HttpBasicSpec.and()	For removal in 7.0. Use ServerHttpSecurity.httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.HttpsRedirectSpec.and()	use ServerHttpSecurity.redirectToHttps(Customizer)
org.springframework.security.config.web.server.ServerHttpSecurity.logout()	For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.LogoutSpec.and()	For removal in 7.0. Use ServerHttpSecurity.logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2Client()	For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ClientSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2Login()	For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2LoginSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.oauth2ResourceServer()	For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.and()	For removal in 7.0. Use ServerHttpSecurity.oauth2ResourceServer(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.jwt()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.JwtSpec.and()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.jwt(Customizer) or jwt(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) or opaqueToken(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2ResourceServerSpec.OpaqueTokenSpec.and()	For removal in 7.0. Use ServerHttpSecurity.OAuth2ResourceServerSpec.opaqueToken(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.OidcLogoutSpec.and()
org.springframework.security.config.web.server.ServerHttpSecurity.passwordManagement()	For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) or passwordManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.PasswordManagementSpec.and()	For removal in 7.0. Use ServerHttpSecurity.passwordManagement(Customizer) instead
org.springframework.security.config.web.server.ServerHttpSecurity.redirectToHttps()	For removal in 7.0. Use ServerHttpSecurity.redirectToHttps(Customizer) or redirectToHttps(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.requestCache()	For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.RequestCacheSpec.and()	For removal in 7.0. Use ServerHttpSecurity.requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.x509()	For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
org.springframework.security.config.web.server.ServerHttpSecurity.X509Spec.and()	For removal in 7.0. Use ServerHttpSecurity.x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Deprecated Constructors

Constructor	Description
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder(ObjectPostProcessor<Object>)
org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder(ObjectPostProcessor<Object>, boolean)
org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder(ObjectPostProcessor<Object>)
org.springframework.security.config.annotation.web.builders.HttpSecurity(ObjectPostProcessor<Object>, AuthenticationManagerBuilder, Map<Class<?>, Object>)
org.springframework.security.config.annotation.web.builders.WebSecurity(ObjectPostProcessor<Object>)