Deprecated List (spring-security-config 7.0.0-RC2 API)

Terminally Deprecated Elements

Element

Description

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy(Customizer<HeadersConfigurer.PermissionsPolicyConfig>)

For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) instead

org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()

For removal in 7.0. Use #featurePolicy(Customizer) instead

Deprecated Classes

Class

Description

org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration

Use PrePostMethodSecurityConfiguration, SecuredMethodSecurityConfiguration, or Jsr250MethodSecurityConfiguration instead

org.springframework.security.config.annotation.web.configurers.AbstractConfigAttributeRequestMatcherRegistry

In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.

org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer

please use HttpsRedirectConfigurer instead

org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.ChannelRequestMatcherRegistry

no replacement planned

org.springframework.security.config.annotation.web.configurers.ChannelSecurityConfigurer.RequiresChannelUrl

no replacement planned

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HpkpConfig

see Certificate and Public Key Pinning for more context

org.springframework.security.config.annotation.web.servlet.configuration.WebMvcSecurityConfiguration

This is applied internally using SpringWebMvcImportSelector

org.springframework.security.config.http.ChannelAttributeFactory

In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.

org.springframework.security.config.http.FilterInvocationSecurityMetadataSourceParser

Use `use-authorization-manager` property instead

org.springframework.security.config.http.MessageMatcherFactoryBean

org.springframework.security.config.http.RequestMatcherFactoryBean

org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser

Use MethodSecurityBeanDefinitionParser instead

org.springframework.security.config.method.MethodSecurityMetadataSourceBeanDefinitionParser

Use <intercept-methods>, <method-security>, or @EnableMethodSecurity

Deprecated Annotation Interfaces

Annotation Interface

Description

org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity

Use EnableMethodSecurity instead

Deprecated Methods

Method

Description

org.springframework.security.config.annotation.rsocket.RSocketSecurity.basicAuthentication(Customizer<RSocketSecurity.BasicAuthenticationSpec>)

Use RSocketSecurity.simpleAuthentication(Customizer)

org.springframework.security.config.annotation.web.builders.HttpSecurity.requiresChannel(Customizer<ChannelSecurityConfigurer.ChannelRequestMatcherRegistry>)

Use HttpSecurity.redirectToHttps(org.springframework.security.config.Customizer<org.springframework.security.config.annotation.web.configurers.HttpsRedirectConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>>)

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.featurePolicy(String)

For removal in 7.0. Use HeadersConfigurer.permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig>)

see Certificate and Public Key Pinning for more context

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.permissionsPolicy(Customizer<HeadersConfigurer.PermissionsPolicyConfig>)

For removal in 7.0. Use HeadersConfigurer.permissionsPolicyHeader(Customizer) instead

org.springframework.security.config.annotation.web.configurers.ott.OneTimeTokenLoginConfigurer.authenticationFailureHandler(AuthenticationFailureHandler)

Use AbstractAuthenticationFilterConfigurer.failureHandler(AuthenticationFailureHandler) instead

org.springframework.security.config.annotation.web.configurers.ott.OneTimeTokenLoginConfigurer.authenticationSuccessHandler(AuthenticationSuccessHandler)

Use AbstractAuthenticationFilterConfigurer.successHandler(AuthenticationSuccessHandler) instead

org.springframework.security.config.annotation.web.configurers.ott.OneTimeTokenLoginConfigurer.getContext()

Use this.context instead

org.springframework.security.config.annotation.web.configurers.saml2.Saml2LoginConfigurer.authenticationRequestUri(String)

Use Saml2LoginConfigurer.authenticationRequestUriQuery(java.lang.String) instead

org.springframework.security.config.annotation.web.configurers.X509Configurer.subjectPrincipalRegex(String)

Please use {x509PrincipalExtractor(X509PrincipalExtractor) instead

org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.featurePolicy(String)

For removal in 7.0. Use ServerHttpSecurity.HeaderSpec.permissionsPolicy(Customizer) instead.

org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec.FeaturePolicySpec.and()

For removal in 7.0. Use #featurePolicy(Customizer) instead

Deprecated Enum Constants

Enum Constant

Description

org.springframework.security.config.annotation.rsocket.PayloadInterceptorOrder.BASIC_AUTHENTICATION

please see PayloadInterceptorOrder.AUTHENTICATION

org.springframework.security.config.annotation.rsocket.PayloadInterceptorOrder.JWT_AUTHENTICATION

please see PayloadInterceptorOrder.AUTHENTICATION