Deprecated API

Contents

• Interfaces
• Classes
• Annotation Interfaces
• Methods
• Constructors

Deprecated Interfaces

Interface	Description
org.springframework.security.access.AccessDecisionManager	Use AuthorizationManager instead
org.springframework.security.access.AccessDecisionVoter	Use AuthorizationManager instead
org.springframework.security.access.AfterInvocationProvider	Use delegation with AuthorizationManager
org.springframework.security.access.annotation.AnnotationMetadataExtractor	Used only by now-deprecated classes. Consider SecuredAuthorizationManager for `@Secured` methods.
org.springframework.security.access.intercept.AfterInvocationManager	Use delegation with AuthorizationManager
org.springframework.security.access.intercept.aspectj.AspectJCallback	This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
org.springframework.security.access.intercept.RunAsManager	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.method.MethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.prepost.PostInvocationAttribute	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.prepost.PostInvocationAuthorizationAdvice	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.prepost.PreInvocationAttribute	Use AuthorizationManagerBeforeMethodInterceptor instead
org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice	Use AuthorizationManagerBeforeMethodInterceptor instead
org.springframework.security.access.prepost.PrePostInvocationAttributeFactory	Use delegation with AuthorizationManager

Deprecated Classes

Class	Description
org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource	Use Jsr250AuthorizationManager instead
org.springframework.security.access.annotation.Jsr250SecurityConfig	Use AuthorizationManagerBeforeMethodInterceptor.jsr250() instead
org.springframework.security.access.annotation.Jsr250Voter	Use Jsr250AuthorizationManager instead
org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource	Use AuthorizationManagerBeforeMethodInterceptor.secured()
org.springframework.security.access.event.AbstractAuthorizationEvent	Authorization events have moved. Consider AuthorizationGrantedEvent and AuthorizationDeniedEvent
org.springframework.security.access.event.AuthenticationCredentialsNotFoundEvent	Authentication is now separated from authorization. Consider AbstractAuthenticationFailureEvent instead.
org.springframework.security.access.event.AuthorizationFailureEvent	Use AuthorizationDeniedEvent instead
org.springframework.security.access.event.AuthorizedEvent	Use AuthorizationGrantedEvent instead
org.springframework.security.access.event.LoggerListener	Logging is now embedded in Spring Security components. If you need further logging, please consider using your own ApplicationListener
org.springframework.security.access.event.PublicInvocationEvent	Only used by now-deprecated classes. Consider EventObject.getSource() to deduce public invocations.
org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory	Use AuthorizationManager interceptors instead
org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.intercept.AbstractSecurityInterceptor	Use org.springframework.security.web.access.intercept.AuthorizationFilter instead for filter security, org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor for messaging security, or AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor for method security.
org.springframework.security.access.intercept.AfterInvocationProviderManager	Use delegation with AuthorizationManager
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor	Please use AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor	Use EnableMethodSecurity or publish interceptors directly
org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor	This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
org.springframework.security.access.intercept.aspectj.MethodInvocationAdapter	This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacement
org.springframework.security.access.intercept.InterceptorStatusToken	Use delegation with AuthorizationManager
org.springframework.security.access.intercept.MethodInvocationPrivilegeEvaluator	Use AuthorizationManager instead
org.springframework.security.access.intercept.RunAsImplAuthenticationProvider	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.intercept.RunAsManagerImpl	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.intercept.RunAsUserToken	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.method.AbstractMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.method.MapBasedMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.prepost.PostInvocationAdviceProvider	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter	Use AuthorizationManagerBeforeMethodInterceptor instead
org.springframework.security.access.prepost.PrePostAdviceReactiveMethodInterceptor	Use AuthorizationManagerBeforeReactiveMethodInterceptor or AuthorizationManagerAfterReactiveMethodInterceptor
org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource	Use PreAuthorizeAuthorizationManager and PostAuthorizeAuthorizationManager instead
org.springframework.security.access.vote.AbstractAccessDecisionManager	Use AuthorizationManager instead
org.springframework.security.access.vote.AbstractAclVoter	Now used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.
org.springframework.security.access.vote.AffirmativeBased	Use AuthorizationManager instead
org.springframework.security.access.vote.AuthenticatedVoter	Use AuthorityAuthorizationManager instead
org.springframework.security.access.vote.ConsensusBased	Use AuthorizationManager instead
org.springframework.security.access.vote.RoleHierarchyVoter	Use AuthorityAuthorizationManager.setRoleHierarchy(org.springframework.security.access.hierarchicalroles.RoleHierarchy) instead
org.springframework.security.access.vote.RoleVoter	Use AuthorityAuthorizationManager instead
org.springframework.security.access.vote.UnanimousBased	Use AuthorizationManager instead
org.springframework.security.authorization.method.ExpressionAttributeAuthorizationDecision	Use ExpressionAuthorizationDecision instead
org.springframework.security.authorization.method.PrePostTemplateDefaults	Please use AnnotationTemplateExpressionDefaults instead

Deprecated Annotation Interfaces

Annotation Interface	Description
org.springframework.security.access.method.P	use @{code org.springframework.security.core.parameters.P}

Deprecated Methods

Method	Description
org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl.setHierarchy(String)	Use RoleHierarchyImpl.fromHierarchy(java.lang.String) instead
org.springframework.security.authentication.DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Properties)	use DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Map)
org.springframework.security.authorization.AuthorityAuthorizationManager.check(Supplier<Authentication>, T)	please use AuthorizationManager.authorize(Supplier, Object) instead
org.springframework.security.authorization.AuthorizationEventPublisher.publishAuthorizationEvent(Supplier<Authentication>, T, AuthorizationDecision)	use AuthorizationEventPublisher.publishAuthorizationEvent(Supplier, Object, AuthorizationResult) instead
org.springframework.security.authorization.AuthorizationManager.check(Supplier<Authentication>, T)	please use AuthorizationManager.authorize(Supplier, Object) instead
org.springframework.security.authorization.AuthorizationObservationContext.getDecision()	please use AuthorizationObservationContext.getAuthorizationResult() instead
org.springframework.security.authorization.AuthorizationObservationContext.setDecision(AuthorizationDecision)	please use AuthorizationObservationContext.setAuthorizationResult(AuthorizationResult) instead
org.springframework.security.authorization.event.AuthorizationEvent.getAuthorizationDecision()	please use AuthorizationEvent.getAuthorizationResult()
org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.setAdvisors(Collection<AuthorizationAdvisor>)	Please use AuthorizationAdvisorProxyFactory.addAdvisor(org.springframework.security.authorization.method.AuthorizationAdvisor) instead
org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.setAdvisors(AuthorizationAdvisor...)	Please use AuthorizationAdvisorProxyFactory.addAdvisor(org.springframework.security.authorization.method.AuthorizationAdvisor) instead
org.springframework.security.authorization.method.Jsr250AuthorizationManager.check(Supplier<Authentication>, MethodInvocation)	please use AuthorizationManager.authorize(Supplier, Object) instead
org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager.setTemplateDefaults(PrePostTemplateDefaults)	Please use PostAuthorizeAuthorizationManager.setTemplateDefaults(AnnotationTemplateExpressionDefaults) instead
org.springframework.security.authorization.method.PostFilterAuthorizationMethodInterceptor.setTemplateDefaults(PrePostTemplateDefaults)	Please use AnnotationTemplateExpressionDefaults instead
org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.setTemplateDefaults(PrePostTemplateDefaults)	Please use PreAuthorizeAuthorizationManager.setTemplateDefaults(AnnotationTemplateExpressionDefaults) instead
org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor.setTemplateDefaults(PrePostTemplateDefaults)	Please use PreFilterAuthorizationMethodInterceptor.setTemplateDefaults(AnnotationTemplateExpressionDefaults) instead
org.springframework.security.authorization.method.SecuredAuthorizationManager.check(Supplier<Authentication>, MethodInvocation)	please use AuthorizationManager.authorize(Supplier, Object) instead
org.springframework.security.authorization.ObservationAuthorizationManager.check(Supplier<Authentication>, T)	please use AuthorizationManager.authorize(Supplier, Object) instead
org.springframework.security.authorization.ObservationReactiveAuthorizationManager.check(Mono<Authentication>, T)	please use ReactiveAuthorizationManager.authorize(Mono, Object) instead
org.springframework.security.authorization.ReactiveAuthorizationManager.check(Mono<Authentication>, T)	please use ReactiveAuthorizationManager.authorize(Mono, Object) instead
org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder()	Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

Deprecated Constructors

Constructor	Description
org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl()	Use RoleHierarchyImpl.fromHierarchy(java.lang.String) instead
org.springframework.security.authorization.event.AuthorizationDeniedEvent(Supplier<Authentication>, T, AuthorizationDecision)	Please use an AuthorizationResult constructor instead
org.springframework.security.authorization.event.AuthorizationGrantedEvent(Supplier<Authentication>, T, AuthorizationDecision)	please use a constructor that takes an AuthorizationResult