Deprecated List (spring-security-core 6.5.1 API)

Deprecated Interfaces

Interface

Description

org.springframework.security.access.AccessDecisionManager

Use AuthorizationManager instead

org.springframework.security.access.AccessDecisionVoter

Use AuthorizationManager instead

org.springframework.security.access.AfterInvocationProvider

Use delegation with AuthorizationManager

org.springframework.security.access.annotation.AnnotationMetadataExtractor

Used only by now-deprecated classes. Consider SecuredAuthorizationManager for `@Secured` methods.

org.springframework.security.access.ConfigAttribute

In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.

org.springframework.security.access.intercept.AfterInvocationManager

Use delegation with AuthorizationManager

org.springframework.security.access.intercept.aspectj.AspectJCallback

This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.

org.springframework.security.access.intercept.RunAsManager

Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.

org.springframework.security.access.method.MethodSecurityMetadataSource

Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization

org.springframework.security.access.prepost.PostInvocationAttribute

Use AuthorizationManagerAfterMethodInterceptor instead

org.springframework.security.access.prepost.PostInvocationAuthorizationAdvice

Use AuthorizationManagerAfterMethodInterceptor instead

org.springframework.security.access.prepost.PreInvocationAttribute

Use AuthorizationManagerBeforeMethodInterceptor instead

org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice

Use AuthorizationManagerBeforeMethodInterceptor instead

org.springframework.security.access.prepost.PrePostInvocationAttributeFactory

Use delegation with AuthorizationManager

org.springframework.security.access.SecurityMetadataSource

In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.

Deprecated Classes

Class

Description

org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource

Use Jsr250AuthorizationManager instead

org.springframework.security.access.annotation.Jsr250SecurityConfig

Use AuthorizationManagerBeforeMethodInterceptor.jsr250() instead

org.springframework.security.access.annotation.Jsr250Voter

Use Jsr250AuthorizationManager instead

org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource

Use AuthorizationManagerBeforeMethodInterceptor.secured()

org.springframework.security.access.event.AbstractAuthorizationEvent

Authorization events have moved. Consider AuthorizationGrantedEvent and AuthorizationDeniedEvent

org.springframework.security.access.event.AuthenticationCredentialsNotFoundEvent

Authentication is now separated from authorization. Consider AbstractAuthenticationFailureEvent instead.

org.springframework.security.access.event.AuthorizationFailureEvent

Use AuthorizationDeniedEvent instead

org.springframework.security.access.event.AuthorizedEvent

Use AuthorizationGrantedEvent instead

org.springframework.security.access.event.LoggerListener

Logging is now embedded in Spring Security components. If you need further logging, please consider using your own ApplicationListener

org.springframework.security.access.event.PublicInvocationEvent

Only used by now-deprecated classes. Consider EventObject.getSource() to deduce public invocations.

org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory

Use AuthorizationManager interceptors instead

org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice

Use AuthorizationManagerAfterMethodInterceptor instead

org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice

Use AuthorizationManagerAfterMethodInterceptor instead

org.springframework.security.access.intercept.AbstractSecurityInterceptor

Use org.springframework.security.web.access.intercept.AuthorizationFilter instead for filter security, org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor for messaging security, or AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor for method security.

org.springframework.security.access.intercept.AfterInvocationProviderManager

Use delegation with AuthorizationManager

org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor

Please use AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor instead

org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor

Use EnableMethodSecurity or publish interceptors directly

org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor

This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.

org.springframework.security.access.intercept.aspectj.MethodInvocationAdapter

This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacement

org.springframework.security.access.intercept.InterceptorStatusToken

Use delegation with AuthorizationManager

org.springframework.security.access.intercept.MethodInvocationPrivilegeEvaluator

Use AuthorizationManager instead

org.springframework.security.access.intercept.RunAsImplAuthenticationProvider

Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.

org.springframework.security.access.intercept.RunAsManagerImpl

Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.

org.springframework.security.access.intercept.RunAsUserToken

Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.

org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource

Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization

org.springframework.security.access.method.AbstractMethodSecurityMetadataSource

Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization

org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource

Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization

org.springframework.security.access.method.MapBasedMethodSecurityMetadataSource

Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization

org.springframework.security.access.prepost.PostInvocationAdviceProvider

Use AuthorizationManagerAfterMethodInterceptor instead

org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter

Use AuthorizationManagerBeforeMethodInterceptor instead

org.springframework.security.access.prepost.PrePostAdviceReactiveMethodInterceptor

Use AuthorizationManagerBeforeReactiveMethodInterceptor or AuthorizationManagerAfterReactiveMethodInterceptor

org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource

Use PreAuthorizeAuthorizationManager and PostAuthorizeAuthorizationManager instead

org.springframework.security.access.SecurityConfig

In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.

org.springframework.security.access.vote.AbstractAccessDecisionManager

Use AuthorizationManager instead

org.springframework.security.access.vote.AbstractAclVoter

Now used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.

org.springframework.security.access.vote.AffirmativeBased

Use AuthorizationManager instead

org.springframework.security.access.vote.AuthenticatedVoter

Use AuthorityAuthorizationManager instead

org.springframework.security.access.vote.ConsensusBased

Use AuthorizationManager instead

org.springframework.security.access.vote.RoleHierarchyVoter

Use AuthorityAuthorizationManager.setRoleHierarchy(org.springframework.security.access.hierarchicalroles.RoleHierarchy) instead

org.springframework.security.access.vote.RoleVoter

Use AuthorityAuthorizationManager instead

org.springframework.security.access.vote.UnanimousBased

Use AuthorizationManager instead

org.springframework.security.authorization.method.ExpressionAttributeAuthorizationDecision

Use ExpressionAuthorizationDecision instead

org.springframework.security.authorization.method.PrePostTemplateDefaults

Please use AnnotationTemplateExpressionDefaults instead

Deprecated Annotation Interfaces

Annotation Interface

Description

org.springframework.security.access.method.P

use @{code org.springframework.security.core.parameters.P}

Deprecated Methods

Method

Description

org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl.setHierarchy(String)

Use RoleHierarchyImpl.fromHierarchy(java.lang.String) instead

org.springframework.security.access.hierarchicalroles.RoleHierarchyUtils.roleHierarchyFromMap(Map<String, List<String>>)

please see RoleHierarchyImpl.setHierarchy(java.lang.String) deprecation notice

org.springframework.security.authentication.dao.DaoAuthenticationProvider.setUserDetailsService(UserDetailsService)

Please provide the UserDetailsService in the constructor

org.springframework.security.authentication.DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Properties)

use DefaultAuthenticationEventPublisher.setAdditionalExceptionMappings(Map)

org.springframework.security.authorization.AuthorityAuthorizationManager.check(Supplier<Authentication>, T)

please use AuthorizationManager.authorize(Supplier, Object) instead

org.springframework.security.authorization.AuthorizationEventPublisher.publishAuthorizationEvent(Supplier<Authentication>, T, AuthorizationDecision)

use AuthorizationEventPublisher.publishAuthorizationEvent(Supplier, Object, AuthorizationResult) instead

org.springframework.security.authorization.AuthorizationManager.check(Supplier<Authentication>, T)

please use AuthorizationManager.authorize(Supplier, Object) instead

org.springframework.security.authorization.AuthorizationObservationContext.getDecision()

please use AuthorizationObservationContext.getAuthorizationResult() instead

org.springframework.security.authorization.AuthorizationObservationContext.setDecision(AuthorizationDecision)

please use AuthorizationObservationContext.setAuthorizationResult(AuthorizationResult) instead

org.springframework.security.authorization.event.AuthorizationEvent.getAuthorizationDecision()

please use AuthorizationEvent.getAuthorizationResult()

org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.addAdvisor(AuthorizationAdvisor)

please provide all advisors in the constructor

org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.setAdvisors(Collection<AuthorizationAdvisor>)

Please use AuthorizationAdvisorProxyFactory.addAdvisor(org.springframework.security.authorization.method.AuthorizationAdvisor) instead

org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.setAdvisors(AuthorizationAdvisor...)

Please use AuthorizationAdvisorProxyFactory.addAdvisor(org.springframework.security.authorization.method.AuthorizationAdvisor) instead

org.springframework.security.authorization.method.Jsr250AuthorizationManager.check(Supplier<Authentication>, MethodInvocation)

please use AuthorizationManager.authorize(Supplier, Object) instead

org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager.setTemplateDefaults(PrePostTemplateDefaults)

Please use PostAuthorizeAuthorizationManager.setTemplateDefaults(AnnotationTemplateExpressionDefaults) instead

org.springframework.security.authorization.method.PostAuthorizeReactiveAuthorizationManager.setTemplateDefaults(PrePostTemplateDefaults)

please use PostAuthorizeReactiveAuthorizationManager.setTemplateDefaults(AnnotationTemplateExpressionDefaults)

org.springframework.security.authorization.method.PostFilterAuthorizationMethodInterceptor.setTemplateDefaults(PrePostTemplateDefaults)

Please use AnnotationTemplateExpressionDefaults instead

org.springframework.security.authorization.method.PostFilterAuthorizationReactiveMethodInterceptor.setTemplateDefaults(PrePostTemplateDefaults)

please use PostFilterAuthorizationReactiveMethodInterceptor.setTemplateDefaults(AnnotationTemplateExpressionDefaults)

org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager.setTemplateDefaults(PrePostTemplateDefaults)

Please use PreAuthorizeAuthorizationManager.setTemplateDefaults(AnnotationTemplateExpressionDefaults) instead

org.springframework.security.authorization.method.PreAuthorizeReactiveAuthorizationManager.setTemplateDefaults(PrePostTemplateDefaults)

please use PreAuthorizeReactiveAuthorizationManager.setTemplateDefaults(AnnotationTemplateExpressionDefaults)

org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor.setTemplateDefaults(PrePostTemplateDefaults)

Please use PreFilterAuthorizationMethodInterceptor.setTemplateDefaults(AnnotationTemplateExpressionDefaults) instead

org.springframework.security.authorization.method.PreFilterAuthorizationReactiveMethodInterceptor.setTemplateDefaults(PrePostTemplateDefaults)

please use PreFilterAuthorizationReactiveMethodInterceptor.setTemplateDefaults(AnnotationTemplateExpressionDefaults)

org.springframework.security.authorization.method.SecuredAuthorizationManager.check(Supplier<Authentication>, MethodInvocation)

please use AuthorizationManager.authorize(Supplier, Object) instead

org.springframework.security.authorization.ObservationAuthorizationManager.check(Supplier<Authentication>, T)

please use AuthorizationManager.authorize(Supplier, Object) instead

org.springframework.security.authorization.ObservationReactiveAuthorizationManager.check(Mono<Authentication>, T)

please use ReactiveAuthorizationManager.authorize(Mono, Object) instead

org.springframework.security.authorization.ReactiveAuthorizationManager.check(Mono<Authentication>, T)

please use ReactiveAuthorizationManager.authorize(Mono, Object) instead

org.springframework.security.core.userdetails.User.withDefaultPasswordEncoder()

Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details. There are no plans to remove this support. It is deprecated to indicate that this is considered insecure for production purposes.

Deprecated Constructors

Constructor

Description

org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl()

Use RoleHierarchyImpl.fromHierarchy(java.lang.String) instead

org.springframework.security.authentication.dao.DaoAuthenticationProvider()

Please provide the UserDetailsService in the constructor

org.springframework.security.authentication.dao.DaoAuthenticationProvider(PasswordEncoder)

Please provide the UserDetailsService in the constructor followed by DaoAuthenticationProvider.setPasswordEncoder(PasswordEncoder) instead

org.springframework.security.authorization.event.AuthorizationDeniedEvent(Supplier<Authentication>, T, AuthorizationDecision)

Please use an AuthorizationResult constructor instead

org.springframework.security.authorization.event.AuthorizationGrantedEvent(Supplier<Authentication>, T, AuthorizationDecision)

please use a constructor that takes an AuthorizationResult