Deprecated API

Contents

• Interfaces
• Classes
• Annotation Interfaces
• Methods
• Constructors
• Enum Constants

Deprecated Interfaces

Interface	Description
org.springframework.security.web.header.writers.frameoptions.AllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.util.matcher.RequestVariablesExtractor	use RequestMatcher.MatchResult from RequestMatcher.matcher(HttpServletRequest)

Deprecated Classes

Class	Description
org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator	Use AuthorizationManagerWebInvocationPrivilegeEvaluator instead
org.springframework.security.web.access.expression.WebExpressionVoter	Use WebExpressionAuthorizationManager instead
org.springframework.security.web.access.intercept.FilterSecurityInterceptor	Use AuthorizationFilter instead
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver	Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.web.context.HttpRequestResponseHolder	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest)
org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest) instead.
org.springframework.security.web.context.SecurityContextPersistenceFilter	Use SecurityContextHolderFilter
org.springframework.security.web.csrf.LazyCsrfTokenRepository	Use CsrfTokenRepository.loadDeferredToken(HttpServletRequest, HttpServletResponse) which returns a DeferredCsrfToken
org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.HpkpHeaderWriter	see Certificate and Public Key Pinning for more context
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter	use ServerFormLoginAuthenticationConverter instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter	Use ServerHttpBasicAuthenticationConverter instead.

Deprecated Annotation Interfaces

Annotation Interface	Description
org.springframework.security.web.bind.annotation.AuthenticationPrincipal	Use AuthenticationPrincipal instead.

Deprecated Methods

Method	Description
org.springframework.security.web.context.SecurityContextRepository.loadContext(HttpRequestResponseHolder)	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest) instead.
org.springframework.security.web.firewall.StrictHttpFirewall.getEncodedUrlBlacklist()	Use StrictHttpFirewall.getEncodedUrlBlocklist() instead
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>)	As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation)	Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.util.matcher.AntPathRequestMatcher.extractUriTemplateVariables(HttpServletRequest)

Deprecated Constructors

Constructor	Description
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter(AllowFromStrategy)	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.

Deprecated Enum Constants

Enum Constant	Description
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.