Deprecated API

Contents

• Terminally Deprecated
• Interfaces
• Classes
• Annotation Interfaces
• Methods
• Constructors
• Enum Constants

Terminally Deprecated Elements

Element	Description
org.springframework.security.web.access.intercept.AuthorizationFilter.setShouldFilterAllDispatcherTypes(boolean)	Permit access to the DispatcherType instead. @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
org.springframework.security.web.savedrequest.SavedCookie(String, String, String, String, int, String, boolean, int)	use SavedCookie(String, String, String, int, String, boolean) instead
org.springframework.security.web.savedrequest.SavedCookie.getComment()
org.springframework.security.web.savedrequest.SavedCookie.getVersion()

Deprecated Interfaces

Interface	Description
org.springframework.security.web.header.writers.frameoptions.AllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.util.matcher.RequestVariablesExtractor	use RequestMatcher.MatchResult from RequestMatcher.matcher(HttpServletRequest)

Deprecated Classes

Class	Description
org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator	Use AuthorizationManagerWebInvocationPrivilegeEvaluator instead
org.springframework.security.web.access.expression.WebExpressionVoter	Use WebExpressionAuthorizationManager instead
org.springframework.security.web.access.intercept.FilterSecurityInterceptor	Use AuthorizationFilter instead
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver	Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.web.context.HttpRequestResponseHolder	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest)
org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest) instead.
org.springframework.security.web.context.SecurityContextPersistenceFilter	Use SecurityContextHolderFilter
org.springframework.security.web.csrf.LazyCsrfTokenRepository	Use CsrfTokenRepository.loadDeferredToken(HttpServletRequest, HttpServletResponse) which returns a DeferredCsrfToken
org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.HpkpHeaderWriter	see Certificate and Public Key Pinning for more context
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter	use ServerFormLoginAuthenticationConverter instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter	Use ServerHttpBasicAuthenticationConverter instead.

Deprecated Annotation Interfaces

Annotation Interface	Description
org.springframework.security.web.bind.annotation.AuthenticationPrincipal	Use AuthenticationPrincipal instead.

Deprecated Methods

Method	Description
org.springframework.security.web.access.intercept.AuthorizationFilter.setShouldFilterAllDispatcherTypes(boolean)	Permit access to the DispatcherType instead. @Configuration @EnableWebSecurity public class SecurityConfig { @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests((authorize) -> authorize .dispatcherTypeMatchers(DispatcherType.ERROR).permitAll() // ... ); return http.build(); } }
org.springframework.security.web.context.SecurityContextRepository.loadContext(HttpRequestResponseHolder)	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest) instead.
org.springframework.security.web.csrf.CookieCsrfTokenRepository.setCookieDomain(String)	Use CookieCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.csrf.CookieCsrfTokenRepository.setCookieHttpOnly(boolean)	Use CookieCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.csrf.CookieCsrfTokenRepository.setCookieMaxAge(int)	Use CookieCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.csrf.CookieCsrfTokenRepository.setSecure(Boolean)	Use CookieCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.firewall.StrictHttpFirewall.getEncodedUrlBlacklist()	Use StrictHttpFirewall.getEncodedUrlBlocklist() instead
org.springframework.security.web.savedrequest.SavedCookie.getComment()
org.springframework.security.web.savedrequest.SavedCookie.getVersion()
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>)	As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.setCookieDomain(String)	Use CookieServerCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.setCookieHttpOnly(boolean)	Use CookieServerCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.setCookieMaxAge(int)	Use CookieServerCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository.setSecure(boolean)	Use CookieServerCsrfTokenRepository.setCookieCustomizer(Consumer) instead.
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher.extractUriTemplateVariables(HttpServletRequest)
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation)	Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.util.matcher.AntPathRequestMatcher.extractUriTemplateVariables(HttpServletRequest)

Deprecated Constructors

Constructor	Description
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter(AllowFromStrategy)	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.savedrequest.SavedCookie(String, String, String, String, int, String, boolean, int)	use SavedCookie(String, String, String, int, String, boolean) instead
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.

Deprecated Enum Constants

Enum Constant	Description
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.