Deprecated API

Contents

• Interfaces
• Classes
• Annotation Interfaces
• Methods
• Constructors
• Enum Constants

Deprecated Interfaces

Interface	Description
org.springframework.security.web.header.writers.frameoptions.AllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.

Deprecated Classes

Class	Description
org.springframework.security.web.access.RequestMatcherDelegatingWebInvocationPrivilegeEvaluator	please use AuthorizationManagerWebInvocationPrivilegeEvaluator and adapt any delegate WebInvocationPrivilegeEvaluators into AuthorizationManagers
org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor	Please use SubjectX500PrincipalExtractor instead
org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver	Use AuthenticationPrincipalArgumentResolver instead.
org.springframework.security.web.context.HttpRequestResponseHolder	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest)
org.springframework.security.web.context.SaveContextOnUpdateOrErrorResponseWrapper	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest) instead.
org.springframework.security.web.context.SecurityContextPersistenceFilter	Use SecurityContextHolderFilter
org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.header.writers.HpkpHeaderWriter	see Certificate and Public Key Pinning for more context
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter	use ServerFormLoginAuthenticationConverter instead.
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter	Use ServerHttpBasicAuthenticationConverter instead.

Deprecated Annotation Interfaces

Annotation Interface	Description
org.springframework.security.web.bind.annotation.AuthenticationPrincipal	Use AuthenticationPrincipal instead.

Deprecated Methods

Method	Description
org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler.setDefaultRolePrefix(String)	Use AbstractSecurityExpressionHandler.setAuthorizationManagerFactory(AuthorizationManagerFactory) instead
org.springframework.security.web.access.expression.DefaultHttpSecurityExpressionHandler.setTrustResolver(AuthenticationTrustResolver)	Use AbstractSecurityExpressionHandler.setAuthorizationManagerFactory(AuthorizationManagerFactory) instead
org.springframework.security.web.access.expression.WebExpressionAuthorizationManager.setExpressionHandler(SecurityExpressionHandler<RequestAuthorizationContext>)	Please use WebExpressionAuthorizationManager.withDefaults() or WebExpressionAuthorizationManager.withExpressionHandler(org.springframework.security.access.expression.SecurityExpressionHandler<org.springframework.security.web.access.intercept.RequestAuthorizationContext>)
org.springframework.security.web.context.DelegatingSecurityContextRepository.loadContext(HttpRequestResponseHolder)
org.springframework.security.web.context.HttpSessionSecurityContextRepository.loadContext(HttpRequestResponseHolder)	please see SecurityContextRepository.loadContext(org.springframework.security.web.context.HttpRequestResponseHolder)
org.springframework.security.web.context.NullSecurityContextRepository.loadContext(HttpRequestResponseHolder)	please see SecurityContextRepository.loadContext(org.springframework.security.web.context.HttpRequestResponseHolder)
org.springframework.security.web.context.RequestAttributeSecurityContextRepository.loadContext(HttpRequestResponseHolder)	please see SecurityContextRepository.loadContext(org.springframework.security.web.context.HttpRequestResponseHolder)
org.springframework.security.web.context.SecurityContextRepository.loadContext(HttpRequestResponseHolder)	Use SecurityContextRepository.loadDeferredContext(HttpServletRequest) instead.
org.springframework.security.web.firewall.StrictHttpFirewall.getEncodedUrlBlacklist()	Use StrictHttpFirewall.getEncodedUrlBlocklist() instead
org.springframework.security.web.server.authentication.AuthenticationWebFilter.setAuthenticationConverter(Function<ServerWebExchange, Mono<Authentication>>)	As of 5.1 in favor of AuthenticationWebFilter.setServerAuthenticationConverter(ServerAuthenticationConverter)
org.springframework.security.web.server.ServerFormLoginAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter.apply(ServerWebExchange)
org.springframework.security.web.session.ConcurrentSessionFilter.determineExpiredUrl(HttpServletRequest, SessionInformation)	Use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.
org.springframework.security.web.session.ConcurrentSessionFilter.setRedirectStrategy(RedirectStrategy)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) instead.

Deprecated Constructors

Constructor	Description
org.springframework.security.web.access.expression.WebSecurityExpressionRoot(Authentication, FilterInvocation)	Use WebSecurityExpressionRoot(Supplier, RequestAuthorizationContext) instead
org.springframework.security.web.access.expression.WebSecurityExpressionRoot(Supplier<? extends Authentication>, HttpServletRequest)	Use WebSecurityExpressionRoot(Supplier, RequestAuthorizationContext) instead
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter(AllowFromStrategy)	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.
org.springframework.security.web.session.ConcurrentSessionFilter(SessionRegistry, String)	use ConcurrentSessionFilter(SessionRegistry, SessionInformationExpiredStrategy) with SimpleRedirectSessionInformationExpiredStrategy instead.

Deprecated Enum Constants

Enum Constant	Description
org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM	ALLOW-FROM is an obsolete directive that no longer works in modern browsers. Instead use Content-Security-Policy with the frame-ancestors directive.