Deprecated API

Contents

• Interfaces
• Classes
• Annotation Interfaces
• Methods

Deprecated Interfaces

Interface	Description
org.springframework.security.access.AccessDecisionManager	Use AuthorizationManager instead
org.springframework.security.access.AccessDecisionVoter	Use AuthorizationManager instead
org.springframework.security.access.AfterInvocationProvider	Use delegation with AuthorizationManager
org.springframework.security.access.annotation.AnnotationMetadataExtractor	Used only by now-deprecated classes. Consider SecuredAuthorizationManager for `@Secured` methods.
org.springframework.security.access.ConfigAttribute	In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
org.springframework.security.access.intercept.AfterInvocationManager	Use delegation with AuthorizationManager
org.springframework.security.access.intercept.aspectj.AspectJCallback	This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
org.springframework.security.access.intercept.RunAsManager	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.method.MethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.prepost.PostInvocationAttribute	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.prepost.PostInvocationAuthorizationAdvice	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.prepost.PreInvocationAttribute	Use AuthorizationManagerBeforeMethodInterceptor instead
org.springframework.security.access.prepost.PreInvocationAuthorizationAdvice	Use AuthorizationManagerBeforeMethodInterceptor instead
org.springframework.security.access.prepost.PrePostInvocationAttributeFactory	Use delegation with AuthorizationManager
org.springframework.security.access.SecurityMetadataSource	In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
org.springframework.security.messaging.access.intercept.MessageSecurityMetadataSource	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.web.access.channel.ChannelDecisionManager	no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
org.springframework.security.web.access.channel.ChannelEntryPoint	please use HttpsRedirectFilter and its associated PortMapper
org.springframework.security.web.access.channel.ChannelProcessor	no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource	In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.

Deprecated Classes

Class	Description
org.springframework.security.access.annotation.Jsr250MethodSecurityMetadataSource	Use Jsr250AuthorizationManager instead
org.springframework.security.access.annotation.Jsr250SecurityConfig	Use AuthorizationManagerBeforeMethodInterceptor.jsr250() instead
org.springframework.security.access.annotation.Jsr250Voter	Use Jsr250AuthorizationManager instead
org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource	Use AuthorizationManagerBeforeMethodInterceptor.secured()
org.springframework.security.access.event.AbstractAuthorizationEvent	Authorization events have moved. Consider AuthorizationGrantedEvent and AuthorizationDeniedEvent
org.springframework.security.access.event.AuthenticationCredentialsNotFoundEvent	Authentication is now separated from authorization. Consider AbstractAuthenticationFailureEvent instead.
org.springframework.security.access.event.AuthorizationFailureEvent	Use AuthorizationDeniedEvent instead
org.springframework.security.access.event.AuthorizedEvent	Use AuthorizationGrantedEvent instead
org.springframework.security.access.event.LoggerListener	Logging is now embedded in Spring Security components. If you need further logging, please consider using your own ApplicationListener
org.springframework.security.access.event.PublicInvocationEvent	Only used by now-deprecated classes. Consider EventObject.getSource() to deduce public invocations.
org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory	Use AuthorizationManager interceptors instead
org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.intercept.AbstractSecurityInterceptor	Use AuthorizationFilter instead for filter security, AuthorizationChannelInterceptor for messaging security, or AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor for method security.
org.springframework.security.access.intercept.AfterInvocationProviderManager	Use delegation with AuthorizationManager
org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor	Please use AuthorizationManagerBeforeMethodInterceptor and AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor	Use EnableMethodSecurity or publish interceptors directly
org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor	This class will be removed from the public API. Please either use `spring-security-aspects`, Spring Security's method security support or create your own class that uses Spring AOP annotations.
org.springframework.security.access.intercept.aspectj.MethodInvocationAdapter	This class will be removed from the public API. See `JoinPointMethodInvocation` in `spring-security-aspects` for its replacement
org.springframework.security.access.intercept.InterceptorStatusToken	Use delegation with AuthorizationManager
org.springframework.security.access.intercept.MethodInvocationPrivilegeEvaluator	Use AuthorizationManager instead
org.springframework.security.access.intercept.RunAsImplAuthenticationProvider	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.intercept.RunAsManagerImpl	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.intercept.RunAsUserToken	Authentication is now separated from authorization in Spring Security. This class is only used by now-deprecated components. There is not yet an equivalent replacement in Spring Security.
org.springframework.security.access.method.AbstractFallbackMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.method.AbstractMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.method.MapBasedMethodSecurityMetadataSource	Use the use-authorization-manager attribute for <method-security> and <intercept-methods> instead or use annotation-based or AuthorizationManager-based authorization
org.springframework.security.access.prepost.PostInvocationAdviceProvider	Use AuthorizationManagerAfterMethodInterceptor instead
org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter	Use AuthorizationManagerBeforeMethodInterceptor instead
org.springframework.security.access.prepost.PrePostAdviceReactiveMethodInterceptor	Use AuthorizationManagerBeforeReactiveMethodInterceptor or AuthorizationManagerAfterReactiveMethodInterceptor
org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource	Use PreAuthorizeAuthorizationManager and PostAuthorizeAuthorizationManager instead
org.springframework.security.access.SecurityConfig	In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
org.springframework.security.access.vote.AbstractAccessDecisionManager	Use AuthorizationManager instead
org.springframework.security.access.vote.AbstractAclVoter	Now used by only-deprecated classes. Generally speaking, in-memory ACL is no longer advised, so no replacement is planned at this point.
org.springframework.security.access.vote.AffirmativeBased	Use AuthorizationManager instead
org.springframework.security.access.vote.AuthenticatedVoter	Use AuthorityAuthorizationManager instead
org.springframework.security.access.vote.ConsensusBased	Use AuthorizationManager instead
org.springframework.security.access.vote.RoleHierarchyVoter	Use AuthorityAuthorizationManager.setRoleHierarchy(org.springframework.security.access.hierarchicalroles.RoleHierarchy) instead
org.springframework.security.access.vote.RoleVoter	Use AuthorityAuthorizationManager instead
org.springframework.security.access.vote.UnanimousBased	Use AuthorizationManager instead
org.springframework.security.acls.AclEntryVoter	please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PreAuthorize("hasPermission(#id, ObjectsReturnType.class, read)")
org.springframework.security.acls.afterinvocation.AbstractAclProvider	please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PostAuthorize("hasPermission(filterObject, read)")
org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider	please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PostFilter("hasPermission(filterObject, read)")
org.springframework.security.acls.afterinvocation.AclEntryAfterInvocationProvider	please use AclPermissionEvaluator instead. Spring Method Security annotations may also prove useful, for example @PostAuthorize("hasPermission(filterObject, read)")
org.springframework.security.messaging.access.expression.ExpressionBasedMessageSecurityMetadataSourceFactory	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.messaging.access.expression.MessageExpressionVoter	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.messaging.access.intercept.ChannelSecurityInterceptor	Use AuthorizationChannelInterceptor instead
org.springframework.security.messaging.access.intercept.DefaultMessageSecurityMetadataSource	Use MessageMatcherDelegatingAuthorizationManager instead
org.springframework.security.web.access.channel.AbstractRetryEntryPoint	please use HttpsRedirectFilter and its associated PortMapper
org.springframework.security.web.access.channel.ChannelDecisionManagerImpl	no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
org.springframework.security.web.access.channel.ChannelProcessingFilter	see HttpsRedirectFilter
org.springframework.security.web.access.channel.InsecureChannelProcessor	no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
org.springframework.security.web.access.channel.RetryWithHttpEntryPoint	please use HttpsRedirectFilter and its associated PortMapper
org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint	please use HttpsRedirectFilter and its associated PortMapper
org.springframework.security.web.access.channel.SecureChannelProcessor	no replacement is planned, though consider using a custom RequestMatcher for any sophisticated decision-making
org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator	Use AuthorizationManagerWebInvocationPrivilegeEvaluator instead
org.springframework.security.web.access.expression.ExpressionBasedFilterInvocationSecurityMetadataSource	In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
org.springframework.security.web.access.expression.WebExpressionVoter	Use WebExpressionAuthorizationManager instead
org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource	In modern Spring Security APIs, each API manages its own configuration context. As such there is no direct replacement for this interface. In the case of method security, please see SecurityAnnotationScanner and AuthorizationManager. In the case of channel security, please see HttpsRedirectFilter. In the case of web security, please see AuthorizationManager.
org.springframework.security.web.access.intercept.FilterSecurityInterceptor	Use AuthorizationFilter instead

Deprecated Annotation Interfaces

Annotation Interface	Description
org.springframework.security.access.method.P	use @{code org.springframework.security.core.parameters.P}

Deprecated Methods

Method	Description
org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler.setDefaultRolePrefix(String)	Use AbstractSecurityExpressionHandler.setAuthorizationManagerFactory(AuthorizationManagerFactory) instead
org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler.setTrustResolver(AuthenticationTrustResolver)	Use AbstractSecurityExpressionHandler.setAuthorizationManagerFactory(AuthorizationManagerFactory) instead