Deprecate .and() and non lambda DSL methods

Closes gh-12629

config/src/main/java/org/springframework/security/config/annotation/SecurityConfigurerAdapter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,7 +53,9 @@ public abstract class SecurityConfigurerAdapter<O, B extends SecurityBuilder<O>>
 	 * Return the {@link SecurityBuilder} when done using the {@link SecurityConfigurer}.
 	 * This is useful for method chaining.
 	 * @return the {@link SecurityBuilder} for further customizations
+	 * @deprecated For removal in 7.0. Use the lambda based configuration instead.
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public B and() {
 		return getBuilder();
 	}

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -285,8 +285,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link HeadersConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #headers(Customizer)} instead
 	 * @see HeadersConfigurer
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public HeadersConfigurer<HttpSecurity> headers() throws Exception {
 		return getOrApply(new HeadersConfigurer<>());
 	}
@@ -399,7 +401,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * on the classpath a {@link HandlerMappingIntrospector} is used.
 	 * @return the {@link CorsConfigurer} for customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #cors(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public CorsConfigurer<HttpSecurity> cors() throws Exception {
 		return getOrApply(new CorsConfigurer<>());
 	}
@@ -486,7 +490,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * could return true.
 	 * @return the {@link SessionManagementConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #sessionManagement(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public SessionManagementConfigurer<HttpSecurity> sessionManagement() throws Exception {
 		return getOrApply(new SessionManagementConfigurer<>());
 	}
@@ -608,8 +614,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link PortMapperConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #portMapper(Customizer)} instead
 	 * @see #requiresChannel()
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public PortMapperConfigurer<HttpSecurity> portMapper() throws Exception {
 		return getOrApply(new PortMapperConfigurer<>());
 	}
@@ -739,7 +747,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * Servlet Container's documentation.
 	 * @return the {@link JeeConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #jee(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public JeeConfigurer<HttpSecurity> jee() throws Exception {
 		return getOrApply(new JeeConfigurer<>());
 	}
@@ -850,7 +860,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link X509Configurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #x509(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public X509Configurer<HttpSecurity> x509() throws Exception {
 		return getOrApply(new X509Configurer<>());
 	}
@@ -928,7 +940,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link RememberMeConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #rememberMe(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public RememberMeConfigurer<HttpSecurity> rememberMe() throws Exception {
 		return getOrApply(new RememberMeConfigurer<>());
 	}
@@ -1072,7 +1086,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link ExpressionUrlAuthorizationConfigurer} for further customizations
 	 * @throws Exception
-	 * @deprecated Use {@link #authorizeHttpRequests()} instead
+	 * @deprecated For removal in 7.0. Use {@link #authorizeHttpRequests()} instead
 	 */
 	@Deprecated
 	public ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry authorizeRequests()
@@ -1187,7 +1201,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * for the {@link ExpressionUrlAuthorizationConfigurer.ExpressionInterceptUrlRegistry}
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
-	 * @deprecated Use {@link #authorizeHttpRequests} instead
+	 * @deprecated For removal in 7.0. Use {@link #authorizeHttpRequests} instead
 	 */
 	@Deprecated
 	public HttpSecurity authorizeRequests(
@@ -1302,7 +1316,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
 	 * @since 5.6
+	 * @deprecated For removal in 7.0. Use {@link #authorizeHttpRequests(Customizer)}
+	 * instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public AuthorizeHttpRequestsConfigurer<HttpSecurity>.AuthorizationManagerRequestMatcherRegistry authorizeHttpRequests()
 			throws Exception {
 		ApplicationContext context = getContext();
@@ -1434,7 +1451,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * when using {@link EnableWebSecurity}.
 	 * @return the {@link RequestCacheConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #requestCache(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public RequestCacheConfigurer<HttpSecurity> requestCache() throws Exception {
 		return getOrApply(new RequestCacheConfigurer<>());
 	}
@@ -1485,7 +1504,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * {@link EnableWebSecurity}.
 	 * @return the {@link ExceptionHandlingConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #exceptionHandling(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling() throws Exception {
 		return getOrApply(new ExceptionHandlingConfigurer<>());
 	}
@@ -1537,7 +1558,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * automatically applied when using {@link EnableWebSecurity}.
 	 * @return the {@link SecurityContextConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #securityContext(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public SecurityContextConfigurer<HttpSecurity> securityContext() throws Exception {
 		return getOrApply(new SecurityContextConfigurer<>());
 	}
@@ -1582,7 +1605,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * {@link EnableWebSecurity}.
 	 * @return the {@link ServletApiConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #servletApi(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public ServletApiConfigurer<HttpSecurity> servletApi() throws Exception {
 		return getOrApply(new ServletApiConfigurer<>());
 	}
@@ -1638,7 +1663,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link CsrfConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #csrf(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public CsrfConfigurer<HttpSecurity> csrf() throws Exception {
 		ApplicationContext context = getContext();
 		return getOrApply(new CsrfConfigurer<>(context));
@@ -1713,7 +1740,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link LogoutConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #logout(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public LogoutConfigurer<HttpSecurity> logout() throws Exception {
 		return getOrApply(new LogoutConfigurer<>());
 	}
@@ -1852,7 +1881,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link AnonymousConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #anonymous(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public AnonymousConfigurer<HttpSecurity> anonymous() throws Exception {
 		return getOrApply(new AnonymousConfigurer<>());
 	}
@@ -2015,8 +2046,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link FormLoginConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #formLogin(Customizer)} instead
 	 * @see FormLoginConfigurer#loginPage(String)
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public FormLoginConfigurer<HttpSecurity> formLogin() throws Exception {
 		return getOrApply(new FormLoginConfigurer<>());
 	}
@@ -2191,7 +2224,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link Saml2LoginConfigurer} for further customizations
 	 * @throws Exception
 	 * @since 5.2
+	 * @deprecated For removal in 7.0. Use {@link #saml2Login(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public Saml2LoginConfigurer<HttpSecurity> saml2Login() throws Exception {
 		return getOrApply(new Saml2LoginConfigurer<>());
 	}
@@ -2421,7 +2456,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link Saml2LoginConfigurer} for further customizations
 	 * @throws Exception
 	 * @since 5.6
+	 * @deprecated For removal in 7.0. Use {@link #saml2Logout(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public Saml2LogoutConfigurer<HttpSecurity> saml2Logout() throws Exception {
 		return getOrApply(new Saml2LogoutConfigurer<>(getContext()));
 	}
@@ -2517,7 +2554,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link Saml2MetadataConfigurer} for further customizations
 	 * @throws Exception
 	 * @since 6.1
+	 * @deprecated For removal in 7.0. Use {@link #saml2Metadata(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public Saml2MetadataConfigurer<HttpSecurity> saml2Metadata() throws Exception {
 		return getOrApply(new Saml2MetadataConfigurer<>(getContext()));
 	}
@@ -2608,6 +2647,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link OAuth2LoginConfigurer} for further customizations
 	 * @throws Exception
 	 * @since 5.0
+	 * @deprecated For removal in 7.0. Use {@link #oauth2Login(Customizer)} instead
 	 * @see <a target="_blank" href=
 	 * "https://tools.ietf.org/html/rfc6749#section-4.1">Section 4.1 Authorization Code
 	 * Grant</a>
@@ -2617,6 +2657,7 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @see org.springframework.security.oauth2.client.registration.ClientRegistration
 	 * @see org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public OAuth2LoginConfigurer<HttpSecurity> oauth2Login() throws Exception {
 		return getOrApply(new OAuth2LoginConfigurer<>());
 	}
@@ -2729,10 +2770,12 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link OAuth2ClientConfigurer} for further customizations
 	 * @throws Exception
 	 * @since 5.1
+	 * @deprecated For removal in 7.0. Use {@link #oauth2Client(Customizer)} instead
 	 * @see <a target="_blank" href=
 	 * "https://tools.ietf.org/html/rfc6749#section-1.1">OAuth 2.0 Authorization
 	 * Framework</a>
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public OAuth2ClientConfigurer<HttpSecurity> oauth2Client() throws Exception {
 		OAuth2ClientConfigurer<HttpSecurity> configurer = getOrApply(new OAuth2ClientConfigurer<>());
 		this.postProcess(configurer);
@@ -2783,10 +2826,13 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * @return the {@link OAuth2ResourceServerConfigurer} for further customizations
 	 * @throws Exception
 	 * @since 5.1
+	 * @deprecated For removal in 7.0. Use {@link #oauth2ResourceServer(Customizer)}
+	 * instead
 	 * @see <a target="_blank" href=
 	 * "https://tools.ietf.org/html/rfc6749#section-1.1">OAuth 2.0 Authorization
 	 * Framework</a>
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public OAuth2ResourceServerConfigurer<HttpSecurity> oauth2ResourceServer() throws Exception {
 		OAuth2ResourceServerConfigurer<HttpSecurity> configurer = getOrApply(
 				new OAuth2ResourceServerConfigurer<>(getContext()));
@@ -2884,7 +2930,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link ChannelSecurityConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #requiresChannel(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public ChannelSecurityConfigurer<HttpSecurity>.ChannelRequestMatcherRegistry requiresChannel() throws Exception {
 		ApplicationContext context = getContext();
 		return getOrApply(new ChannelSecurityConfigurer<>(context)).getRegistry();
@@ -2979,7 +3027,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * </pre>
 	 * @return the {@link HttpBasicConfigurer} for further customizations
 	 * @throws Exception
+	 * @deprecated For removal in 7.0. Use {@link #httpBasic(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public HttpBasicConfigurer<HttpSecurity> httpBasic() throws Exception {
 		return getOrApply(new HttpBasicConfigurer<>());
 	}
@@ -3308,7 +3358,9 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 	 * }
 	 * </pre>
 	 * @return the {@link RequestMatcherConfigurer} for further customizations
+	 * @deprecated For removal in 7.0. Use {@link #securityMatchers(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public RequestMatcherConfigurer securityMatchers() {
 		return this.requestMatcherConfigurer;
 	}
@@ -3566,7 +3618,28 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
 		/**
 		 * Return the {@link HttpSecurity} for further customizations
 		 * @return the {@link HttpSecurity} for further customizations
+		 * @deprecated Use the lambda based configuration instead. For example: <pre>
+		 * &#064;Configuration
+		 * &#064;EnableWebSecurity
+		 * public class SecurityConfig {
+		 *
+		 *     &#064;Bean
+		 *     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		 *         http
+		 *             .securityMatchers((matchers) -&gt; matchers
+		 *                 .requestMatchers(&quot;/api/**&quot;)
+		 *             )
+		 *             .authorizeHttpRequests((authorize) -&gt; authorize
+		 *                 .anyRequest().hasRole(&quot;USER&quot;)
+		 *             )
+		 *             .httpBasic(Customizer.withDefaults());
+		 *         return http.build();
+		 *     }
+		 *
+		 * }
+		 * </pre>
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HttpSecurity and() {
 			return HttpSecurity.this;
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/AuthorizeHttpRequestsConfigurer.java

@@ -222,7 +222,9 @@ public final class AuthorizeHttpRequestsConfigurer<H extends HttpSecurityBuilder
 		 * Return the {@link HttpSecurityBuilder} when done using the
 		 * {@link AuthorizeHttpRequestsConfigurer}. This is useful for method chaining.
 		 * @return the {@link HttpSecurityBuilder} for further customizations
+		 * @deprecated For removal in 7.0. Use the lambda based configuration instead.
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public H and() {
 			return AuthorizeHttpRequestsConfigurer.this.and();
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/ChannelSecurityConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@ import java.util.List;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityBuilder;
 import org.springframework.security.config.annotation.SecurityConfigurer;
@@ -194,7 +195,10 @@ public final class ChannelSecurityConfigurer<H extends HttpSecurityBuilder<H>>
 		 * Return the {@link SecurityBuilder} when done using the
 		 * {@link SecurityConfigurer}. This is useful for method chaining.
 		 * @return the type of {@link HttpSecurityBuilder} that is being configured
+		 * @deprecated For removal in 7.0. Use
+		 * {@link HttpSecurity#requiresChannel(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public H and() {
 			return ChannelSecurityConfigurer.this.and();
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -135,7 +135,9 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * X-Content-Type-Options: nosniff
 	 * </pre>
 	 * @return the {@link ContentTypeOptionsConfig} for additional customizations
+	 * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public ContentTypeOptionsConfig contentTypeOptions() {
 		return this.contentTypeOptions.enable();
 	}
@@ -166,7 +168,9 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * >X-XSS-Protection header</a>
 	 * </p>
 	 * @return the {@link XXssConfig} for additional customizations
+	 * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public XXssConfig xssProtection() {
 		return this.xssProtection.enable();
 	}
@@ -197,7 +201,9 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * <li>Expires: 0</li>
 	 * </ul>
 	 * @return the {@link CacheControlConfig} for additional customizations
+	 * @deprecated For removal in 7.0. Use {@link #cacheControl(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public CacheControlConfig cacheControl() {
 		return this.cacheControl.enable();
 	}
@@ -224,7 +230,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * <a href="https://tools.ietf.org/html/rfc6797">HTTP Strict Transport Security
 	 * (HSTS)</a>.
 	 * @return the {@link HstsConfig} for additional customizations
+	 * @deprecated For removal in 7.0. Use
+	 * {@link #httpStrictTransportSecurity(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public HstsConfig httpStrictTransportSecurity() {
 		return this.hsts.enable();
 	}
@@ -245,7 +254,9 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	/**
 	 * Allows customizing the {@link XFrameOptionsHeaderWriter}.
 	 * @return the {@link FrameOptionsConfig} for additional customizations
+	 * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public FrameOptionsConfig frameOptions() {
 		return this.frameOptions.enable();
 	}
@@ -315,8 +326,11 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @return the {@link ContentSecurityPolicyConfig} for additional configuration
 	 * @throws IllegalArgumentException if policyDirectives is null or empty
 	 * @since 4.1
+	 * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)}
+	 * instead
 	 * @see ContentSecurityPolicyHeaderWriter
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives) {
 		this.contentSecurityPolicy.writer = new ContentSecurityPolicyHeaderWriter(policyDirectives);
 		return this.contentSecurityPolicy;
@@ -446,8 +460,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * </pre>
 	 * @return the {@link ReferrerPolicyConfig} for additional configuration
 	 * @since 4.2
+	 * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} instead
 	 * @see ReferrerPolicyHeaderWriter
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public ReferrerPolicyConfig referrerPolicy() {
 		this.referrerPolicy.writer = new ReferrerPolicyHeaderWriter();
 		return this.referrerPolicy;
@@ -469,8 +485,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @return the {@link ReferrerPolicyConfig} for additional configuration
 	 * @throws IllegalArgumentException if policy is null or empty
 	 * @since 4.2
+	 * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} instead
 	 * @see ReferrerPolicyHeaderWriter
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public ReferrerPolicyConfig referrerPolicy(ReferrerPolicy policy) {
 		this.referrerPolicy.writer = new ReferrerPolicyHeaderWriter(policy);
 		return this.referrerPolicy;
@@ -512,7 +530,7 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * @return the {@link FeaturePolicyConfig} for additional configuration
 	 * @throws IllegalArgumentException if policyDirectives is {@code null} or empty
 	 * @since 5.1
-	 * @deprecated Use {@link #permissionsPolicy(Customizer)} instead.
+	 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)} instead.
 	 * @seeObjectPostProcessorConfiguration FeaturePolicyHeaderWriter
 	 */
 	@Deprecated
@@ -537,8 +555,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * </ul>
 	 * @return the {@link PermissionsPolicyConfig} for additional configuration
 	 * @since 5.5
+	 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)} instead
 	 * @see PermissionsPolicyHeaderWriter
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public PermissionsPolicyConfig permissionsPolicy() {
 		this.permissionsPolicy.writer = new PermissionsPolicyHeaderWriter();
 		return this.permissionsPolicy;
@@ -575,8 +595,11 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * </p>
 	 * @return the {@link CrossOriginOpenerPolicyConfig} for additional confniguration
 	 * @since 5.7
+	 * @deprecated For removal in 7.0. Use {@link #crossOriginOpenerPolicy(Customizer)}
+	 * instead
 	 * @see CrossOriginOpenerPolicyHeaderWriter
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy() {
 		this.crossOriginOpenerPolicy.writer = new CrossOriginOpenerPolicyHeaderWriter();
 		return this.crossOriginOpenerPolicy;
@@ -616,8 +639,11 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * </p>
 	 * @return the {@link CrossOriginEmbedderPolicyConfig} for additional customizations
 	 * @since 5.7
+	 * @deprecated For removal in 7.0. Use {@link #crossOriginEmbedderPolicy(Customizer)}
+	 * instead
 	 * @see CrossOriginEmbedderPolicyHeaderWriter
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy() {
 		this.crossOriginEmbedderPolicy.writer = new CrossOriginEmbedderPolicyHeaderWriter();
 		return this.crossOriginEmbedderPolicy;
@@ -657,8 +683,11 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 	 * </p>
 	 * @return the {@link HeadersConfigurer} for additional customizations
 	 * @since 5.7
+	 * @deprecated For removal in 7.0. Use {@link #crossOriginResourcePolicy(Customizer)}
+	 * instead
 	 * @see CrossOriginResourcePolicyHeaderWriter
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public CrossOriginResourcePolicyConfig crossOriginResourcePolicy() {
 		this.crossOriginResourcePolicy.writer = new CrossOriginResourcePolicyHeaderWriter();
 		return this.crossOriginResourcePolicy;
@@ -708,7 +737,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		/**
 		 * Allows customizing the {@link HeadersConfigurer}
 		 * @return the {@link HeadersConfigurer} for additional customization
+		 * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -781,7 +813,9 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * Allows completing configuration of X-XSS-Protection and continuing
 		 * configuration of headers.
 		 * @return the {@link HeadersConfigurer} for additional configuration
+		 * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -820,7 +854,9 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * Allows completing configuration of Cache Control and continuing configuration
 		 * of headers.
 		 * @return the {@link HeadersConfigurer} for additional configuration
+		 * @deprecated For removal in 7.0. Use {@link #cacheControl(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -926,7 +962,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * Allows completing configuration of Strict Transport Security and continuing
 		 * configuration of headers.
 		 * @return the {@link HeadersConfigurer} for additional configuration
+		 * @deprecated For removal in 7.0. Use
+		 * {@link #httpStrictTransportSecurity(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -987,7 +1026,9 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		/**
 		 * Allows continuing customizing the headers configuration.
 		 * @return the {@link HeadersConfigurer} for additional configuration
+		 * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -1210,7 +1251,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * Allows completing configuration of Content Security Policy and continuing
 		 * configuration of headers.
 		 * @return the {@link HeadersConfigurer} for additional configuration
+		 * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -1235,6 +1279,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
+		/**
+		 * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)} instead
+		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -1281,7 +1329,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * Allows completing configuration of Permissions Policy and continuing
 		 * configuration of headers.
 		 * @return the {@link HeadersConfigurer} for additional configuration
+		 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -1311,7 +1362,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * Allows completing configuration of Cross Origin Opener Policy and continuing
 		 * configuration of headers.
 		 * @return the {@link HeadersConfigurer} for additional configuration
+		 * @deprecated For removal in 7.0. Use
+		 * {@link #crossOriginOpenerPolicy(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -1342,7 +1396,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * Allows completing configuration of Cross-Origin-Embedder-Policy and continuing
 		 * configuration of headers.
 		 * @return the {@link HeadersConfigurer} for additional configuration
+		 * @deprecated For removal in 7.0. Use
+		 * {@link #crossOriginEmbedderPolicy(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}
@@ -1373,7 +1430,10 @@ public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
 		 * Allows completing configuration of Cross-Origin-Resource-Policy and continuing
 		 * configuration of headers.
 		 * @return the {@link HeadersConfigurer} for additional configuration
+		 * @deprecated For removal in 7.0. Use
+		 * {@link #crossOriginResourcePolicy(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HeadersConfigurer<H> and() {
 			return HeadersConfigurer.this;
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -769,7 +769,10 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 		/**
 		 * Used to chain back to the {@link SessionManagementConfigurer}
 		 * @return the {@link SessionManagementConfigurer} for further customizations
+		 * @deprecated For removal in 7.0. Use {@link #sessionConcurrency(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public SessionManagementConfigurer<H> and() {
 			return SessionManagementConfigurer.this;
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -136,7 +136,10 @@ public final class OAuth2ClientConfigurer<B extends HttpSecurityBuilder<B>>
 	 * Returns the {@link AuthorizationCodeGrantConfigurer} for configuring the OAuth 2.0
 	 * Authorization Code Grant.
 	 * @return the {@link AuthorizationCodeGrantConfigurer}
+	 * @deprecated For removal in 7.0. Use {@link #authorizationCodeGrant(Customizer)}
+	 * instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public AuthorizationCodeGrantConfigurer authorizationCodeGrant() {
 		return this.authorizationCodeGrantConfigurer;
 	}
@@ -233,7 +236,10 @@ public final class OAuth2ClientConfigurer<B extends HttpSecurityBuilder<B>>
 		/**
 		 * Returns the {@link OAuth2ClientConfigurer} for further configuration.
 		 * @return the {@link OAuth2ClientConfigurer}
+		 * @deprecated For removal in 7.0. Use {@link #authorizationCodeGrant(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public OAuth2ClientConfigurer<B> and() {
 			return OAuth2ClientConfigurer.this;
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -206,7 +206,10 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	 * Returns the {@link AuthorizationEndpointConfig} for configuring the Authorization
 	 * Server's Authorization Endpoint.
 	 * @return the {@link AuthorizationEndpointConfig}
+	 * @deprecated For removal in 7.0. Use {@link #authorizationEndpoint(Customizer)}
+	 * instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public AuthorizationEndpointConfig authorizationEndpoint() {
 		return this.authorizationEndpointConfig;
 	}
@@ -227,7 +230,9 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	 * Returns the {@link TokenEndpointConfig} for configuring the Authorization Server's
 	 * Token Endpoint.
 	 * @return the {@link TokenEndpointConfig}
+	 * @deprecated For removal in 7.0. Use {@link #tokenEndpoint(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public TokenEndpointConfig tokenEndpoint() {
 		return this.tokenEndpointConfig;
 	}
@@ -248,7 +253,10 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	 * Returns the {@link RedirectionEndpointConfig} for configuring the Client's
 	 * Redirection Endpoint.
 	 * @return the {@link RedirectionEndpointConfig}
+	 * @deprecated For removal in 7.0. Use {@link #redirectionEndpoint(Customizer)}
+	 * instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public RedirectionEndpointConfig redirectionEndpoint() {
 		return this.redirectionEndpointConfig;
 	}
@@ -269,7 +277,9 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 	 * Returns the {@link UserInfoEndpointConfig} for configuring the Authorization
 	 * Server's UserInfo Endpoint.
 	 * @return the {@link UserInfoEndpointConfig}
+	 * @deprecated For removal in 7.0. Use {@link #userInfoEndpoint(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public UserInfoEndpointConfig userInfoEndpoint() {
 		return this.userInfoEndpointConfig;
 	}
@@ -590,7 +600,10 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		/**
 		 * Returns the {@link OAuth2LoginConfigurer} for further configuration.
 		 * @return the {@link OAuth2LoginConfigurer}
+		 * @deprecated For removal in 7.0. Use {@link #authorizationEndpoint(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public OAuth2LoginConfigurer<B> and() {
 			return OAuth2LoginConfigurer.this;
 		}
@@ -624,7 +637,9 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		/**
 		 * Returns the {@link OAuth2LoginConfigurer} for further configuration.
 		 * @return the {@link OAuth2LoginConfigurer}
+		 * @deprecated For removal in 7.0. Use {@link #tokenEndpoint(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public OAuth2LoginConfigurer<B> and() {
 			return OAuth2LoginConfigurer.this;
 		}
@@ -656,7 +671,10 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		/**
 		 * Returns the {@link OAuth2LoginConfigurer} for further configuration.
 		 * @return the {@link OAuth2LoginConfigurer}
+		 * @deprecated For removal in 7.0. Use {@link #redirectionEndpoint(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public OAuth2LoginConfigurer<B> and() {
 			return OAuth2LoginConfigurer.this;
 		}
@@ -718,7 +736,10 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
 		/**
 		 * Returns the {@link OAuth2LoginConfigurer} for further configuration.
 		 * @return the {@link OAuth2LoginConfigurer}
+		 * @deprecated For removal in 7.0. Use {@link #userInfoEndpoint(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public OAuth2LoginConfigurer<B> and() {
 			return OAuth2LoginConfigurer.this;
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -198,6 +198,10 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		return this;
 	}
 
+	/**
+	 * @deprecated For removal in 7.0. Use {@link #jwt(Customizer)} instead
+	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public JwtConfigurer jwt() {
 		if (this.jwtConfigurer == null) {
 			this.jwtConfigurer = new JwtConfigurer(this.context);
@@ -219,6 +223,10 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		return this;
 	}
 
+	/**
+	 * @deprecated For removal in 7.0. Use {@link #opaqueToken(Customizer)} instead
+	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public OpaqueTokenConfigurer opaqueToken() {
 		if (this.opaqueTokenConfigurer == null) {
 			this.opaqueTokenConfigurer = new OpaqueTokenConfigurer(this.context);
@@ -394,6 +402,10 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 			return this;
 		}
 
+		/**
+		 * @deprecated For removal in 7.0. Use {@link #jwt(Customizer)} instead
+		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public OAuth2ResourceServerConfigurer<H> and() {
 			return OAuth2ResourceServerConfigurer.this;
 		}

config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LogoutConfigurer.java

@@ -168,7 +168,9 @@ public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 	/**
 	 * Get configurer for SAML 2.0 Logout Request components
 	 * @return the {@link LogoutRequestConfigurer} for further customizations
+	 * @deprecated For removal in 7.0. Use {@link #logoutRequest(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public LogoutRequestConfigurer logoutRequest() {
 		return this.logoutRequestConfigurer;
 	}
@@ -188,13 +190,15 @@ public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 	/**
 	 * Get configurer for SAML 2.0 Logout Response components
 	 * @return the {@link LogoutResponseConfigurer} for further customizations
+	 * @deprecated For removal in 7.0. Use {@link #logoutResponse(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public LogoutResponseConfigurer logoutResponse() {
 		return this.logoutResponseConfigurer;
 	}
 
 	/**
-	 * Configures SAML 2.0 Logout Request components
+	 * Configures SAML 2.0 Logout Response components
 	 * @param logoutResponseConfigurerCustomizer the {@link Customizer} to provide more
 	 * options for the {@link LogoutResponseConfigurer}
 	 * @return the {@link Saml2LogoutConfigurer} for further customizations
@@ -371,6 +375,10 @@ public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
+		/**
+		 * @deprecated For removal in 7.0. Use {@link #logoutRequest(Customizer)} instead
+		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public Saml2LogoutConfigurer<H> and() {
 			return Saml2LogoutConfigurer.this;
 		}
@@ -439,6 +447,10 @@ public final class Saml2LogoutConfigurer<H extends HttpSecurityBuilder<H>>
 			return this;
 		}
 
+		/**
+		 * @deprecated For removal in 7.0. Use {@link #logoutResponse(Customizer)} instead
+		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public Saml2LogoutConfigurer<H> and() {
 			return Saml2LogoutConfigurer.this;
 		}

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -421,7 +421,9 @@ public class ServerHttpSecurity {
 	 * 	}
 	 * </pre>
 	 * @return the {@link HttpsRedirectSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #redirectToHttps(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public HttpsRedirectSpec redirectToHttps() {
 		this.httpsRedirectSpec = new HttpsRedirectSpec();
 		return this.httpsRedirectSpec;
@@ -502,7 +504,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link CsrfSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #csrf(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public CsrfSpec csrf() {
 		if (this.csrf == null) {
 			this.csrf = new CsrfSpec();
@@ -566,7 +570,9 @@ public class ServerHttpSecurity {
 	 * used instead. If neither has been configured, the Cors configuration will do
 	 * nothing.
 	 * @return the {@link CorsSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #cors(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public CorsSpec cors() {
 		if (this.cors == null) {
 			this.cors = new CorsSpec();
@@ -608,7 +614,9 @@ public class ServerHttpSecurity {
 	 * </pre>
 	 * @return the {@link AnonymousSpec} to customize
 	 * @since 5.2.0
+	 * @deprecated For removal in 7.0. Use {@link #anonymous(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public AnonymousSpec anonymous() {
 		if (this.anonymous == null) {
 			this.anonymous = new AnonymousSpec();
@@ -662,7 +670,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link HttpBasicSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #httpBasic(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public HttpBasicSpec httpBasic() {
 		if (this.httpBasic == null) {
 			this.httpBasic = new HttpBasicSpec();
@@ -714,7 +724,9 @@ public class ServerHttpSecurity {
 	 * </pre>
 	 * @return the {@link PasswordManagementSpec} to customize
 	 * @since 5.6
+	 * @deprecated For removal in 7.0. Use {@link #passwordManagement(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public PasswordManagementSpec passwordManagement() {
 		if (this.passwordManagement == null) {
 			this.passwordManagement = new PasswordManagementSpec();
@@ -771,7 +783,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link FormLoginSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #formLogin(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public FormLoginSpec formLogin() {
 		if (this.formLogin == null) {
 			this.formLogin = new FormLoginSpec();
@@ -832,7 +846,9 @@ public class ServerHttpSecurity {
 	 * {@link ReactivePreAuthenticatedAuthenticationManager} will be used.
 	 * @return the {@link X509Spec} to customize
 	 * @since 5.2
+	 * @deprecated For removal in 7.0. Use {@link #x509(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public X509Spec x509() {
 		if (this.x509 == null) {
 			this.x509 = new X509Spec();
@@ -889,7 +905,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link OAuth2LoginSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #oauth2Login(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public OAuth2LoginSpec oauth2Login() {
 		if (this.oauth2Login == null) {
 			this.oauth2Login = new OAuth2LoginSpec();
@@ -941,7 +959,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link OAuth2ClientSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #oauth2Client(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public OAuth2ClientSpec oauth2Client() {
 		if (this.client == null) {
 			this.client = new OAuth2ClientSpec();
@@ -992,7 +1012,10 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link OAuth2ResourceServerSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #oauth2ResourceServer(Customizer)}
+	 * instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public OAuth2ResourceServerSpec oauth2ResourceServer() {
 		if (this.resourceServer == null) {
 			this.resourceServer = new OAuth2ResourceServerSpec();
@@ -1064,7 +1087,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link HeaderSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #headers(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public HeaderSpec headers() {
 		if (this.headers == null) {
 			this.headers = new HeaderSpec();
@@ -1138,7 +1163,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link ExceptionHandlingSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #exceptionHandling(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public ExceptionHandlingSpec exceptionHandling() {
 		if (this.exceptionHandling == null) {
 			this.exceptionHandling = new ExceptionHandlingSpec();
@@ -1204,7 +1231,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link AuthorizeExchangeSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #authorizeExchange(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public AuthorizeExchangeSpec authorizeExchange() {
 		if (this.authorizeExchange == null) {
 			this.authorizeExchange = new AuthorizeExchangeSpec();
@@ -1273,7 +1302,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link LogoutSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #logout(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public LogoutSpec logout() {
 		if (this.logout == null) {
 			this.logout = new LogoutSpec();
@@ -1330,7 +1361,9 @@ public class ServerHttpSecurity {
 	 *  }
 	 * </pre>
 	 * @return the {@link RequestCacheSpec} to customize
+	 * @deprecated For removal in 7.0. Use {@link #requestCache(Customizer)} instead
 	 */
+	@Deprecated(since = "6.1", forRemoval = true)
 	public RequestCacheSpec requestCache() {
 		return this.requestCache;
 	}
@@ -1603,7 +1636,10 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #authorizeExchange(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -1801,7 +1837,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated use {@link #redirectToHttps(Customizer)}
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -1879,7 +1917,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #csrf(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -1945,7 +1985,10 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #exceptionHandling(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -1987,7 +2030,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #requestCache(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -2083,7 +2128,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #httpBasic(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -2156,7 +2203,10 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}.
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #passwordManagement(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -2314,7 +2364,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #formLogin(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -2438,7 +2490,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #headers(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -2455,7 +2509,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures cache control headers
 		 * @return the {@link CacheSpec} to configure
+		 * @deprecated For removal in 7.0. Use {@link #cache(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public CacheSpec cache() {
 			return new CacheSpec();
 		}
@@ -2474,7 +2530,10 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures content type response headers
 		 * @return the {@link ContentTypeOptionsSpec} to configure
+		 * @deprecated For removal in 7.0. Use {@link #contentTypeOptions(Customizer)}
+		 * instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ContentTypeOptionsSpec contentTypeOptions() {
 			return new ContentTypeOptionsSpec();
 		}
@@ -2493,7 +2552,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures frame options response headers
 		 * @return the {@link FrameOptionsSpec} to configure
+		 * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public FrameOptionsSpec frameOptions() {
 			return new FrameOptionsSpec();
 		}
@@ -2525,7 +2586,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures the Strict Transport Security response headers
 		 * @return the {@link HstsSpec} to configure
+		 * @deprecated For removal in 7.0. Use {@link #hsts(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public HstsSpec hsts() {
 			return new HstsSpec();
 		}
@@ -2550,7 +2613,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures x-xss-protection response header.
 		 * @return the {@link XssProtectionSpec} to configure
+		 * @deprecated For removal in 7.0. Use {@link #xssProtection(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public XssProtectionSpec xssProtection() {
 			return new XssProtectionSpec();
 		}
@@ -2570,7 +2635,10 @@ public class ServerHttpSecurity {
 		 * Configures {@code Content-Security-Policy} response header.
 		 * @param policyDirectives the policy directive(s)
 		 * @return the {@link ContentSecurityPolicySpec} to configure
+		 * @deprecated For removal in 7.0. Use {@link #contentSecurityPolicy(Customizer)}
+		 * instead.
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ContentSecurityPolicySpec contentSecurityPolicy(String policyDirectives) {
 			return new ContentSecurityPolicySpec(policyDirectives);
 		}
@@ -2590,7 +2658,8 @@ public class ServerHttpSecurity {
 		 * Configures {@code Feature-Policy} response header.
 		 * @param policyDirectives the policy
 		 * @return the {@link FeaturePolicySpec} to configure
-		 * @deprecated Use {@link #permissionsPolicy(Customizer)} instead.
+		 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)}
+		 * instead.
 		 */
 		@Deprecated
 		public FeaturePolicySpec featurePolicy(String policyDirectives) {
@@ -2600,7 +2669,10 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures {@code Permissions-Policy} response header.
 		 * @return the {@link PermissionsPolicySpec} to configure
+		 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)}
+		 * instead.
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public PermissionsPolicySpec permissionsPolicy() {
 			return new PermissionsPolicySpec();
 		}
@@ -2620,7 +2692,10 @@ public class ServerHttpSecurity {
 		 * Configures {@code Referrer-Policy} response header.
 		 * @param referrerPolicy the policy to use
 		 * @return the {@link ReferrerPolicySpec} to configure
+		 * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)}
+		 * instead.
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ReferrerPolicySpec referrerPolicy(ReferrerPolicy referrerPolicy) {
 			return new ReferrerPolicySpec(referrerPolicy);
 		}
@@ -2628,7 +2703,10 @@ public class ServerHttpSecurity {
 		/**
 		 * Configures {@code Referrer-Policy} response header.
 		 * @return the {@link ReferrerPolicySpec} to configure
+		 * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)}
+		 * instead.
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ReferrerPolicySpec referrerPolicy() {
 			return new ReferrerPolicySpec();
 		}
@@ -2650,8 +2728,11 @@ public class ServerHttpSecurity {
 		 * Cross-Origin-Opener-Policy</a> header.
 		 * @return the {@link CrossOriginOpenerPolicySpec} to configure
 		 * @since 5.7
+		 * @deprecated For removal in 7.0. Use
+		 * {@link #crossOriginOpenerPolicy(Customizer)} instead.
 		 * @see CrossOriginOpenerPolicyServerHttpHeadersWriter
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public CrossOriginOpenerPolicySpec crossOriginOpenerPolicy() {
 			return new CrossOriginOpenerPolicySpec();
 		}
@@ -2676,8 +2757,11 @@ public class ServerHttpSecurity {
 		 * Cross-Origin-Embedder-Policy</a> header.
 		 * @return the {@link CrossOriginEmbedderPolicySpec} to configure
 		 * @since 5.7
+		 * @deprecated For removal in 7.0. Use
+		 * {@link #crossOriginEmbedderPolicy(Customizer)} instead.
 		 * @see CrossOriginEmbedderPolicyServerHttpHeadersWriter
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public CrossOriginEmbedderPolicySpec crossOriginEmbedderPolicy() {
 			return new CrossOriginEmbedderPolicySpec();
 		}
@@ -2702,8 +2786,11 @@ public class ServerHttpSecurity {
 		 * Cross-Origin-Resource-Policy</a> header.
 		 * @return the {@link CrossOriginResourcePolicySpec} to configure
 		 * @since 5.7
+		 * @deprecated For removal in 7.0. Use
+		 * {@link #crossOriginResourcePolicy(Customizer)} instead.
 		 * @see CrossOriginResourcePolicyServerHttpHeadersWriter
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public CrossOriginResourcePolicySpec crossOriginResourcePolicy() {
 			return new CrossOriginResourcePolicySpec();
 		}
@@ -2789,7 +2876,10 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}
 			 * @return the {@link HeaderSpec} to continue configuring
+			 * @deprecated For removal in 7.0. Use {@link #frameOptions(Customizer)}
+			 * instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			private HeaderSpec and() {
 				return HeaderSpec.this;
 			}
@@ -2857,7 +2947,9 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}
 			 * @return the {@link HeaderSpec} to continue configuring
+			 * @deprecated For removal in 7.0. Use {@link #hsts(Customizer)} instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public HeaderSpec and() {
 				return HeaderSpec.this;
 			}
@@ -2946,7 +3038,10 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
 			 * @return the {@link HeaderSpec} to continue configuring
+			 * @deprecated For removal in 7.0. Use
+			 * {@link #contentSecurityPolicy(Customizer)} instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public HeaderSpec and() {
 				return HeaderSpec.this;
 			}
@@ -2973,7 +3068,10 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
 			 * @return the {@link HeaderSpec} to continue configuring
+			 * @deprecated For removal in 7.0. Use {@link #featurePolicy(Customizer)}
+			 * instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public HeaderSpec and() {
 				return HeaderSpec.this;
 			}
@@ -3005,7 +3103,10 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
 			 * @return the {@link HeaderSpec} to continue configuring
+			 * @deprecated For removal in 7.0. Use {@link #permissionsPolicy(Customizer)}
+			 * instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public HeaderSpec and() {
 				return HeaderSpec.this;
 			}
@@ -3042,7 +3143,10 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
 			 * @return the {@link HeaderSpec} to continue configuring
+			 * @deprecated For removal in 7.0. Use {@link #referrerPolicy(Customizer)}
+			 * instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public HeaderSpec and() {
 				return HeaderSpec.this;
 			}
@@ -3073,7 +3177,10 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
 			 * @return the {@link HeaderSpec} to continue configuring
+			 * @deprecated For removal in 7.0. Use
+			 * {@link #crossOriginOpenerPolicy(Customizer)} instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public HeaderSpec and() {
 				return HeaderSpec.this;
 			}
@@ -3104,7 +3211,10 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
 			 * @return the {@link HeaderSpec} to continue configuring
+			 * @deprecated For removal in 7.0. Use
+			 * {@link #crossOriginEmbedderPolicy(Customizer)} instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public HeaderSpec and() {
 				return HeaderSpec.this;
 			}
@@ -3135,7 +3245,10 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
 			 * @return the {@link HeaderSpec} to continue configuring
+			 * @deprecated For removal in 7.0. Use
+			 * {@link #crossOriginResourcePolicy(Customizer)} instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public HeaderSpec and() {
 				return HeaderSpec.this;
 			}
@@ -3211,7 +3324,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #logout(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -3322,7 +3437,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #cors(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -3378,6 +3495,10 @@ public class ServerHttpSecurity {
 			return this;
 		}
 
+		/**
+		 * @deprecated For removal in 7.0. Use {@link #x509(Customizer)} instead
+		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -3630,7 +3751,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #oauth2Login(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -3965,7 +4088,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #oauth2Client(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -4113,7 +4238,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Enables JWT Resource Server support.
 		 * @return the {@link JwtSpec} for additional configuration
+		 * @deprecated For removal in 7.0. Use {@link #jwt(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public JwtSpec jwt() {
 			if (this.jwt == null) {
 				this.jwt = new JwtSpec();
@@ -4138,7 +4265,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Enables Opaque Token Resource Server support.
 		 * @return the {@link OpaqueTokenSpec} for additional configuration
+		 * @deprecated For removal in 7.0. Use {@link #opaqueToken(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public OpaqueTokenSpec opaqueToken() {
 			if (this.opaqueToken == null) {
 				this.opaqueToken = new OpaqueTokenSpec();
@@ -4230,6 +4359,11 @@ public class ServerHttpSecurity {
 			return new ServerAuthenticationEntryPointFailureHandler(this.entryPoint);
 		}
 
+		/**
+		 * @deprecated For removal in 7.0. Use {@link #oauth2ResourceServer(Customizer)}
+		 * instead
+		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}
@@ -4303,6 +4437,10 @@ public class ServerHttpSecurity {
 				return this;
 			}
 
+			/**
+			 * @deprecated For removal in 7.0. Use {@link #jwt(Customizer)} instead
+			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public OAuth2ResourceServerSpec and() {
 				return OAuth2ResourceServerSpec.this;
 			}
@@ -4413,7 +4551,10 @@ public class ServerHttpSecurity {
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}
 			 * @return the {@link ServerHttpSecurity} to continue configuring
+			 * @deprecated For removal in 7.0. Use {@link #opaqueToken(Customizer)}
+			 * instead
 			 */
+			@Deprecated(since = "6.1", forRemoval = true)
 			public OAuth2ResourceServerSpec and() {
 				return OAuth2ResourceServerSpec.this;
 			}
@@ -4539,7 +4680,9 @@ public class ServerHttpSecurity {
 		/**
 		 * Allows method chaining to continue configuring the {@link ServerHttpSecurity}
 		 * @return the {@link ServerHttpSecurity} to continue configuring
+		 * @deprecated For removal in 7.0. Use {@link #anonymous(Customizer)} instead
 		 */
+		@Deprecated(since = "6.1", forRemoval = true)
 		public ServerHttpSecurity and() {
 			return ServerHttpSecurity.this;
 		}