While testing Spring Boot (1.3.3) with a simple web app using spring-boot-starter-security:1.3.3:RELEASE I observed the following behaviour:
In order to override the default Spring web security configuration, I supplied a custom Java configuration class like so:
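    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    // @EnableWebSecurity apparently obsolete ?
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // http security checking left out for brevity ...
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // user authentication left out for brevity ...
        }
    }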
After startup, the application redirects to the login page and checks username/password correctly whether the @EnableWebSecurity annotation is provided or not (like in the example above). Is this annotation in this context therefore obsolete? If so, why?
The auto configuration of Spring Boot automatically enables web security and retrieves all beans of the type WebSecurityConfigurerAdapter to customize the configuration if certain conditions are met (spring-boot-starter-security on the classpath etc.). The auto configuration for web security is enabled in the class org.springframework.boot.autoconfigure.security.SpringBootWebSecurityConfiguration (Spring Boot 1.2.7, class name may have changed in newer versions).
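For comparison with the answer above, here is a complete configuration with the annotation declared explicitly, written for Spring Security 4.0.x as shipped with Spring Boot 1.3.x. It is an added example, not code from the question or the answer; the class name, the URL rules, and the in-memory user are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name. In a plain Spring MVC application (no Boot
// auto-configuration) @EnableWebSecurity is what registers the security
// filter chain, so it must be present. Under Spring Boot 1.x the
// auto-configuration applies it for you; according to the Boot 1.x
// reference documentation, declaring it yourself switches off Boot's
// default web security settings, leaving only the rules defined here.
@Configuration
@EnableWebSecurity
public class ExplicitSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed static resource path; everything else needs a login.
                .antMatchers("/css/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // Use the generated login form and let anyone reach it.
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed placeholder account for local testing only; a real
        // deployment would use a UserDetailsService backed by a user store
        // and a PasswordEncoder.
        auth.inMemoryAuthentication()
            .withUser("demo").password("change-me").roles("USER");
    }
}
```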