spring-cloud / spring-cloud-common-security-config

A common security infrastructure used by Spring Cloud Data Flow and the projects in its ecosystem

Security configuration which disables security #19

Closed jvalkeal closed 6 years ago

jvalkeal commented 6 years ago

As boot2 effectively removed all of its tweaks for security auto-configuration, we need to come up with a config which effectively disables all security features. As we used to hook into boot1 `security.basic.enabled` and other settings, we need to come up with a condition which is true if the user hasn't added any security settings. This condition would then craft a dummy security config which would fake boot not to enable its own `WebSecurityConfigurerAdapter` which then effectively adds `springSecurityFilterChain` and `@EnableWebSecurity` is enabled.

There was a discussion in https://github.com/spring-projects/spring-boot/issues/10306 to make this easier in boot, but that ticket didn't go anywhere and I'm not sure any kind of security features would belong in boot anyway. Our use case is highly opinionated and these opinionated use cases were the reason boot removed its own tweak in favour of forcing users to do their own configs.
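
A sketch of the approach described in the issue, added here as an illustration and not taken from the issue or from the project's code: Boot 2 backs off its default adapter when an application-defined `WebSecurityConfigurerAdapter` bean exists, so a conditional permit-all adapter can stand in when no security settings are present. The class name and the property names are hypothetical.

```java
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.annotation.Condition;
import org.springframework.context.annotation.ConditionContext;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.core.type.AnnotatedTypeMetadata;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class: active only when none of the listed security properties is set.
@Configuration
@Conditional(NoSecuritySettingsExample.NoSecurityPropertiesCondition.class)
public class NoSecuritySettingsExample extends WebSecurityConfigurerAdapter {

    private static final Log log = LogFactory.getLog(NoSecuritySettingsExample.class);

    // Hypothetical property names, chosen for illustration only.
    static final String[] SECURITY_PROPERTIES = {
        "example.security.basic.enabled",
        "example.security.oauth2.client-id"
    };

    static class NoSecurityPropertiesCondition implements Condition {
        @Override
        public boolean matches(ConditionContext context, AnnotatedTypeMetadata metadata) {
            Environment env = context.getEnvironment();
            for (String name : SECURITY_PROPERTIES) {
                // Exact-name lookup; relaxed binding variants are not covered here.
                if (env.containsProperty(name)) {
                    return false; // a security setting is present: stand down
                }
            }
            return true; // nothing configured: install the permit-all adapter
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Make the unsecured state visible in the startup log.
        log.warn("No security settings found; all requests are permitted without authentication");
        http.authorizeRequests().anyRequest().permitAll();
    }
}
```

A property missing from the list makes the condition match even though the user configured security, so the list has to cover every security setting the application supports.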