Closed criztovyl closed 2 months ago
Thanks for spotting and reporting this, @criztovyl. You're right that the docs are wrong. The javadoc for ManagementWebSecurityAutoConfiguration describes things accurately:
The Actuator security documentation is accurate:
We need to make things consistent.
It seems this statement in the docs is wrong or confusing (emphasis mine):
https://github.com/spring-projects/spring-boot/blob/ab3c5799acc9a59730b41c6e46d4a1c8bec2f3d7/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc?plain=1#L37
If you create a new Spring Boot 3 application like this
https://start.spring.io/#!type=gradle-project&language=java&platformVersion=3.3.2&packaging=jar&jvmVersion=17&groupId=com.example&artifactId=demo&name=demo&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.demo&dependencies=security,web,actuator
with the default configuration, actuator is secured:
but when adding a SecurityFilterChain like this
or this
security is gone
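
Added example, not part of the original issue or of Spring Boot's own code: once an application declares its own SecurityFilterChain bean, the actuator security auto-configuration backs off, so the chain has to state the actuator rules itself. The class name, the `com.example.demo` package (taken from the start.spring.io link above) and the `ENDPOINT_ADMIN` role are assumptions chosen for illustration.

```java
package com.example.demo;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class for the demo project (Spring Boot 3.x,
// with the security, web and actuator starters on the classpath).
@Configuration(proxyBeanMethods = false)
public class DemoSecurityConfiguration {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((requests) -> requests
                // Rules are evaluated in order, so the narrow health rule
                // must come before the catch-all actuator rule.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Every other actuator endpoint requires a dedicated role.
                // "ENDPOINT_ADMIN" is an assumed role name; use your own.
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ENDPOINT_ADMIN")
                // Application requests: authenticated unless stated otherwise.
                // Ending on a closed catch-all keeps unlisted paths protected.
                .anyRequest().authenticated());

        // The chain defines its own authentication mechanisms, because
        // nothing from the backed-off auto-configuration is inherited.
        http.httpBasic(Customizer.withDefaults());
        http.formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

EndpointRequest resolves the matchers from the configured management base path, so the rules keep applying if `management.endpoints.web.base-path` is changed from `/actuator`.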