java spring spring-boot spring-security java-annotations

Why annotate with @Configuration and @EnableWebSecurity at the same time?


I'm reading Spring in Action, 5th Edition. In part 4 (Securing Spring), he wanted to override the security autoconfigured by Spring Boot, so he created a config class called SecurityConfig, as follows:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
}

Also, in the Javadoc of @EnableWebSecurity, they do the same thing,

and they also say:

Add this annotation to an @Configuration class to have the Spring Security configuration defined in any WebSecurityConfigurer or more likely by extending the WebSecurityConfigurerAdapter base class and overriding individual methods

But @EnableWebSecurity is already a @Configuration. Here is the code that confirms this:

@Retention(RUNTIME)
@Target(TYPE)
@Documented
@Import({WebSecurityConfiguration.class,org.springframework.security.config.annotation.web.configuration.SpringWebMvcImportSelector.class,org.springframework.security.config.annotation.web.configuration.OAuth2ImportSelector.class,org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.class})
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity

My question is: why should we annotate a class with both @Configuration and @EnableWebSecurity instead of just @EnableWebSecurity?

Thank you :)


Solution

  • There is no need to annotate your @EnableWebSecurity class with @Configuration since this commit.

    As the GitHub issue says,

    This removes the need to state @Configuration when using @Enable* annotations.

    So it seems the developers removed the requirement to use both @Configuration and @EnableWebSecurity, but forgot to reflect this in the Javadoc.