Add a @EnableWebSecurity if it looks like the user needs one

If the user explicitly disables the basic security features and forgets to
@EnableWebSecurity, and yet still wants a bean of type
WebSecurityConfigurerAdapter, he is trying to use a custom
security setup and the app would fail in a confusing way without
this change.

Fixes gh-568

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityAutoConfiguration.java

@@ -17,13 +17,18 @@
 package org.springframework.boot.autoconfigure.security;
 
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
 /**
@@ -52,4 +57,23 @@ public class SecurityAutoConfiguration {
 		return new SecurityProperties();
 	}
 
+	/**
+	 * If the user explicitly disables the basic security features and forgets to
+	 * <code>@EnableWebSecurity</code>, and yet still wants a bean of type
+	 * WebSecurityConfigurerAdapter, he is trying to use a custom security setup. The app
+	 * would fail in a confusing way without this shim configuration, which just helpfully
+	 * defines an empty <code>@EnableWebSecurity</code>.
+	 * 
+	 * @author Dave Syer
+	 */
+	@ConditionalOnExpression("!${security.basic.enabled:true}")
+	@ConditionalOnBean(WebSecurityConfigurerAdapter.class)
+	@ConditionalOnClass(EnableWebSecurity.class)
+	@ConditionalOnMissingBean(WebSecurityConfiguration.class)
+	@ConditionalOnWebApplication
+	@EnableWebSecurity
+	protected static class EmptyWebSecurityConfiguration {
+
+	}
+
 }

spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleSecureApplication.java → spring-boot-samples/spring-boot-sample-web-secure/src/main/java/sample/ui/secure/SampleWebSecureApplication.java

@@ -35,7 +35,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter
 @EnableAutoConfiguration
 @ComponentScan
 @Controller
-public class SampleSecureApplication extends WebMvcConfigurerAdapter {
+public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {
 
 	@RequestMapping("/")
 	public String home(Map<String, Object> model) {
@@ -52,7 +52,7 @@ public class SampleSecureApplication extends WebMvcConfigurerAdapter {
 
 	public static void main(String[] args) throws Exception {
 		// Set user password to "password" for demo purposes only
-		new SpringApplicationBuilder(SampleSecureApplication.class).properties("security.user.password=password").run(
+		new SpringApplicationBuilder(SampleWebSecureApplication.class).properties("security.user.password=password").run(
 				args);
 	}
 

spring-boot-samples/spring-boot-sample-web-secure/src/main/resources/application.properties

 spring.thymeleaf.cache: false
 debug: true
+security.basic.enabled: false
\ No newline at end of file

spring-boot-samples/spring-boot-sample-web-secure/src/test/java/sample/ui/secure/SampleSecureApplicationTests.java

@@ -42,7 +42,7 @@ import static org.junit.Assert.assertTrue;
  * @author Dave Syer
  */
 @RunWith(SpringJUnit4ClassRunner.class)
-@SpringApplicationConfiguration(classes = SampleSecureApplication.class)
+@SpringApplicationConfiguration(classes = SampleWebSecureApplication.class)
 @WebAppConfiguration
 @IntegrationTest
 @DirtiesContext