Clarify how to switch off security autoconfiguration

The fact that the web security and the authentication manager are
controlled separately should hopefully now be clearer.

Fixes gh-3292

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java

@@ -23,7 +23,6 @@ import java.util.Set;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.beans.factory.SmartInitializingSingleton;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -52,11 +51,13 @@ import org.springframework.util.ReflectionUtils;
 
 /**
  * Configuration for a Spring Security in-memory {@link AuthenticationManager}. Can be
- * disabled by providing a bean of type AuthenticationManager. The value provided by this
- * configuration will become the "global" authentication manager (from Spring Security),
- * or the parent of the global instance. Thus it acts as a fallback when no others are
- * provided, is used by method security if enabled, and as a parent authentication manager
- * for "local" authentication managers in individual filter chains.
+ * disabled by providing a bean of type AuthenticationManager, or by autowiring an
+ * {@link AuthenticationManagerBuilder} into a method in one of your configuration
+ * classes. The value provided by this configuration will become the "global"
+ * authentication manager (from Spring Security), or the parent of the global instance.
+ * Thus it acts as a fallback when no others are provided, is used by method security if
+ * enabled, and as a parent authentication manager for "local" authentication managers in
+ * individual filter chains.
  *
  * @author Dave Syer
  * @author Rob Winch

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java

@@ -36,6 +36,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
@@ -60,8 +61,7 @@ import org.springframework.util.StringUtils;
  * externalized application properties (or via an bean definition of that type to set the
  * defaults). The user details for authentication are just placeholders
  * {@code (username=user, password=password)} but can easily be customized by providing a
- * bean definition of type {@link AuthenticationManager}. Also provides audit logging of
- * authentication events.
+ * an {@link AuthenticationManager}. Also provides audit logging of authentication events.
  * <p>
  * Some common simple customizations:
  * <ul>
@@ -69,7 +69,9 @@ import org.springframework.util.StringUtils;
  * classpath or {@link EnableAutoConfiguration#exclude() exclude} this configuration.</li>
  * <li>Switch off security temporarily (e.g. for a dev environment): set
  * {@code security.basic.enabled: false}</li>
- * <li>Customize the user details: add an AuthenticationManager bean</li>
+ * <li>Customize the user details: autowire an {@link AuthenticationManagerBuilder} into a
+ * method in one of your configuration classes or equivalently add a bean of type
+ * AuthenticationManager</li>
  * <li>Add form login for user facing resources: add a
  * {@link WebSecurityConfigurerAdapter} and use {@link HttpSecurity#formLogin()}</li>
  * </ul>

spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc

@@ -1860,10 +1860,14 @@ properties are externalized via
 The default security configuration is implemented in `SecurityAutoConfiguration` and in
 the classes imported from there (`SpringBootWebSecurityConfiguration` for web security
 and `AuthenticationManagerConfiguration` for authentication configuration which is also
-relevant in non-web applications). To switch off the Boot default configuration
-completely in a web application you can add a bean with `@EnableWebSecurity`. To customize
+relevant in non-web applications). To switch off the default web security configuration
+completely you can add a bean with `@EnableWebSecurity` (this does not disable the
+authentication manager configuration). To customize
 it you normally use external properties and beans of type `WebSecurityConfigurerAdapter`
-(e.g. to add form-based login). There are several secure applications in the
+(e.g. to add form-based login). To also switch off the authentication manager configuration
+you can add a bean of type `AuthenticationManager`, or else configure the
+global `AuthenticationManager` by `@Autowiring` an `AuthenticationManagerBuilder` into
+a method in one of your `@Configuration` classes. There are several secure applications in the
 {github-code}/spring-boot-samples/[Spring Boot samples] to get you started with common
 use cases.