Polish " Change info endpoint to be secure and unexposed by default"

See gh-24715

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/security/reactive/ReactiveManagementWebSecurityAutoConfiguration.java

@@ -20,7 +20,6 @@ import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAu
 import org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration;
 import org.springframework.boot.actuate.health.HealthEndpoint;
-import org.springframework.boot.actuate.info.InfoEndpoint;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
 import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
@@ -40,8 +39,8 @@ import org.springframework.security.web.server.WebFilterChainProxy;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for Reactive Spring Security when
- * actuator is on the classpath. Specifically, it permits access to the health and info
- * endpoints while securing everything else.
+ * actuator is on the classpath. Specifically, it permits access to the health endpoint
+ * while securing everything else.
  *
  * @author Madhura Bhave
  * @since 2.1.0
@@ -59,7 +58,7 @@ public class ReactiveManagementWebSecurityAutoConfiguration {
 	@Bean
 	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 		http.authorizeExchange((exchanges) -> {
-			exchanges.matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll();
+			exchanges.matchers(EndpointRequest.to(HealthEndpoint.class)).permitAll();
 			exchanges.anyExchange().authenticated();
 		});
 		http.httpBasic(Customizer.withDefaults());

spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/info/InfoEndpointAutoConfigurationTests.java

@@ -34,6 +34,17 @@ class InfoEndpointAutoConfigurationTests {
 	private final ApplicationContextRunner contextRunner = new ApplicationContextRunner()
 			.withConfiguration(AutoConfigurations.of(InfoEndpointAutoConfiguration.class));
 
+	@Test
+	void runShouldHaveEndpointBean() {
+		this.contextRunner.withPropertyValues("management.endpoints.web.exposure.include=info")
+				.run((context) -> assertThat(context).hasSingleBean(InfoEndpoint.class));
+	}
+
+	@Test
+	void runWhenNotExposedShouldNotHaveEndpointBean() {
+		this.contextRunner.run((context) -> assertThat(context).doesNotHaveBean(InfoEndpoint.class));
+	}
+
 	@Test
 	void runWhenEnabledPropertyIsFalseShouldNotHaveEndpointBean() {
 		this.contextRunner.withPropertyValues("management.endpoint.info.enabled:false")

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxApplicationTests.java

@@ -50,11 +50,6 @@ class SampleSecureWebFluxApplicationTests {
 				.isOk();
 	}
 
-	@Test
-	void infoInsecureByDefault() {
-		this.webClient.get().uri("/actuator/info").accept(MediaType.APPLICATION_JSON).exchange().expectStatus().isOk();
-	}
-
 	@Test
 	void otherActuatorsSecureByDefault() {
 		this.webClient.get().uri("/actuator/env").accept(MediaType.APPLICATION_JSON).exchange().expectStatus()