Commit 2469f0b

Clarify effect of @EnableWebSecurity when Actuator's being used
Closes gh-6490
1 parent bf8ae27 commit 2469f0b

2 files changed

+6
-5
lines changed

spring-boot-docs/src/main/asciidoc/howto.adoc

Lines changed: 3 additions & 2 deletions
@@ -2134,8 +2134,9 @@ will be available under `/system`.
21342134
[[howto-switch-off-spring-boot-security-configuration]]
21352135
=== Switch off the Spring Boot security configuration
21362136
If you define a `@Configuration` with `@EnableWebSecurity` anywhere in your application
2137-
it will switch off the default webapp security settings in Spring Boot. To tweak the
2138-
defaults try setting properties in `+security.*+` (see
2137+
it will switch off the default webapp security settings in Spring Boot (but leave the
2138+
Actuator's security enabled). To tweak the defaults try setting properties in
2139+
`+security.*+` (see
21392140
{sc-spring-boot-autoconfigure}/security/SecurityProperties.{sc-ext}[`SecurityProperties`]
21402141
for details of available settings) and `SECURITY` section of
21412142
<<common-application-properties-security,Common application properties>>.
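Review bot: The new parenthetical "(but leave the Actuator's security enabled)" tells the reader that something stays on but not where it is controlled. This section is titled "Switch off the Spring Boot security configuration", so someone who lands here with their own `@EnableWebSecurity` configuration still cannot tell from this paragraph which configuration governs the Actuator endpoints, or how to change it. Please add a cross-reference to the section that documents Actuator endpoint security right after the parenthetical, in the same style as the existing `<<common-application-properties-security,...>>` link. A smaller style point: this file says "default webapp security settings" while the matching sentence in spring-boot-features.adoc now reads "default web application security configuration"; use one term in both places.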

spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc

Lines changed: 3 additions & 3 deletions
@@ -2290,9 +2290,9 @@ properties are externalized via
22902290
The default security configuration is implemented in `SecurityAutoConfiguration` and in
22912291
the classes imported from there (`SpringBootWebSecurityConfiguration` for web security
22922292
and `AuthenticationManagerConfiguration` for authentication configuration which is also
2293-
relevant in non-web applications). To switch off the default web security configuration
2294-
completely you can add a bean with `@EnableWebSecurity` (this does not disable the
2295-
authentication manager configuration). To customize
2293+
relevant in non-web applications). To switch off the default web application security
2294+
configuration completely you can add a bean with `@EnableWebSecurity` (this does not
2295+
disable the authentication manager configuration or Actuator's security). To customize
22962296
it you normally use external properties and beans of type `WebSecurityConfigurerAdapter`
22972297
(e.g. to add form-based login). To also switch off the authentication manager configuration
22982298
you can add a bean of type `AuthenticationManager`, or else configure the
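Review bot: In the added lines, "configuration completely" now sits directly before a parenthetical that lists two things which stay enabled ("this does not disable the authentication manager configuration or Actuator's security"), so "completely" reads as a contradiction and should be dropped or narrowed. The paragraph also goes on to say how to switch off the authentication manager configuration ("you can add a bean of type `AuthenticationManager`") but gives no equivalent for Actuator's security. Add a parallel sentence or a cross-reference to the Actuator security documentation, so that readers do not assume their own `@EnableWebSecurity` rules are the ones protecting the management endpoints.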
