why annotating with @Configuration and @EnableWebSecurity at the same time

Time:07-14

I'm reading Spring in Action, 5th Edition. In part 4 (Securing Spring), he wanted to override the security autoconfigured by Spring Boot, so he created a config class called SecurityConfig as follows:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
}

Also, in the Javadoc of @EnableWebSecurity, they do the same thing.

And they also say:

Add this annotation to an @Configuration class to have the Spring Security configuration defined in any WebSecurityConfigurer or more likely by extending the WebSecurityConfigurerAdapter base class and overriding individual methods

But @EnableWebSecurity is already a @Configuration. Here is the code that confirms this:

@Retention(RUNTIME)
@Target(TYPE)
@Documented
@Import({WebSecurityConfiguration.class,
         org.springframework.security.config.annotation.web.configuration.SpringWebMvcImportSelector.class,
         org.springframework.security.config.annotation.web.configuration.OAuth2ImportSelector.class,
         org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.class})
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity

My question is: why should we annotate a class with both @Configuration and @EnableWebSecurity instead of just @EnableWebSecurity?

Thank you :)

CodePudding user response:

There is no need to annotate your @EnableWebSecurity class with @Configuration since this commit.

As the GitHub issue says,

This removes the need to state @Configuration when using @Enable* annotations.

So, it seems like the developers removed the requirement to use both @Configuration and @EnableWebSecurity, but forgot to reflect this in the Javadoc.
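
An added example, not part of the original posts and not Spring's own code: a JDK-only reflection check for whether a class carries an annotation through meta-annotations, which is the relationship the question observes between @EnableWebSecurity and @Configuration. The `Demo*` types and the `MetaAnnotationCheck` class are constructed stand-ins; passing two real class names as arguments runs the same check against whatever Spring Security version is on your classpath.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.HashSet;
import java.util.Set;

public class MetaAnnotationCheck {

    // Constructed stand-ins mirroring the declaration quoted in the question,
    // so the check runs without Spring on the classpath.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @interface DemoConfiguration {}

    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
    @DemoConfiguration
    @interface DemoEnableWebSecurity {}

    @DemoEnableWebSecurity
    static class DemoSecurityConfig {}

    /** True if type carries target directly or through any chain of meta-annotations. */
    static boolean carries(Class<?> type, Class<? extends Annotation> target) {
        return carries(type, target, new HashSet<>());
    }

    private static boolean carries(Class<?> type, Class<? extends Annotation> target,
                                   Set<Class<?>> seen) {
        for (Annotation a : type.getAnnotations()) {
            Class<? extends Annotation> at = a.annotationType();
            if (at.equals(target)) return true;
            // @Retention, @Target and @Documented annotate each other: 'seen' breaks the cycle.
            if (seen.add(at) && carries(at, target, seen)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // Offline demo on the constructed stand-ins.
        System.out.println(carries(DemoSecurityConfig.class, DemoConfiguration.class));
        // Usage with real classes: java MetaAnnotationCheck <config-class> <annotation-class>
        if (args.length == 2) {
            Class<?> cfg = Class.forName(args[0]);
            Class<? extends Annotation> ann = Class.forName(args[1]).asSubclass(Annotation.class);
            System.out.println(cfg.getName() + " carries @" + ann.getSimpleName() + ": " + carries(cfg, ann));
        }
    }
}
```

If the check reports false for your security configuration class, the class is not a configuration class through @EnableWebSecurity alone and needs an explicit @Configuration.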
