Fix Add @Configuration to @Enable*Security Usage

Issue gh-6613

config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java

@@ -189,6 +189,7 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class GroupSearchConfig extends BaseLdapProviderConfig {
 

config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java

@@ -55,6 +55,7 @@ import org.springframework.security.rsocket.util.matcher.RoutePayloadExchangeMat
  * A minimal example can be found below:
  *
  * <pre class="code">
+ * &#064;Configuration
  * &#064;EnableRSocketSecurity
  * public class SecurityConfig {
  *     &#064;Bean
@@ -82,6 +83,7 @@ import org.springframework.security.rsocket.util.matcher.RoutePayloadExchangeMat
  * A more advanced configuration can be seen below:
  *
  * <pre class="code">
+ * &#064;Configuration
  * &#064;EnableRSocketSecurity
  * public class SecurityConfig {
  *     &#064;Bean

config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java

@@ -22,7 +22,6 @@ import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
-import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
 
@@ -39,7 +38,6 @@ import org.springframework.security.config.annotation.authentication.configurati
 @Documented
 @Import(WebMvcSecurityConfiguration.class)
 @EnableGlobalAuthentication
-@Configuration
 @Deprecated
 public @interface EnableWebMvcSecurity {
 

config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java

@@ -39,9 +39,9 @@ import org.springframework.util.Assert;
  * @author Rob Winch
  *
  */
+@Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
-@Configuration
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
 	@Autowired

config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java

@@ -531,8 +531,8 @@ public class GlobalMethodSecurityConfigurationTests {
 
 	}
 
-	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	@Configuration
+	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	public static class RoleHierarchyConfig {
 
 		@Bean
@@ -607,8 +607,8 @@ public class GlobalMethodSecurityConfigurationTests {
 
 	}
 
-	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	@Configuration
+	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	public static class CustomMetadataSourceBeanProxyEnabledConfig extends GlobalMethodSecurityConfiguration {
 
 	}

config/src/test/java/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityTests.java

@@ -316,8 +316,8 @@ public class NamespaceGlobalMethodSecurityTests {
 
 	}
 
-	@EnableGlobalMethodSecurity(jsr250Enabled = true)
 	@Configuration
+	@EnableGlobalMethodSecurity(jsr250Enabled = true)
 	public static class Jsr250Config {
 
 	}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java

@@ -127,6 +127,7 @@ public class AnonymousConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class AnonymousDisabledInLambdaConfig extends WebSecurityConfigurerAdapter {
 

config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java

@@ -131,6 +131,7 @@ public class NamespaceHttpFormLoginTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class FormLoginCustomConfig extends WebSecurityConfigurerAdapter {
 

config/src/test/java/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.java

@@ -26,6 +26,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
@@ -151,6 +152,7 @@ public class X509ConfigurerTests {
 		}
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter {
 
@@ -180,6 +182,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class DuplicateDoesNotOverrideConfig extends WebSecurityConfigurerAdapter {
 
@@ -205,6 +208,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class DefaultsInLambdaConfig extends WebSecurityConfigurerAdapter {
 
@@ -227,6 +231,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class SubjectPrincipalRegexInLambdaConfig extends WebSecurityConfigurerAdapter {
 
@@ -252,6 +257,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class UserDetailsServiceBeanConfig {
 
@@ -279,6 +285,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class UserDetailsServiceAndBeanConfig {
 

config/src/test/kotlin/org/springframework/security/config/annotation/method/configuration/KotlinEnableReactiveMethodSecurityTests.kt

@@ -210,8 +210,8 @@ class KotlinEnableReactiveMethodSecurityTests {
         verify { delegate wasNot Called }
     }
 
-    @EnableReactiveMethodSecurity
     @Configuration
+    @EnableReactiveMethodSecurity
     open class Config {
         var delegate = mockk<KotlinReactiveMessageService>()
 

config/src/test/kotlin/org/springframework/security/config/web/server/AuthorizeExchangeDslTests.kt

@@ -32,7 +32,7 @@ import org.springframework.test.web.reactive.server.WebTestClient
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.reactive.config.EnableWebFlux
-import java.util.*
+import java.util.Base64
 
 /**
  * Tests for [AuthorizeExchangeDsl]

docs/modules/ROOT/pages/servlet/authorization/method-security.adoc

@@ -1,3 +1,4 @@
+
 [[jc-method]]
 = Method Security
 
@@ -32,6 +33,7 @@ For example, the following would enable Spring Security's `@PreAuthorize` annota
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity
 public class MethodSecurityConfig {
 	// ...
@@ -41,6 +43,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	// ...
@@ -98,6 +101,7 @@ You can enable support for Spring Security's `@Secured` annotation using:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity(securedEnabled = true)
 public class MethodSecurityConfig {
 	// ...
@@ -107,6 +111,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity(securedEnabled = true)
 class MethodSecurityConfig {
 	// ...
@@ -127,6 +132,7 @@ or JSR-250 using:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity(jsr250Enabled = true)
 public class MethodSecurityConfig {
 	// ...
@@ -136,6 +142,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity(jsr250Enabled = true)
 class MethodSecurityConfig {
 	// ...
@@ -264,6 +271,7 @@ To recreate what adding `@EnableMethodSecurity` does by default, you would publi
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity(prePostEnabled = false)
 class MethodSecurityConfig {
 	@Bean
@@ -295,6 +303,7 @@ class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity(prePostEnabled = false)
 class MethodSecurityConfig {
 	@Bean
@@ -392,6 +401,7 @@ You may want to only support `@PreAuthorize` in your application, in which case
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity(prePostEnabled = false)
 class MethodSecurityConfig {
 	@Bean
@@ -405,6 +415,7 @@ class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity(prePostEnabled = false)
 class MethodSecurityConfig {
 	@Bean
@@ -440,6 +451,7 @@ Thus, you can configure Spring Security to invoke your `AuthorizationManager` in
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	@Bean
@@ -458,6 +470,7 @@ class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	@Bean
@@ -542,6 +555,7 @@ For example, if you have your own custom annotation, you can configure it like s
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	@Bean
@@ -558,6 +572,7 @@ class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	@Bean
@@ -607,6 +622,7 @@ The following example enables Spring Security's `@Secured` annotation:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(securedEnabled = true)
 public class MethodSecurityConfig {
 // ...
@@ -616,6 +632,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(securedEnabled = true)
 open class MethodSecurityConfig {
 	// ...
@@ -666,6 +683,7 @@ Support for JSR-250 annotations can be enabled by using:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(jsr250Enabled = true)
 public class MethodSecurityConfig {
 // ...
@@ -675,6 +693,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(jsr250Enabled = true)
 open class MethodSecurityConfig {
 	// ...
@@ -689,6 +708,7 @@ To use the new expression-based syntax, you would use:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class MethodSecurityConfig {
 // ...
@@ -698,6 +718,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 open class MethodSecurityConfig {
 	// ...
@@ -750,6 +771,7 @@ For example, if you wanted to provide a custom `MethodSecurityExpressionHandler`
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
 	@Override
@@ -763,6 +785,7 @@ public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 open class MethodSecurityConfig : GlobalMethodSecurityConfiguration() {
     override fun createExpressionHandler(): MethodSecurityExpressionHandler {

docs/modules/ROOT/pages/servlet/configuration/java.adoc

@@ -324,6 +324,7 @@ You can also explicit disable the default:
 ====
 [source,java]
 ----
+@Configuration
 @EnableWebSecurity
 public class Config {
 	@Bean

docs/modules/ROOT/pages/servlet/exploits/headers.adoc

@@ -887,6 +887,7 @@ You can enable the preceding permissions policy header using the following confi
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -919,6 +920,7 @@ public class WebSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 
@@ -958,6 +960,7 @@ You can send the preceding header on log out with the following configuration:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -976,6 +979,7 @@ public class WebSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 
@@ -1015,6 +1019,7 @@ Given the preceding header, you could add the headers to the response by using t
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -1045,6 +1050,7 @@ public class WebSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 
@@ -1074,6 +1080,7 @@ If you wanted to explicitly configure <<servlet-headers-frame-options>>, you cou
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -1110,6 +1117,7 @@ See https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsi
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 
@@ -1141,6 +1149,7 @@ The following configuration example uses `DelegatingRequestMatcherHeaderWriter`:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -1188,6 +1197,7 @@ public class WebSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 

docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc

@@ -931,6 +931,7 @@ Also, you can configure `OidcClientInitiatedLogoutSuccessHandler`, which impleme
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class OAuth2LoginSecurityConfig {
 
@@ -966,6 +967,7 @@ public class OAuth2LoginSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class OAuth2LoginSecurityConfig {
     @Autowired

docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc

@@ -757,6 +757,7 @@ public class DirectlyConfiguredJwkSetUri {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class DirectlyConfiguredJwkSetUri {
     @Bean
@@ -949,6 +950,7 @@ static class CustomAuthenticationConverter implements Converter<Jwt, AbstractAut
 
 // ...
 
+@Configuration
 @EnableWebSecurity
 public class CustomAuthenticationConverterConfig {
     @Bean
@@ -978,6 +980,7 @@ internal class CustomAuthenticationConverter : Converter<Jwt, AbstractAuthentica
 
 // ...
 
+@Configuration
 @EnableWebSecurity
 class CustomAuthenticationConverterConfig {
     @Bean