I have recently migrated my Spring Boot application from Spring Security 5 to Spring Security 6.
Usually, we use the @EnableWebSecurity annotation in the configuration class to enable web security. An interesting thing I have noticed in Spring Security 6 is they have removed the @Configuration annotation from the @EnableWebSecurity class.
I've added the source code for the @EnableWebSecurity from Spring Security 5 and Spring Security 6 for ease of reference.
// Spring Security 5
@Retention(RUNTIME)
@Target(TYPE)
@Documented
@Import({WebSecurityConfiguration.class,org.springframework.security.config.annotation.web.configuration.SpringWebMvcImportSelector.class,org.springframework.security.config.annotation.web.configuration.OAuth2ImportSelector.class,org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.class})
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity
// Spring Security 6
@Retention(RUNTIME)
@Target(TYPE)
@Documented
@Import({WebSecurityConfiguration.class,org.springframework.security.config.annotation.web.configuration.SpringWebMvcImportSelector.class,org.springframework.security.config.annotation.web.configuration.OAuth2ImportSelector.class,org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration.class})
@EnableGlobalAuthentication
public @interface EnableWebSecurity
What I'm curious about is, what would be the reason behind removing the @Configuration annotation in Spring Security 6?
Edit: I have seen this issue on GitHub mentioning @Configuration annotation is no longer needed for @Enable* annotations. But anyways, it's removed in Spring Security 6.
Because non of the other @Enable* annotations included @Configuration. This one was the odd one out. So now it is aligned with all other @Enable* annotations again and you yourself need to add @Configuration to mark a configuration class.
See als this issue related to the remove containing the reason why. The PR for this contains the changes.