Disable default security configuration when SecurityFilterChain bean is present

[eleftherias]

Spring Security is adding an enhancement that allows configuring HTTP security by exposing a SecurityFilterChain bean.
In this case, there is no need to extend WebSecurityConfigurerAdapter.
See spring-projects/spring-security#8804.

Currently Spring Boot applies a default security configuration when no WebSecurityConfigurerAdapter bean is present.
Going forward, it should also check if a SecurityFilterChain bean is present before applying a default security configuration.

[mbhave]

@eleftherias Would you suggest updating our smoke tests and auto-configuration to use the SecurityFilterChain bean instead of extending WebSecurityConfigurerAdapter too?

[eleftherias]

Yes, using the SecurityFilterChain bean will be the recommended approach going forward.

[mbhave]

Spring Security still needs to make some changes for making WebSecurity work with bean style SecurityFilterChain. We use WebSecurity to configure ignored paths for the Cloud Foundry actuators. Until that's sorted we can't move to the bean style config for our own auto-configurations. We should open a separate issue for #22739 (comment) once that's done.