Add a note to the docs about combining multiple security components

wilkinsona · wilkinsona · commit 2cdf801e7fd6 · 2019-10-16T16:09:13.000+01:00
Previously, the documentation did not describe how to combine multiple security components when one component's WebSecurityConfigurerAdapter or SecurityWebFilterChain would cause the other components' beans of the same type to back off. This commit adds a note that such cases should be handled by the user defining their own WebSecurityConfigurerAdapter or SecurityWebFilterChain that configures the use of all of the components as required. Closes gh-18507
diff --git a/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
@@ -3064,7 +3064,7 @@ You can provide a different `AuthenticationEventPublisher` by adding a bean for
 === MVC Security
 The default security configuration is implemented in `SecurityAutoConfiguration` and `UserDetailsServiceAutoConfiguration`.
 `SecurityAutoConfiguration` imports `SpringBootWebSecurityConfiguration` for web security and `UserDetailsServiceAutoConfiguration` configures authentication, which is also relevant in non-web applications.
-To switch off the default web application security configuration completely, you can add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
+To switch off the default web application security configuration completely or to combine multiple Spring Security components such as OAuth 2 Client and Resource Server, add a bean of type `WebSecurityConfigurerAdapter` (doing so does not disable the `UserDetailsService` configuration or Actuator's security).
 
 To also switch off the `UserDetailsService` configuration, you can add a bean of type `UserDetailsService`, `AuthenticationProvider`, or `AuthenticationManager`.
 
@@ -3084,7 +3084,7 @@ To switch off the default web application security configuration completely, you
 
 To also switch off the `UserDetailsService` configuration, you can add a bean of type `ReactiveUserDetailsService` or `ReactiveAuthenticationManager`.
 
-Access rules can be configured by adding a custom `SecurityWebFilterChain`.
+Access rules and the use of multiple Spring Security components such as OAuth 2 Client and Resource Server can be configured by adding a custom `SecurityWebFilterChain` bean.
 Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
 `EndpointRequest` can be used to create a `ServerWebExchangeMatcher` that is based on the configprop:management.endpoints.web.base-path[] property.
 
