diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc
index 79653ec2a8..37fa1b5eb9 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc
@@ -706,17 +706,24 @@ public class DirectlyConfiguredJwkSetUri extends WebSecurityConfigurerAdapter {
 }
 
 Converter<Jwt, AbstractAuthenticationToken> grantedAuthoritiesExtractor() {
-    return new GrantedAuthoritiesExtractor();
+    JwtAuthenticationConverter jwtAuthenticationConverter =
+            new JwtAuthenticationConverter();
+    jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter
+            (new GrantedAuthoritiesExtractor());
+    return jwtAuthenticationConveter;
 }
 ```
 
 which is responsible for converting a `Jwt` into an `Authentication`.
+As part of its configuration, we can supply a subsidiary converter to go from `Jwt` to a `Collection` of `GrantedAuthority`s.
 
-We can override this quite simply to alter the way granted authorities are derived:
+That final converter might be something like `GrantedAuthoritiesExtractor` below:
 
 ```java
-static class GrantedAuthoritiesExtractor extends JwtAuthenticationConverter {
-    protected Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
+static class GrantedAuthoritiesExtractor
+        implements Converter<Jwt, Collection<GrantedAuthority>> {
+
+    public Collection<GrantedAuthority> convert(Jwt jwt) {
         Collection<String> authorities = (Collection<String>)
                 jwt.getClaims().get("mycustomclaim");