
Remove formLogin() and httpBasic() from defaults

Rob Winch пре 7 година
родитељ
комит
211e8eae90

+ 0 - 2
config/src/main/java/org/springframework/security/config/annotation/web/reactive/ServerHttpSecurityConfiguration.java

@@ -67,8 +67,6 @@ public class ServerHttpSecurityConfiguration implements WebFluxConfigurer {
 		return http()
 			.authenticationManager(authenticationManager())
 			.headers().and()
-			.httpBasic().and()
-			.formLogin().and()
 			.logout().and();
 	}
 
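Review bot: Dropping `httpBasic()` and `formLogin()` from the `ServerHttpSecurity` bean means a user-defined `SecurityWebFilterChain` built from this bean that only restricts access (as both LogoutBuilderTests hunks in this commit had to be adjusted for) no longer gets any authentication entry point unless it opts in, and nothing in the hunk records that this is intentional. A comment at the point of removal would keep the next maintainer from reading the shorter chain as an oversight, e.g. `// No authentication mechanism is enabled here on purpose: the auto-configured chain in WebFluxSecurityConfiguration adds httpBasic/formLogin; custom chains must opt in.` The method whose body this hunk edits starts before the hunk, so its Javadoc, the better place for this note, is not visible here.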

+ 5 - 1
config/src/main/java/org/springframework/security/config/annotation/web/reactive/WebFluxSecurityConfiguration.java

@@ -65,7 +65,11 @@ public class WebFluxSecurityConfiguration {
 		ServerHttpSecurity http = context.getBean(ServerHttpSecurity.class);
 		http
 			.authorizeExchange()
-				.anyExchange().authenticated();
+				.anyExchange().authenticated()
+				.and()
+			.httpBasic().and()
+			.formLogin().and()
+			.build();
 		return Arrays.asList(http.build());
 	}
 }
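Review bot: The `.build()` added on the line before `return` discards its result, and `http.build()` is then called again inside the return statement, so the chain is built twice and the first result is dead. End the configuration statement after the last `.and()` and let the `return` perform the single build: replace the two lines `.formLogin().and()` / `.build();` with `.formLogin().and();`. Whether building a `ServerHttpSecurity` twice has side effects is not visible from this hunk, but a discarded build is a smell regardless. A one-line comment that this is the auto-configured default chain now responsible for enabling httpBasic/formLogin, since the `ServerHttpSecurity` bean no longer does, would also help readers coming from the other file in this commit.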

+ 2 - 0
config/src/test/java/org/springframework/security/config/web/server/LogoutBuilderTests.java

@@ -43,6 +43,7 @@ public class LogoutBuilderTests {
 			.authorizeExchange()
 				.anyExchange().authenticated()
 				.and()
+			.formLogin().and()
 			.build();
 
 		WebTestClient webTestClient = WebTestClientBuilder
@@ -82,6 +83,7 @@ public class LogoutBuilderTests {
 			.authorizeExchange()
 				.anyExchange().authenticated()
 				.and()
+			.formLogin().and()
 			.logout()
 				.logoutUrl("/custom-logout")
 				.and()
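Review bot: The `.formLogin().and()` added to both tests carries no comment saying why a logout test now needs form login; presumably the logout assertions (outside the hunk) expect a redirect to the login page that only an enabled formLogin entry point produces, now that the `ServerHttpSecurity` bean no longer adds one. A short comment would make that dependency explicit, e.g. `// formLogin supplies the /login entry point the redirect assertions rely on; the ServerHttpSecurity bean no longer enables it by default`. Both test methods start before their hunks, so the assertions themselves are not visible here.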

+ 3 - 1
samples/javaconfig/hellowebflux-method/src/main/java/sample/SecurityConfig.java

@@ -36,10 +36,12 @@ public class SecurityConfig {
 	@Bean
 	SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
 		return http
-			// we rely on method security
+			// Demonstrate that method security works
+			// Best practice to use both for defense in depth
 			.authorizeExchange()
 				.anyExchange().permitAll()
 				.and()
+			.httpBasic().and()
 			.build();
 	}