From a5069d7e35112dffa7b6a8eb255fd7189770654e Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Tue, 9 Aug 2022 07:37:59 -0500
Subject: [PATCH] Fix Add @Configuration to @Enable*Security Usage Issue gh-6613
---
 ...onProviderBuilderSecurityBuilderTests.java | 1 +
 .../annotation/rsocket/RSocketSecurity.java | 2 ++
 .../configuration/EnableWebMvcSecurity.java | 2 --
 .../annotation/issue50/SecurityConfig.java | 2 +-
 ...lobalMethodSecurityConfigurationTests.java | 4 ++--
 .../NamespaceGlobalMethodSecurityTests.java | 2 +-
 .../configurers/AnonymousConfigurerTests.java | 1 +
 .../NamespaceHttpFormLoginTests.java | 1 +
 .../web/configurers/X509ConfigurerTests.java | 7 ++++++
 ...KotlinEnableReactiveMethodSecurityTests.kt | 2 +-
 .../web/server/AuthorizeExchangeDslTests.kt | 2 +-
 .../authorization/method-security.adoc | 23 +++++++++++++++++++
 .../pages/servlet/configuration/java.adoc | 1 +
 .../ROOT/pages/servlet/exploits/headers.adoc | 10 ++++++++
 .../pages/servlet/oauth2/login/advanced.adoc | 2 ++
 .../servlet/oauth2/resource-server/jwt.adoc | 3 +++
 16 files changed, 57 insertions(+), 8 deletions(-)
diff --git a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java
index cd0a5e1247..f899908b2f 100644
--- a/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java
+++ b/config/src/integration-test/java/org/springframework/security/config/annotation/authentication/ldap/LdapAuthenticationProviderBuilderSecurityBuilderTests.java
@@ -189,6 +189,7 @@ public class LdapAuthenticationProviderBuilderSecurityBuilderTests {
 
  }
 
+ @Configuration
  @EnableWebSecurity
  static class GroupSearchConfig extends BaseLdapProviderConfig {
 
diff --git a/config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java
index 309e565b94..307b4b5be1 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java
@@ -55,6 +55,7 @@ import org.springframework.security.rsocket.util.matcher.RoutePayloadExchangeMat
  * A minimal example can be found below:
  *
  *
+ * @Configuration
  * @EnableRSocketSecurity
  * public class SecurityConfig {
  *     @Bean
@@ -82,6 +83,7 @@ import org.springframework.security.rsocket.util.matcher.RoutePayloadExchangeMat
  * A more advanced configuration can be seen below:
  *
  * 
+ * @Configuration
  * @EnableRSocketSecurity
  * public class SecurityConfig {
  *     @Bean
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java b/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java
index 7b68cf5de7..d8dd663b59 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/servlet/configuration/EnableWebMvcSecurity.java
@@ -22,7 +22,6 @@ import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
-import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;
 
@@ -39,7 +38,6 @@ import org.springframework.security.config.annotation.authentication.configurati
 @Documented
 @Import(WebMvcSecurityConfiguration.class)
 @EnableGlobalAuthentication
-@Configuration
 @Deprecated
 public @interface EnableWebMvcSecurity {
 
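Review bot: Removing `@Configuration` from the meta-annotations of `@EnableWebMvcSecurity` changes how already-annotated classes are treated, and nothing in the visible lines of the annotation tells users that they now have to declare it themselves. A class that carries only `@EnableWebMvcSecurity` is no longer a `@Configuration` stereotype, so it is processed in lite mode when registered explicitly and is not found by component scanning unless another annotation here (for example `@EnableGlobalAuthentication`, whose definition is not part of this diff) still supplies it; in that case a security configuration could silently stop being applied. The Javadoc sits above this hunk, and I would add a sentence there such as `* Classes using this annotation must also be annotated with {@code @Configuration}.` Every test and documentation change in this commit adds `@Configuration`, so a test that pins the behaviour of a class without it would also be worth having.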
diff --git a/config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java b/config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java
index de54b6d5ad..a9d22cd03b 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/issue50/SecurityConfig.java
@@ -39,9 +39,9 @@ import org.springframework.util.Assert;
  * @author Rob Winch
  *
  */
+@Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
-@Configuration
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
 	@Autowired
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java
index 74cebbe722..7fe9ea9fbe 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfigurationTests.java
@@ -531,8 +531,8 @@ public class GlobalMethodSecurityConfigurationTests {
 
 	}
 
-	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	@Configuration
+	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	public static class RoleHierarchyConfig {
 
 		@Bean
@@ -607,8 +607,8 @@ public class GlobalMethodSecurityConfigurationTests {
 
 	}
 
-	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	@Configuration
+	@EnableGlobalMethodSecurity(prePostEnabled = true)
 	public static class CustomMetadataSourceBeanProxyEnabledConfig extends GlobalMethodSecurityConfiguration {
 
 	}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityTests.java b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityTests.java
index 0eb0a63409..c6d8c84d09 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/method/configuration/NamespaceGlobalMethodSecurityTests.java
@@ -316,8 +316,8 @@ public class NamespaceGlobalMethodSecurityTests {
 
 	}
 
-	@EnableGlobalMethodSecurity(jsr250Enabled = true)
 	@Configuration
+	@EnableGlobalMethodSecurity(jsr250Enabled = true)
 	public static class Jsr250Config {
 
 	}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java
index 477d17f6ea..207b9c4315 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/AnonymousConfigurerTests.java
@@ -127,6 +127,7 @@ public class AnonymousConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class AnonymousDisabledInLambdaConfig extends WebSecurityConfigurerAdapter {
 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java
index f269f2a6b6..8c53c2be8d 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpFormLoginTests.java
@@ -131,6 +131,7 @@ public class NamespaceHttpFormLoginTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class FormLoginCustomConfig extends WebSecurityConfigurerAdapter {
 
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.java
index b32dbc344f..369cb07e4d 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/X509ConfigurerTests.java
@@ -26,6 +26,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
@@ -151,6 +152,7 @@ public class X509ConfigurerTests {
 		}
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class ObjectPostProcessorConfig extends WebSecurityConfigurerAdapter {
 
@@ -180,6 +182,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class DuplicateDoesNotOverrideConfig extends WebSecurityConfigurerAdapter {
 
@@ -205,6 +208,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class DefaultsInLambdaConfig extends WebSecurityConfigurerAdapter {
 
@@ -227,6 +231,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class SubjectPrincipalRegexInLambdaConfig extends WebSecurityConfigurerAdapter {
 
@@ -252,6 +257,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class UserDetailsServiceBeanConfig {
 
@@ -279,6 +285,7 @@ public class X509ConfigurerTests {
 
 	}
 
+	@Configuration
 	@EnableWebSecurity
 	static class UserDetailsServiceAndBeanConfig {
 
diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/method/configuration/KotlinEnableReactiveMethodSecurityTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/method/configuration/KotlinEnableReactiveMethodSecurityTests.kt
index 5c491aeb2e..51613be92d 100644
--- a/config/src/test/kotlin/org/springframework/security/config/annotation/method/configuration/KotlinEnableReactiveMethodSecurityTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/annotation/method/configuration/KotlinEnableReactiveMethodSecurityTests.kt
@@ -210,8 +210,8 @@ class KotlinEnableReactiveMethodSecurityTests {
         verify { delegate wasNot Called }
     }
 
-    @EnableReactiveMethodSecurity
     @Configuration
+    @EnableReactiveMethodSecurity
     open class Config {
         var delegate = mockk()
 
diff --git a/config/src/test/kotlin/org/springframework/security/config/web/server/AuthorizeExchangeDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/web/server/AuthorizeExchangeDslTests.kt
index 834df18a80..d92b85f63a 100644
--- a/config/src/test/kotlin/org/springframework/security/config/web/server/AuthorizeExchangeDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/web/server/AuthorizeExchangeDslTests.kt
@@ -32,7 +32,7 @@ import org.springframework.test.web.reactive.server.WebTestClient
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.reactive.config.EnableWebFlux
-import java.util.*
+import java.util.Base64
 
 /**
  * Tests for [AuthorizeExchangeDsl]
diff --git a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
index ba76f683e9..0d20feeb54 100644
--- a/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
+++ b/docs/modules/ROOT/pages/servlet/authorization/method-security.adoc
@@ -1,3 +1,4 @@
+
 [[jc-method]]
 = Method Security
 
@@ -32,6 +33,7 @@ For example, the following would enable Spring Security's `@PreAuthorize` annota
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity
 public class MethodSecurityConfig {
 	// ...
@@ -41,6 +43,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	// ...
@@ -98,6 +101,7 @@ You can enable support for Spring Security's `@Secured` annotation using:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity(securedEnabled = true)
 public class MethodSecurityConfig {
 	// ...
@@ -107,6 +111,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity(securedEnabled = true)
 class MethodSecurityConfig {
 	// ...
@@ -127,6 +132,7 @@ or JSR-250 using:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity(jsr250Enabled = true)
 public class MethodSecurityConfig {
 	// ...
@@ -136,6 +142,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity(jsr250Enabled = true)
 class MethodSecurityConfig {
 	// ...
@@ -264,6 +271,7 @@ To recreate what adding `@EnableMethodSecurity` does by default, you would publi
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity(prePostEnabled = false)
 class MethodSecurityConfig {
 	@Bean
@@ -295,6 +303,7 @@ class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity(prePostEnabled = false)
 class MethodSecurityConfig {
 	@Bean
@@ -392,6 +401,7 @@ You may want to only support `@PreAuthorize` in your application, in which case
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity(prePostEnabled = false)
 class MethodSecurityConfig {
 	@Bean
@@ -405,6 +415,7 @@ class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity(prePostEnabled = false)
 class MethodSecurityConfig {
 	@Bean
@@ -440,6 +451,7 @@ Thus, you can configure Spring Security to invoke your `AuthorizationManager` in
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	@Bean
@@ -458,6 +470,7 @@ class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	@Bean
@@ -542,6 +555,7 @@ For example, if you have your own custom annotation, you can configure it like s
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	@Bean
@@ -558,6 +572,7 @@ class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableMethodSecurity
 class MethodSecurityConfig {
 	@Bean
@@ -607,6 +622,7 @@ The following example enables Spring Security's `@Secured` annotation:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(securedEnabled = true)
 public class MethodSecurityConfig {
 // ...
@@ -616,6 +632,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(securedEnabled = true)
 open class MethodSecurityConfig {
 	// ...
@@ -666,6 +683,7 @@ Support for JSR-250 annotations can be enabled by using:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(jsr250Enabled = true)
 public class MethodSecurityConfig {
 // ...
@@ -675,6 +693,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(jsr250Enabled = true)
 open class MethodSecurityConfig {
 	// ...
@@ -689,6 +708,7 @@ To use the new expression-based syntax, you would use:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class MethodSecurityConfig {
 // ...
@@ -698,6 +718,7 @@ public class MethodSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 open class MethodSecurityConfig {
 	// ...
@@ -750,6 +771,7 @@ For example, if you wanted to provide a custom `MethodSecurityExpressionHandler`
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
 	@Override
@@ -763,6 +785,7 @@ public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 open class MethodSecurityConfig : GlobalMethodSecurityConfiguration() {
     override fun createExpressionHandler(): MethodSecurityExpressionHandler {
diff --git a/docs/modules/ROOT/pages/servlet/configuration/java.adoc b/docs/modules/ROOT/pages/servlet/configuration/java.adoc
index f77e769ac7..d7e18d013f 100644
--- a/docs/modules/ROOT/pages/servlet/configuration/java.adoc
+++ b/docs/modules/ROOT/pages/servlet/configuration/java.adoc
@@ -324,6 +324,7 @@ You can also explicit disable the default:
 ====
 [source,java]
 ----
+@Configuration
 @EnableWebSecurity
 public class Config {
 	@Bean
diff --git a/docs/modules/ROOT/pages/servlet/exploits/headers.adoc b/docs/modules/ROOT/pages/servlet/exploits/headers.adoc
index 707e11e97f..b7de0428d7 100644
--- a/docs/modules/ROOT/pages/servlet/exploits/headers.adoc
+++ b/docs/modules/ROOT/pages/servlet/exploits/headers.adoc
@@ -887,6 +887,7 @@ You can enable the preceding permissions policy header using the following confi
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -919,6 +920,7 @@ public class WebSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 
@@ -958,6 +960,7 @@ You can send the preceding header on log out with the following configuration:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -976,6 +979,7 @@ public class WebSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 
@@ -1015,6 +1019,7 @@ Given the preceding header, you could add the headers to the response by using t
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -1045,6 +1050,7 @@ public class WebSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 
@@ -1074,6 +1080,7 @@ If you wanted to explicitly configure <>, you cou
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -1110,6 +1117,7 @@ See https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsi
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 
@@ -1141,6 +1149,7 @@ The following configuration example uses `DelegatingRequestMatcherHeaderWriter`:
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
@@ -1188,6 +1197,7 @@ public class WebSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class SecurityConfig {
 
diff --git a/docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc b/docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc
index d5f0376c08..14daff74de 100644
--- a/docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc
+++ b/docs/modules/ROOT/pages/servlet/oauth2/login/advanced.adoc
@@ -931,6 +931,7 @@ Also, you can configure `OidcClientInitiatedLogoutSuccessHandler`, which impleme
 .Java
 [source,java,role="primary"]
 ----
+@Configuration
 @EnableWebSecurity
 public class OAuth2LoginSecurityConfig {
 
@@ -966,6 +967,7 @@ public class OAuth2LoginSecurityConfig {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class OAuth2LoginSecurityConfig {
     @Autowired
diff --git a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc
index 0e901a6f5b..009c9250b7 100644
--- a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc
+++ b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc
@@ -757,6 +757,7 @@ public class DirectlyConfiguredJwkSetUri {
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
+@Configuration
 @EnableWebSecurity
 class DirectlyConfiguredJwkSetUri {
     @Bean
@@ -949,6 +950,7 @@ static class CustomAuthenticationConverter implements Converter