It appears that as of spring-boot-starter-rsocket-2.3.0.M1.pom it contains Spring Security dependencies that are being pulled in transitively. The dependencies are in 2.3.0.M2 and the latest 2.3.0.BUILD-SNAPSHOT:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<scope>compile</scope>
</dependency>
This means that simply adding the spring-boot-starter-rsocket triggers the Spring Boot auto configuration for Security.
This was originally brought to my attention because @joshlong was having difficulties doing a demo and asked for my help. I haven't investigated the scope of the problem, so it would probably be good to check if other dependencies are impacted.
Comment From: mbhave
Those dependencies are explicitly included in the build.gradle. They aren't in 2.2.x so I'm not sure if there was a reason for adding them in master or an oversight. Flagging for team attention to see if anyone remembers.
Comment From: bclozel
That's odd. I don't remember any decision around that. Probably a copy/paste issue during the Gradle migration?
Comment From: mbhave
Seems like that to me. Since you don't remember anything related to this either, I'll mark it as a bug.
Comment From: rwinch
Thanks for the quick turnaround on this!
Comment From: wilkinsona
🤦♂ Thanks for spotting and reporting this, @rwinch. Not quite sure how I managed that during the migration.
Comment From: rwinch
No problem. A migration of that size is going to have a few :man_facepalming: moments. Thanks again @mbhave for the fast turnaround :smile: