Move management web security concerns to spring-security module

Closes gh-46133

spring-boot-project/spring-boot-actuator-autoconfigure-all/build.gradle

@@ -17,7 +17,6 @@
 
 plugins {
 	id "java-library"
-	id "org.springframework.boot.auto-configuration"
 	id "org.springframework.boot.deployed"
 	id "org.springframework.boot.optional-dependencies"
 }
@@ -58,7 +57,7 @@ dependencies {
 	testImplementation(project(":spring-boot-project:spring-boot-tools:spring-boot-test-support"))
 	testImplementation(project(":spring-boot-project:spring-boot-webflux"))
 	testImplementation("org.springframework.security:spring-security-test")
-	
+
 	testRuntimeOnly("ch.qos.logback:logback-classic")
 }
 

spring-boot-project/spring-boot-actuator-autoconfigure-all/src/main/resources/META-INF/spring/org.springframework.boot.actuate.autoconfigure.web.ManagementContextConfiguration.imports

@@ -1 +0,0 @@
-org.springframework.boot.actuate.autoconfigure.security.servlet.SecurityRequestMatchersManagementContextConfiguration

spring-boot-project/spring-boot-actuator-autoconfigure-all/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports

@@ -1,2 +0,0 @@
-org.springframework.boot.actuate.autoconfigure.security.reactive.ReactiveManagementWebSecurityAutoConfiguration
-org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration

spring-boot-project/spring-boot-actuator-autoconfigure-all/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/JerseyEndpointIntegrationTests.java

@@ -28,11 +28,11 @@ import org.junit.jupiter.api.Test;
 import org.springframework.boot.actuate.autoconfigure.beans.BeansEndpointAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration;
-import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.web.server.ManagementContextAutoConfiguration;
 import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
 import org.springframework.boot.jersey.autoconfigure.JerseyAutoConfiguration;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;

spring-boot-project/spring-boot-actuator-autoconfigure-all/src/test/resources/org/springframework/boot/actuate/autoconfigure/security/servlet/saml-certificate

@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEEzCCAvugAwIBAgIJAIc1qzLrv+5nMA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD
-VQQGEwJVUzELMAkGA1UECAwCQ08xFDASBgNVBAcMC0Nhc3RsZSBSb2NrMRwwGgYD
-VQQKDBNTYW1sIFRlc3RpbmcgU2VydmVyMQswCQYDVQQLDAJJVDEgMB4GA1UEAwwX
-c2ltcGxlc2FtbHBocC5jZmFwcHMuaW8xIDAeBgkqhkiG9w0BCQEWEWZoYW5pa0Bw
-aXZvdGFsLmlvMB4XDTE1MDIyMzIyNDUwM1oXDTI1MDIyMjIyNDUwM1owgZ8xCzAJ
-BgNVBAYTAlVTMQswCQYDVQQIDAJDTzEUMBIGA1UEBwwLQ2FzdGxlIFJvY2sxHDAa
-BgNVBAoME1NhbWwgVGVzdGluZyBTZXJ2ZXIxCzAJBgNVBAsMAklUMSAwHgYDVQQD
-DBdzaW1wbGVzYW1scGhwLmNmYXBwcy5pbzEgMB4GCSqGSIb3DQEJARYRZmhhbmlr
-QHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4cn62
-E1xLqpN34PmbrKBbkOXFjzWgJ9b+pXuaRft6A339uuIQeoeH5qeSKRVTl32L0gdz
-2ZivLwZXW+cqvftVW1tvEHvzJFyxeTW3fCUeCQsebLnA2qRa07RkxTo6Nf244mWW
-RDodcoHEfDUSbxfTZ6IExSojSIU2RnD6WllYWFdD1GFpBJOmQB8rAc8wJIBdHFdQ
-nX8Ttl7hZ6rtgqEYMzYVMuJ2F2r1HSU1zSAvwpdYP6rRGFRJEfdA9mm3WKfNLSc5
-cljz0X/TXy0vVlAV95l9qcfFzPmrkNIst9FZSwpvB49LyAVke04FQPPwLgVH4gph
-iJH3jvZ7I+J5lS8VAgMBAAGjUDBOMB0GA1UdDgQWBBTTyP6Cc5HlBJ5+ucVCwGc5
-ogKNGzAfBgNVHSMEGDAWgBTTyP6Cc5HlBJ5+ucVCwGc5ogKNGzAMBgNVHRMEBTAD
-AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAvMS4EQeP/ipV4jOG5lO6/tYCb/iJeAduO
-nRhkJk0DbX329lDLZhTTL/x/w/9muCVcvLrzEp6PN+VWfw5E5FWtZN0yhGtP9R+v
-ZnrV+oc2zGD+no1/ySFOe3EiJCO5dehxKjYEmBRv5sU/LZFKZpozKN/BMEa6CqLu
-xbzb7ykxVr7EVFXwltPxzE9TmL9OACNNyF5eJHWMRMllarUvkcXlh4pux4ks9e6z
-V9DQBy2zds9f1I3qxg0eX6JnGrXi/ZiCT+lJgVe3ZFXiejiLAiKB04sXW3ti0LW3
-lx13Y1YlQ4/tlpgTgfIJxKV6nyPiLoK0nywbMd+vpAirDt2Oc+hk
------END CERTIFICATE-----

spring-boot-project/spring-boot-docs/build.gradle

@@ -77,7 +77,6 @@ plugins.withType(EclipsePlugin) {
 dependencies {
 	autoConfiguration(project(path: ":spring-boot-project:spring-boot-activemq", configuration: "autoConfigurationMetadata"))
 	autoConfiguration(project(path: ":spring-boot-project:spring-boot-actuator-autoconfigure", configuration: "autoConfigurationMetadata"))
-	autoConfiguration(project(path: ":spring-boot-project:spring-boot-actuator-autoconfigure-all", configuration: "autoConfigurationMetadata"))
 	autoConfiguration(project(path: ":spring-boot-project:spring-boot-amqp", configuration: "autoConfigurationMetadata"))
 	autoConfiguration(project(path: ":spring-boot-project:spring-boot-artemis", configuration: "autoConfigurationMetadata"))
 	autoConfiguration(project(path: ":spring-boot-project:spring-boot-autoconfigure", configuration: "autoConfigurationMetadata"))
@@ -248,7 +247,6 @@ dependencies {
 
 	implementation(project(path: ":spring-boot-project:spring-boot-actuator"))
 	implementation(project(path: ":spring-boot-project:spring-boot-actuator-autoconfigure"))
-	implementation(project(path: ":spring-boot-project:spring-boot-actuator-autoconfigure-all"))
 	implementation(project(path: ":spring-boot-project:spring-boot-amqp"))
 	implementation(project(path: ":spring-boot-project:spring-boot-cache"))
 	implementation(project(path: ":spring-boot-project:spring-boot-data-cassandra"))

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/actuator/endpoints/security/exposeall/MySecurityConfiguration.java

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.actuator.endpoints.security.exposeall;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

spring-boot-project/spring-boot-docs/src/main/java/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.java

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.actuator.endpoints.security.typical;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/actuator/endpoints/security/exposeall/MySecurityConfiguration.kt

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.actuator.endpoints.security.exposeall
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity

spring-boot-project/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.kt

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.actuator.endpoints.security.typical
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.Customizer.withDefaults

spring-boot-project/spring-boot-security-oauth2-client/src/main/java/org/springframework/boot/security/oauth2/client/autoconfigure/reactive/ReactiveOAuth2ClientWebSecurityAutoConfiguration.java

@@ -23,6 +23,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.security.actuate.autoconfigure.reactive.ReactiveManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
@@ -42,7 +43,8 @@ import static org.springframework.security.config.Customizer.withDefaults;
  * @author Andy Wilkinson
  * @since 4.0.0
  */
-@AutoConfiguration(before = ReactiveSecurityAutoConfiguration.class,
+@AutoConfiguration(
+		before = { ReactiveManagementWebSecurityAutoConfiguration.class, ReactiveSecurityAutoConfiguration.class },
 		after = ReactiveOAuth2ClientAutoConfiguration.class)
 @ConditionalOnClass({ Flux.class, EnableWebFluxSecurity.class, ServerOAuth2AuthorizedClientRepository.class })
 @ConditionalOnBean(ReactiveOAuth2AuthorizedClientService.class)

spring-boot-project/spring-boot-security-oauth2-client/src/main/java/org/springframework/boot/security/oauth2/client/autoconfigure/servlet/OAuth2ClientWebSecurityAutoConfiguration.java

@@ -21,6 +21,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.security.oauth2.client.autoconfigure.OAuth2ClientAutoConfiguration;
@@ -43,7 +44,8 @@ import static org.springframework.security.config.Customizer.withDefaults;
  * @author Andy Wilkinson
  * @since 3.5.0
  */
-@AutoConfiguration(before = SecurityAutoConfiguration.class, after = OAuth2ClientAutoConfiguration.class)
+@AutoConfiguration(before = { ManagementWebSecurityAutoConfiguration.class, SecurityAutoConfiguration.class },
+		after = OAuth2ClientAutoConfiguration.class)
 @ConditionalOnClass({ EnableWebSecurity.class, OAuth2AuthorizedClientRepository.class })
 @ConditionalOnBean(OAuth2AuthorizedClientService.class)
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)

spring-boot-project/spring-boot-security-oauth2-resource-server/build.gradle

@@ -36,9 +36,11 @@ dependencies {
 	optional(project(":spring-boot-project:spring-boot-reactor"))
 	optional("jakarta.servlet:jakarta.servlet-api")
 
+	testImplementation(project(":spring-boot-project:spring-boot-actuator-autoconfigure"))
 	testImplementation(project(":spring-boot-project:spring-boot-test"))
 	testImplementation(project(":spring-boot-project:spring-boot-tools:spring-boot-test-support"))
 	testImplementation(project(":spring-boot-project:spring-boot-webmvc"))
+	testImplementation(project(":spring-boot-project:spring-boot-webflux"))
 	testImplementation("com.fasterxml.jackson.core:jackson-databind")
 	testImplementation("com.squareup.okhttp3:mockwebserver")
 

spring-boot-project/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerAutoConfiguration.java

@@ -21,6 +21,7 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.security.actuate.autoconfigure.reactive.ReactiveManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;
@@ -34,8 +35,8 @@ import org.springframework.security.config.annotation.web.reactive.EnableWebFlux
  * @author Madhura Bhave
  * @since 4.0.0
  */
-@AutoConfiguration(
-		before = { ReactiveSecurityAutoConfiguration.class, ReactiveUserDetailsServiceAutoConfiguration.class })
+@AutoConfiguration(before = { ReactiveManagementWebSecurityAutoConfiguration.class,
+		ReactiveSecurityAutoConfiguration.class, ReactiveUserDetailsServiceAutoConfiguration.class })
 @EnableConfigurationProperties(OAuth2ResourceServerProperties.class)
 @ConditionalOnClass({ EnableWebFluxSecurity.class })
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)

spring-boot-project/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerAutoConfiguration.java

@@ -21,6 +21,7 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;
@@ -33,7 +34,8 @@ import org.springframework.security.oauth2.server.resource.authentication.Bearer
  * @author Madhura Bhave
  * @since 4.0.0
  */
-@AutoConfiguration(before = { SecurityAutoConfiguration.class, UserDetailsServiceAutoConfiguration.class })
+@AutoConfiguration(before = { ManagementWebSecurityAutoConfiguration.class, SecurityAutoConfiguration.class,
+		UserDetailsServiceAutoConfiguration.class })
 @EnableConfigurationProperties(OAuth2ResourceServerProperties.class)
 @ConditionalOnClass(BearerTokenAuthenticationToken.class)
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)

spring-boot-project/spring-boot-security-oauth2-resource-server/src/test/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java

@@ -49,11 +49,14 @@ import org.mockito.InOrder;
 import reactor.core.publisher.Mono;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.security.actuate.autoconfigure.reactive.ReactiveManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.JwtConverterCustomizationsArgumentsProvider;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableReactiveWebApplicationContext;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
 import org.springframework.boot.testsupport.classpath.resources.WithResource;
+import org.springframework.boot.webflux.autoconfigure.WebFluxAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
@@ -705,6 +708,19 @@ class ReactiveOAuth2ResourceServerAutoConfigurationTests {
 			});
 	}
 
+	@Test
+	void causesReactiveManagementWebSecurityAutoConfigurationToBackOff() {
+		ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
+			.withConfiguration(AutoConfigurations.of(ReactiveManagementWebSecurityAutoConfiguration.class,
+					ReactiveOAuth2ResourceServerAutoConfiguration.class, ReactiveSecurityAutoConfiguration.class,
+					WebFluxAutoConfiguration.class));
+		contextRunner
+			.run((context) -> assertThat(context).hasSingleBean(ReactiveManagementWebSecurityAutoConfiguration.class));
+		contextRunner.withPropertyValues("spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://authserver")
+			.run((context) -> assertThat(context)
+				.doesNotHaveBean(ReactiveManagementWebSecurityAutoConfiguration.class));
+	}
+
 	private void assertFilterConfiguredWithJwtAuthenticationManager(AssertableReactiveWebApplicationContext context) {
 		MatcherSecurityWebFilterChain filterChain = (MatcherSecurityWebFilterChain) context
 			.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);

spring-boot-project/spring-boot-security-oauth2-resource-server/src/test/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerAutoConfigurationTests.java

@@ -47,6 +47,8 @@ import org.junit.jupiter.params.provider.ArgumentsSource;
 import org.mockito.InOrder;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.JwtConverterCustomizationsArgumentsProvider;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
@@ -98,6 +100,8 @@ import static org.mockito.Mockito.mock;
  */
 class OAuth2ResourceServerAutoConfigurationTests {
 
+	private static final String MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN = "managementSecurityFilterChain";
+
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
 		.withConfiguration(AutoConfigurations.of(OAuth2ResourceServerAutoConfiguration.class))
 		.withUserConfiguration(TestConfig.class);
@@ -718,6 +722,18 @@ class OAuth2ResourceServerAutoConfigurationTests {
 			});
 	}
 
+	@Test
+	void causesManagementWebSecurityAutoConfigurationToBackOff() {
+		WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
+			.withConfiguration(AutoConfigurations.of(ManagementWebSecurityAutoConfiguration.class,
+					OAuth2ResourceServerAutoConfiguration.class, SecurityAutoConfiguration.class,
+					WebMvcAutoConfiguration.class));
+		contextRunner.run((context) -> assertThat(context).hasSingleBean(ManagementWebSecurityAutoConfiguration.class));
+		contextRunner.withPropertyValues("spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://authserver")
+			.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)
+				.doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN));
+	}
+
 	private Filter getBearerTokenFilter(AssertableWebApplicationContext context) {
 		FilterChainProxy filterChain = (FilterChainProxy) context.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
 		List<SecurityFilterChain> filterChains = filterChain.getFilterChains();

spring-boot-project/spring-boot-security-saml2/build.gradle

@@ -41,6 +41,7 @@ dependencies {
 
 	optional(project(":spring-boot-project:spring-boot-autoconfigure"))
 
+    testImplementation(project(":spring-boot-project:spring-boot-actuator-autoconfigure"))
 	testImplementation(project(":spring-boot-project:spring-boot-test"))
 	testImplementation(project(":spring-boot-project:spring-boot-tools:spring-boot-test-support"))
 	testImplementation(project(":spring-boot-project:spring-boot-webmvc"))

spring-boot-project/spring-boot-security-saml2/src/main/java/org/springframework/boot/security/saml2/autoconfigure/Saml2RelyingPartyAutoConfiguration.java

@@ -21,6 +21,7 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
@@ -32,7 +33,7 @@ import org.springframework.security.saml2.provider.service.registration.RelyingP
  * @author Madhura Bhave
  * @since 4.0.0
  */
-@AutoConfiguration(before = SecurityAutoConfiguration.class)
+@AutoConfiguration(before = { SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class })
 @ConditionalOnClass(RelyingPartyRegistrationRepository.class)
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
 @Import({ Saml2RelyingPartyRegistrationConfiguration.class, Saml2LoginConfiguration.class })

spring-boot-project/spring-boot-security-saml2/src/test/java/org/springframework/boot/security/saml2/autoconfigure/Saml2RelyingPartyAutoConfigurationTests.java

@@ -26,6 +26,7 @@ import okio.Buffer;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
@@ -65,6 +66,8 @@ class Saml2RelyingPartyAutoConfigurationTests {
 
 	private static final String PREFIX = "spring.security.saml2.relyingparty.registration";
 
+	private static final String MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN = "managementSecurityFilterChain";
+
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration(
 			AutoConfigurations.of(Saml2RelyingPartyAutoConfiguration.class, SecurityAutoConfiguration.class));
 
@@ -325,6 +328,22 @@ class Saml2RelyingPartyAutoConfigurationTests {
 				.hasMessageContaining("Missing certificates or unrecognized format"));
 	}
 
+	@Test
+	@WithPackageResources("certificate-location")
+	void causesManagementWebSecurityAutoConfigurationToBackOff() {
+		WebApplicationContextRunner contextRunner = this.contextRunner.withConfiguration(
+				AutoConfigurations.of(ManagementWebSecurityAutoConfiguration.class, WebMvcAutoConfiguration.class));
+		assertThat(contextRunner
+			.run((context) -> assertThat(context).hasSingleBean(ManagementWebSecurityAutoConfiguration.class)));
+		contextRunner.withPropertyValues(PREFIX
+				+ ".simplesamlphp.assertingparty.single-sign-on.url=https://simplesaml-for-spring-saml/SSOService.php",
+				PREFIX + ".simplesamlphp.assertingparty.single-sign-on.sign-request=false",
+				PREFIX + ".simplesamlphp.assertingparty.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php",
+				PREFIX + ".simplesamlphp.assertingparty.verification.credentials[0].certificate-location=classpath:certificate-location")
+			.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)
+				.doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN));
+	}
+
 	private void testMultipleProviders(String specifiedEntityId, String expected) throws Exception {
 		try (MockWebServer server = new MockWebServer()) {
 			server.start();

spring-boot-project/spring-boot-security/build.gradle

@@ -38,11 +38,14 @@ dependencies {
 	api("org.springframework.security:spring-security-config")
 	api("org.springframework.security:spring-security-web")
 
+	optional(project(":spring-boot-project:spring-boot-actuator-autoconfigure"))
 	optional(project(":spring-boot-project:spring-boot-autoconfigure"))
 	optional(project(":spring-boot-project:spring-boot-h2console"))
+	optional(project(":spring-boot-project:spring-boot-jersey"))
 	optional(project(":spring-boot-project:spring-boot-reactor"))
 	optional(project(":spring-boot-project:spring-boot-rsocket"))
 	optional(project(":spring-boot-project:spring-boot-webmvc"))
+	optional(project(":spring-boot-project:spring-boot-webflux"))
 	optional(project(":spring-boot-project:spring-boot-web-server"))
 	optional("jakarta.servlet:jakarta.servlet-api")
 	optional("org.springframework:spring-messaging")
@@ -71,3 +74,7 @@ dependencies {
 	testRuntimeOnly("com.zaxxer:HikariCP")
 	testRuntimeOnly("org.hsqldb:hsqldb")
 }
+
+tasks.named("test") {
+	jvmArgs += "--add-opens=java.base/java.net=ALL-UNNAMED"
+}

spring-boot-project/spring-boot-security/src/main/java/org/springframework/boot/security/actuate/autoconfigure/reactive/EndpointRequest.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.reactive;
+package org.springframework.boot.security.actuate.autoconfigure.reactive;
 
 import java.util.ArrayList;
 import java.util.Arrays;

spring-boot-project/spring-boot-security/src/main/java/org/springframework/boot/security/actuate/autoconfigure/reactive/ReactiveManagementWebSecurityAutoConfiguration.java

@@ -14,13 +14,11 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.reactive;
+package org.springframework.boot.security.actuate.autoconfigure.reactive;
 
 import reactor.core.publisher.Mono;
 
 import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration;
-import org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoConfiguration;
-import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
 import org.springframework.boot.actuate.health.HealthEndpoint;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
@@ -28,6 +26,8 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
@@ -51,15 +51,12 @@ import static org.springframework.security.config.Customizer.withDefaults;
  * @author Madhura Bhave
  * @since 2.1.0
  */
-@AutoConfiguration(
-		beforeName = "org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration",
-		after = { HealthEndpointAutoConfiguration.class, InfoEndpointAutoConfiguration.class,
-				WebEndpointAutoConfiguration.class },
-		afterName = {
-				"org.springframework.boot.security.oauth2.client.autoconfigure.reactive.ReactiveOAuth2ClientWebSecurityAutoConfiguration",
-				"org.springframework.boot.security.oauth2.server.resource.autoconfigure.reactive.ReactiveOAuth2ResourceServerAutoConfiguration",
-				"org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration" })
-@ConditionalOnClass({ EnableWebFluxSecurity.class, WebFilterChainProxy.class })
+@AutoConfiguration(before = ReactiveSecurityAutoConfiguration.class,
+		after = ReactiveUserDetailsServiceAutoConfiguration.class,
+		afterName = { "org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoConfiguration",
+				"org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration",
+				"org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration" })
+@ConditionalOnClass({ EnableWebFluxSecurity.class, WebFilterChainProxy.class, WebEndpointAutoConfiguration.class })
 @ConditionalOnMissingBean({ SecurityWebFilterChain.class, WebFilterChainProxy.class })
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
 public class ReactiveManagementWebSecurityAutoConfiguration {

spring-boot-project/spring-boot-security/src/main/java/org/springframework/boot/security/actuate/autoconfigure/reactive/package-info.java

@@ -17,4 +17,4 @@
 /**
  * Auto-configuration for actuator security using WebFlux.
  */
-package org.springframework.boot.actuate.autoconfigure.security.reactive;
+package org.springframework.boot.security.actuate.autoconfigure.reactive;

spring-boot-project/spring-boot-security/src/main/java/org/springframework/boot/security/actuate/autoconfigure/servlet/EndpointRequest.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import java.util.ArrayList;
 import java.util.Arrays;

spring-boot-project/spring-boot-security/src/main/java/org/springframework/boot/security/actuate/autoconfigure/servlet/ManagementWebSecurityAutoConfiguration.java

@@ -14,10 +14,9 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
-import org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoConfiguration;
-import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration;
+import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
 import org.springframework.boot.actuate.health.HealthEndpoint;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
@@ -26,6 +25,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.security.autoconfigure.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.security.autoconfigure.SecurityProperties;
+import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.core.annotation.Order;
 import org.springframework.core.env.Environment;
@@ -47,14 +47,11 @@ import static org.springframework.security.config.Customizer.withDefaults;
  * @author Hatef Palizgar
  * @since 2.1.0
  */
-@AutoConfiguration(beforeName = "org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration",
-		after = { HealthEndpointAutoConfiguration.class, InfoEndpointAutoConfiguration.class },
-		afterName = {
-				"org.springframework.boot.security.oauth2.client.autoconfigure.servlet.OAuth2ClientWebSecurityAutoConfiguration",
-				"org.springframework.boot.security.oauth2.server.resource.autoconfigure.servlet.OAuth2ResourceServerAutoConfiguration",
-				"org.springframework.boot.security.saml2.autoconfigure.Saml2RelyingPartyAutoConfiguration" })
+@AutoConfiguration(before = SecurityAutoConfiguration.class,
+		afterName = { "org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoConfiguration",
+				"org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration" })
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
-@ConditionalOnClass(RequestMatcher.class)
+@ConditionalOnClass({ RequestMatcher.class, WebEndpointAutoConfiguration.class })
 @ConditionalOnDefaultWebSecurity
 public class ManagementWebSecurityAutoConfiguration {
 

spring-boot-project/spring-boot-security/src/main/java/org/springframework/boot/security/actuate/autoconfigure/servlet/PathPatternRequestMatcherProvider.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import java.util.function.Function;
 

spring-boot-project/spring-boot-security/src/main/java/org/springframework/boot/security/actuate/autoconfigure/servlet/RequestMatcherProvider.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import org.springframework.http.HttpMethod;
 import org.springframework.security.web.util.matcher.RequestMatcher;

spring-boot-project/spring-boot-security/src/main/java/org/springframework/boot/security/actuate/autoconfigure/servlet/SecurityRequestMatchersManagementContextConfiguration.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import org.glassfish.jersey.server.ResourceConfig;
 

spring-boot-project/spring-boot-security/src/main/java/org/springframework/boot/security/actuate/autoconfigure/servlet/package-info.java

@@ -17,4 +17,4 @@
 /**
  * Auto-configuration for actuator security using Spring MVC.
  */
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;

spring-boot-project/spring-boot-security/src/main/resources/META-INF/spring/org.springframework.boot.actuate.autoconfigure.web.ManagementContextConfiguration.imports

@@ -0,0 +1 @@
+org.springframework.boot.security.actuate.autoconfigure.servlet.SecurityRequestMatchersManagementContextConfiguration

spring-boot-project/spring-boot-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports

@@ -1,6 +1,8 @@
+org.springframework.boot.security.actuate.autoconfigure.reactive.ReactiveManagementWebSecurityAutoConfiguration
+org.springframework.boot.security.actuate.autoconfigure.servlet.ManagementWebSecurityAutoConfiguration
 org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration
 org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration
 org.springframework.boot.security.autoconfigure.rsocket.RSocketSecurityAutoConfiguration
 org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration
 org.springframework.boot.security.autoconfigure.servlet.SecurityFilterAutoConfiguration
-org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration
+org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/actuate/autoconfigure/reactive/EndpointRequestIntegrationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.reactive;
+package org.springframework.boot.security.actuate.autoconfigure.reactive;
 
 import java.time.Duration;
 import java.util.Base64;

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/actuate/autoconfigure/reactive/EndpointRequestTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.reactive;
+package org.springframework.boot.security.actuate.autoconfigure.reactive;
 
 import java.time.Duration;
 import java.util.ArrayList;

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/actuate/autoconfigure/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.reactive;
+package org.springframework.boot.security.actuate.autoconfigure.reactive;
 
 import java.net.URI;
 import java.time.Duration;
@@ -32,7 +32,6 @@ import org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoC
 import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration;
 import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
-import org.springframework.boot.security.oauth2.server.resource.autoconfigure.reactive.ReactiveOAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.test.context.assertj.AssertableReactiveWebApplicationContext;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
 import org.springframework.boot.webflux.autoconfigure.WebFluxAutoConfiguration;
@@ -143,14 +142,6 @@ class ReactiveManagementWebSecurityAutoConfigurationTests {
 		});
 	}
 
-	@Test
-	void backOffIfReactiveOAuth2ResourceServerAutoConfigurationPresent() {
-		this.contextRunner.withConfiguration(AutoConfigurations.of(ReactiveOAuth2ResourceServerAutoConfiguration.class))
-			.withPropertyValues("spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://authserver")
-			.run((context) -> assertThat(context)
-				.doesNotHaveBean(ReactiveManagementWebSecurityAutoConfiguration.class));
-	}
-
 	@Test
 	void backsOffWhenWebFilterChainProxyBeanPresent() {
 		this.contextRunner.withUserConfiguration(WebFilterChainProxyConfiguration.class).run((context) -> {

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/actuate/autoconfigure/servlet/AbstractEndpointRequestIntegrationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import java.io.IOException;
 import java.time.Duration;

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/actuate/autoconfigure/servlet/EndpointRequestTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -25,8 +25,6 @@ import org.assertj.core.api.AssertDelegateTarget;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointProperties;
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest.AdditionalPathsEndpointRequestMatcher;
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest.EndpointRequestMatcher;
 import org.springframework.boot.actuate.endpoint.EndpointId;
 import org.springframework.boot.actuate.endpoint.ExposableEndpoint;
 import org.springframework.boot.actuate.endpoint.Operation;
@@ -34,6 +32,8 @@ import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest.AdditionalPathsEndpointRequestMatcher;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest.EndpointRequestMatcher;
 import org.springframework.boot.web.server.WebServer;
 import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.http.HttpMethod;

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/actuate/autoconfigure/servlet/JerseyEndpointRequestIntegrationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import org.glassfish.jersey.server.ResourceConfig;
 import org.junit.jupiter.api.Test;

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/actuate/autoconfigure/servlet/ManagementWebSecurityAutoConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import java.io.IOException;
 import java.util.List;
@@ -31,12 +31,9 @@ import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfi
 import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.security.autoconfigure.SecurityProperties;
 import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.security.oauth2.server.resource.autoconfigure.servlet.OAuth2ResourceServerAutoConfiguration;
-import org.springframework.boot.security.saml2.autoconfigure.Saml2RelyingPartyAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
-import org.springframework.boot.testsupport.classpath.resources.WithPackageResources;
 import org.springframework.boot.web.context.servlet.AnnotationConfigServletWebApplicationContext;
 import org.springframework.boot.web.server.WebServer;
 import org.springframework.boot.web.server.context.WebServerApplicationContext;
@@ -135,27 +132,6 @@ class ManagementWebSecurityAutoConfigurationTests {
 		});
 	}
 
-	@Test
-	void backOffIfOAuth2ResourceServerAutoConfigurationPresent() {
-		this.contextRunner.withConfiguration(AutoConfigurations.of(OAuth2ResourceServerAutoConfiguration.class))
-			.withPropertyValues("spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://authserver")
-			.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)
-				.doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN));
-	}
-
-	@Test
-	@WithPackageResources("saml-certificate")
-	void backOffIfSaml2RelyingPartyAutoConfigurationPresent() {
-		this.contextRunner.withConfiguration(AutoConfigurations.of(Saml2RelyingPartyAutoConfiguration.class))
-			.withPropertyValues(
-					"spring.security.saml2.relyingparty.registration.simplesamlphp.assertingparty.single-sign-on.url=https://simplesaml-for-spring-saml/SSOService.php",
-					"spring.security.saml2.relyingparty.registration.simplesamlphp.assertingparty.single-sign-on.sign-request=false",
-					"spring.security.saml2.relyingparty.registration.simplesamlphp.assertingparty.entity-id=https://simplesaml-for-spring-saml.cfapps.io/saml2/idp/metadata.php",
-					"spring.security.saml2.relyingparty.registration.simplesamlphp.assertingparty.verification.credentials[0].certificate-location=classpath:saml-certificate")
-			.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)
-				.doesNotHaveBean(MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN));
-	}
-
 	@Test
 	void backOffIfRemoteDevToolsSecurityFilterChainIsPresent() {
 		this.contextRunner.withUserConfiguration(TestRemoteDevToolsSecurityFilterChainConfig.class).run((context) -> {

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/actuate/autoconfigure/servlet/MvcEndpointRequestIntegrationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import org.junit.jupiter.api.Test;
 

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/actuate/autoconfigure/servlet/SecurityRequestMatchersManagementContextConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.security.servlet;
+package org.springframework.boot.security.actuate.autoconfigure.servlet;
 
 import org.junit.jupiter.api.Test;
 

spring-boot-project/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/servlet/SecurityFilterAutoConfigurationEarlyInitializationTests.java

@@ -35,6 +35,7 @@ import org.springframework.boot.test.system.CapturedOutput;
 import org.springframework.boot.test.system.OutputCaptureExtension;
 import org.springframework.boot.test.util.TestPropertyValues;
 import org.springframework.boot.testsupport.classpath.ClassPathExclusions;
+import org.springframework.boot.testsupport.web.servlet.DirtiesUrlFactories;
 import org.springframework.boot.tomcat.servlet.TomcatServletWebServerFactory;
 import org.springframework.boot.web.server.servlet.context.AnnotationConfigServletWebServerApplicationContext;
 import org.springframework.boot.web.server.test.client.TestRestTemplate;
@@ -58,6 +59,7 @@ import static org.assertj.core.api.Assertions.assertThat;
  * @author Phillip Webb
  */
 @ExtendWith(OutputCaptureExtension.class)
+@DirtiesUrlFactories
 class SecurityFilterAutoConfigurationEarlyInitializationTests {
 
 	private static final Pattern PASSWORD_PATTERN = Pattern.compile("^Using generated security password: (.*)$",

spring-boot-project/spring-boot-test-autoconfigure/src/test/java/org/springframework/boot/test/autoconfigure/restdocs/RestDocsTestApplication.java

@@ -16,9 +16,9 @@
 
 package org.springframework.boot.test.autoconfigure.restdocs;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.cassandra.autoconfigure.CassandraAutoConfiguration;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
 
 /**

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java

@@ -19,8 +19,8 @@ package smoketest.actuator.customsecurity;
 import java.util.ArrayList;
 import java.util.List;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.boot.actuate.web.mappings.MappingsEndpoint;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest;
 import org.springframework.boot.security.autoconfigure.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-jersey/src/main/java/smoketest/secure/jersey/SecurityConfiguration.java

@@ -16,8 +16,8 @@
 
 package smoketest.secure.jersey;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.boot.actuate.web.mappings.MappingsEndpoint;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/ManagementPortSampleSecureWebFluxTests.java

@@ -21,8 +21,8 @@ import java.util.Base64;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
 import org.springframework.boot.actuate.web.mappings.MappingsEndpoint;
+import org.springframework.boot.security.actuate.autoconfigure.reactive.EndpointRequest;
 import org.springframework.boot.security.autoconfigure.reactive.PathRequest;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-secure-webflux/src/test/java/smoketest/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java

@@ -21,8 +21,8 @@ import java.util.Base64;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
 import org.springframework.boot.actuate.web.mappings.MappingsEndpoint;
+import org.springframework.boot.security.actuate.autoconfigure.reactive.EndpointRequest;
 import org.springframework.boot.security.autoconfigure.reactive.PathRequest;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.Bean;

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-hazelcast/src/main/java/smoketest/session/hazelcast/SecurityConfiguration.java

@@ -16,8 +16,8 @@
 
 package smoketest.session.hazelcast;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.boot.actuate.health.HealthEndpoint;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-jdbc/src/main/java/smoketest/session/SecurityConfiguration.java

@@ -16,8 +16,8 @@
 
 package smoketest.session;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.boot.actuate.health.HealthEndpoint;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-mongo/src/main/java/smoketest/session/mongodb/SecurityConfiguration.java

@@ -16,8 +16,8 @@
 
 package smoketest.session.mongodb;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.boot.actuate.health.HealthEndpoint;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-session-redis/src/main/java/smoketest/session/redis/SecurityConfiguration.java

@@ -16,8 +16,8 @@
 
 package smoketest.session.redis;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.boot.actuate.health.HealthEndpoint;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

spring-boot-tests/spring-boot-smoke-tests/spring-boot-smoke-test-web-method-security/src/main/java/smoketest/security/method/SampleMethodSecurityApplication.java

@@ -18,9 +18,9 @@ package smoketest.security.method;
 
 import jakarta.servlet.DispatcherType;
 
-import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.security.actuate.autoconfigure.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;