Refactor security auto-configuration package structure

Refactor security auto-configuration package structure and classes to
create distinct web configurations.

Closes gh-14412

documentation/spring-boot-docs/src/docs/antora/modules/reference/pages/web/spring-security.adoc

@@ -35,8 +35,8 @@ You can provide a different javadoc:org.springframework.security.authentication.
 [[web.security.spring-mvc]]
 == MVC Security
 
-The default security configuration is implemented in javadoc:org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration[] and javadoc:org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration[].
+The default security configuration is implemented in javadoc:org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration[] and javadoc:org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration[].
-javadoc:org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration[] imports `SpringBootWebSecurityConfiguration` for web security and javadoc:org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration[] for authentication.
+javadoc:org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration[] imports `SpringBootWebSecurityConfiguration` for web security and javadoc:org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration[] for authentication.
 
 To completely switch off the default web application security configuration, including Actuator security, or to combine multiple Spring Security components such as OAuth2 Client and Resource Server, add a bean of type javadoc:org.springframework.security.web.SecurityFilterChain[] (doing so does not disable the javadoc:org.springframework.security.core.userdetails.UserDetailsService[] configuration).
 To also switch off the javadoc:org.springframework.security.core.userdetails.UserDetailsService[] configuration, add a bean of type javadoc:org.springframework.security.core.userdetails.UserDetailsService[], javadoc:org.springframework.security.authentication.AuthenticationProvider[], or javadoc:org.springframework.security.authentication.AuthenticationManager[].
@@ -52,7 +52,7 @@ To use javadoc:org.springframework.security.core.userdetails.UserDetailsService[
 Access rules can be overridden by adding a custom javadoc:org.springframework.security.web.SecurityFilterChain[] bean.
 Spring Boot provides convenience methods that can be used to override access rules for actuator endpoints and static resources.
 javadoc:org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest[] can be used to create a javadoc:org.springframework.security.web.util.matcher.RequestMatcher[] that is based on the configprop:management.endpoints.web.base-path[] property.
-javadoc:org.springframework.boot.security.autoconfigure.servlet.PathRequest[] can be used to create a javadoc:org.springframework.security.web.util.matcher.RequestMatcher[] for resources in commonly used locations.
+javadoc:org.springframework.boot.security.autoconfigure.web.servlet.PathRequest[] can be used to create a javadoc:org.springframework.security.web.util.matcher.RequestMatcher[] for resources in commonly used locations.
 
 
 
@@ -60,8 +60,8 @@ javadoc:org.springframework.boot.security.autoconfigure.servlet.PathRequest[] ca
 == WebFlux Security
 
 Similar to Spring MVC applications, you can secure your WebFlux applications by adding the `spring-boot-starter-security` dependency.
-The default security configuration is implemented in javadoc:org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration[] and javadoc:org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration[].
+The default security configuration is implemented in javadoc:org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration[] and javadoc:org.springframework.boot.security.autoconfigure.ReactiveUserDetailsServiceAutoConfiguration[].
-javadoc:org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration[] imports `WebFluxSecurityConfiguration` for web security and javadoc:org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration[] for authentication.
+javadoc:org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration[] imports `WebFluxSecurityConfiguration` for web security and javadoc:org.springframework.boot.security.autoconfigure.ReactiveUserDetailsServiceAutoConfiguration[] for authentication.
 In addition to reactive web applications, the latter is also auto-configured when RSocket is in use.
 
 To completely switch off the default web application security configuration, including Actuator security, add a bean of type javadoc:org.springframework.security.web.server.WebFilterChainProxy[] (doing so does not disable the javadoc:org.springframework.security.core.userdetails.ReactiveUserDetailsService[] configuration).

documentation/spring-boot-docs/src/main/java/org/springframework/boot/docs/actuator/endpoints/security/exposeall/MySecurityConfiguration.java

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.actuator.endpoints.security.exposeall;
 
-import org.springframework.boot.security.autoconfigure.actuate.servlet.EndpointRequest;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

documentation/spring-boot-docs/src/main/java/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.java

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.actuator.endpoints.security.typical;
 
-import org.springframework.boot.security.autoconfigure.actuate.servlet.EndpointRequest;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

documentation/spring-boot-docs/src/main/java/org/springframework/boot/docs/data/sql/h2webconsole/springsecurity/DevProfileSecurityConfiguration.java

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.data.sql.h2webconsole.springsecurity;
 
-import org.springframework.boot.security.autoconfigure.servlet.PathRequest;
+import org.springframework.boot.security.autoconfigure.web.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;

documentation/spring-boot-docs/src/main/java/org/springframework/boot/docs/web/security/springwebflux/MyWebFluxSecurityConfiguration.java

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.web.security.springwebflux;
 
-import org.springframework.boot.security.autoconfigure.reactive.PathRequest;
+import org.springframework.boot.security.autoconfigure.web.reactive.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.web.server.ServerHttpSecurity;

documentation/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/actuator/endpoints/security/exposeall/MySecurityConfiguration.kt

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.actuator.endpoints.security.exposeall
 
-import org.springframework.boot.security.autoconfigure.actuate.servlet.EndpointRequest
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.EndpointRequest
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity

documentation/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/actuator/endpoints/security/typical/MySecurityConfiguration.kt

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.actuator.endpoints.security.typical
 
-import org.springframework.boot.security.autoconfigure.actuate.servlet.EndpointRequest
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.EndpointRequest
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.Customizer.withDefaults

documentation/spring-boot-docs/src/main/kotlin/org/springframework/boot/docs/web/security/springwebflux/MyWebFluxSecurityConfiguration.kt

@@ -16,7 +16,7 @@
 
 package org.springframework.boot.docs.web.security.springwebflux
 
-import org.springframework.boot.security.autoconfigure.reactive.PathRequest
+import org.springframework.boot.security.autoconfigure.web.reactive.PathRequest
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.Customizer.withDefaults

module/spring-boot-cloudfoundry/src/test/java/org/springframework/boot/cloudfoundry/autoconfigure/actuate/endpoint/reactive/CloudFoundryReactiveActuatorAutoConfigurationTests.java

@@ -54,7 +54,7 @@ import org.springframework.boot.health.autoconfigure.contributor.HealthContribut
 import org.springframework.boot.health.autoconfigure.registry.HealthContributorRegistryAutoConfiguration;
 import org.springframework.boot.http.converter.autoconfigure.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.ssl.SslBundle;
 import org.springframework.boot.ssl.jks.JksSslStoreBundle;
 import org.springframework.boot.ssl.jks.JksSslStoreDetails;
@@ -97,7 +97,7 @@ class CloudFoundryReactiveActuatorAutoConfigurationTests {
 	private static final String V3_JSON = ApiVersion.V3.getProducedMimeType().toString();
 
 	private final ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
-		.withConfiguration(AutoConfigurations.of(ReactiveSecurityAutoConfiguration.class,
+		.withConfiguration(AutoConfigurations.of(ReactiveWebSecurityAutoConfiguration.class,
 				WebFluxAutoConfiguration.class, JacksonAutoConfiguration.class,
 				HttpMessageConvertersAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class,
 				WebClientCustomizerConfig.class, WebClientAutoConfiguration.class,

module/spring-boot-cloudfoundry/src/test/java/org/springframework/boot/cloudfoundry/autoconfigure/actuate/endpoint/reactive/CloudFoundryReactiveHealthEndpointWebExtensionTests.java

@@ -38,7 +38,7 @@ import org.springframework.boot.health.contributor.Health;
 import org.springframework.boot.health.contributor.HealthIndicator;
 import org.springframework.boot.http.converter.autoconfigure.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
 import org.springframework.boot.webclient.autoconfigure.WebClientAutoConfiguration;
 import org.springframework.boot.webflux.autoconfigure.WebFluxAutoConfiguration;
@@ -58,7 +58,7 @@ class CloudFoundryReactiveHealthEndpointWebExtensionTests {
 
 	private final ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
 		.withPropertyValues("VCAP_APPLICATION={}")
-		.withConfiguration(AutoConfigurations.of(ReactiveSecurityAutoConfiguration.class,
+		.withConfiguration(AutoConfigurations.of(ReactiveWebSecurityAutoConfiguration.class,
 				WebFluxAutoConfiguration.class, JacksonAutoConfiguration.class,
 				HttpMessageConvertersAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class,
 				CloudFoundryReactiveActuatorAutoConfigurationTests.WebClientCustomizerConfig.class,

module/spring-boot-cloudfoundry/src/test/java/org/springframework/boot/cloudfoundry/autoconfigure/actuate/endpoint/servlet/CloudFoundryActuatorAutoConfigurationTests.java

@@ -43,7 +43,8 @@ import org.springframework.boot.health.autoconfigure.registry.HealthContributorR
 import org.springframework.boot.http.converter.autoconfigure.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
 import org.springframework.boot.restclient.autoconfigure.RestTemplateAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.boot.servlet.autoconfigure.actuate.web.ServletManagementContextAutoConfiguration;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
@@ -82,7 +83,8 @@ class CloudFoundryActuatorAutoConfigurationTests {
 	private static final String BASE_PATH = "/cloudfoundryapplication";
 
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
-		.withConfiguration(AutoConfigurations.of(SecurityAutoConfiguration.class, WebMvcAutoConfiguration.class,
+		.withConfiguration(AutoConfigurations.of(SecurityAutoConfiguration.class,
+				ServletWebSecurityAutoConfiguration.class, WebMvcAutoConfiguration.class,
 				JacksonAutoConfiguration.class, DispatcherServletAutoConfiguration.class,
 				HttpMessageConvertersAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class,
 				RestTemplateAutoConfiguration.class, ManagementContextAutoConfiguration.class,

module/spring-boot-cloudfoundry/src/test/java/org/springframework/boot/cloudfoundry/autoconfigure/actuate/endpoint/servlet/CloudFoundryHealthEndpointWebExtensionTests.java

@@ -37,7 +37,8 @@ import org.springframework.boot.health.contributor.HealthIndicator;
 import org.springframework.boot.http.converter.autoconfigure.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
 import org.springframework.boot.restclient.autoconfigure.RestTemplateAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.boot.servlet.autoconfigure.actuate.web.ServletManagementContextAutoConfiguration;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.boot.webmvc.autoconfigure.DispatcherServletAutoConfiguration;
@@ -54,14 +55,15 @@ class CloudFoundryHealthEndpointWebExtensionTests {
 
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
 		.withPropertyValues("VCAP_APPLICATION={}")
-		.withConfiguration(AutoConfigurations.of(SecurityAutoConfiguration.class, WebMvcAutoConfiguration.class,
+		.withConfiguration(
-				JacksonAutoConfiguration.class, DispatcherServletAutoConfiguration.class,
+				AutoConfigurations.of(SecurityAutoConfiguration.class, ServletWebSecurityAutoConfiguration.class,
-				HttpMessageConvertersAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class,
+						WebMvcAutoConfiguration.class, JacksonAutoConfiguration.class,
-				RestTemplateAutoConfiguration.class, ManagementContextAutoConfiguration.class,
+						DispatcherServletAutoConfiguration.class, HttpMessageConvertersAutoConfiguration.class,
-				ServletManagementContextAutoConfiguration.class, EndpointAutoConfiguration.class,
+						PropertyPlaceholderAutoConfiguration.class, RestTemplateAutoConfiguration.class,
-				WebEndpointAutoConfiguration.class, HealthContributorAutoConfiguration.class,
+						ManagementContextAutoConfiguration.class, ServletManagementContextAutoConfiguration.class,
-				HealthContributorRegistryAutoConfiguration.class, HealthEndpointAutoConfiguration.class,
+						EndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class,
-				CloudFoundryActuatorAutoConfiguration.class))
+						HealthContributorAutoConfiguration.class, HealthContributorRegistryAutoConfiguration.class,
+						HealthEndpointAutoConfiguration.class, CloudFoundryActuatorAutoConfiguration.class))
 		.withUserConfiguration(TestHealthIndicator.class);
 
 	@Test

module/spring-boot-cloudfoundry/src/test/java/org/springframework/boot/cloudfoundry/autoconfigure/actuate/endpoint/servlet/CloudFoundryInfoEndpointWebExtensionTests.java

@@ -32,7 +32,8 @@ import org.springframework.boot.health.autoconfigure.actuate.endpoint.HealthEndp
 import org.springframework.boot.http.converter.autoconfigure.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
 import org.springframework.boot.restclient.autoconfigure.RestTemplateAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.boot.servlet.autoconfigure.actuate.web.ServletManagementContextAutoConfiguration;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.boot.testsupport.classpath.resources.WithResource;
@@ -50,7 +51,8 @@ class CloudFoundryInfoEndpointWebExtensionTests {
 
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
 		.withPropertyValues("VCAP_APPLICATION={}")
-		.withConfiguration(AutoConfigurations.of(SecurityAutoConfiguration.class, WebMvcAutoConfiguration.class,
+		.withConfiguration(AutoConfigurations.of(SecurityAutoConfiguration.class,
+				ServletWebSecurityAutoConfiguration.class, WebMvcAutoConfiguration.class,
 				JacksonAutoConfiguration.class, DispatcherServletAutoConfiguration.class,
 				HttpMessageConvertersAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class,
 				RestTemplateAutoConfiguration.class, ManagementContextAutoConfiguration.class,

module/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfiguration.java

@@ -59,7 +59,8 @@ import org.springframework.util.Assert;
  * @author Madhura Bhave
  * @since 1.3.0
  */
-@AutoConfiguration(afterName = "org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration")
+@AutoConfiguration(
+		afterName = "org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration")
 @ConditionalOnEnabledDevTools
 @ConditionalOnProperty("spring.devtools.remote.secret")
 @ConditionalOnClass({ Filter.class, ServerHttpRequest.class, ServerProperties.class })

module/spring-boot-devtools/src/main/java/org/springframework/boot/devtools/autoconfigure/RemoteDevtoolsSecurityConfiguration.java

@@ -17,7 +17,7 @@
 package org.springframework.boot.devtools.autoconfigure;
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterProperties;
 import org.springframework.boot.web.server.autoconfigure.ServerProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -46,7 +46,7 @@ class RemoteDevtoolsSecurityConfiguration {
 	}
 
 	@Bean
-	@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
+	@Order(SecurityFilterProperties.BASIC_AUTH_ORDER - 1)
 	SecurityFilterChain devtoolsSecurityFilterChain(HttpSecurity http) {
 		http.securityMatcher(PathPatternRequestMatcher.withDefaults().matcher(this.url));
 		http.authorizeHttpRequests((requests) -> requests.anyRequest().anonymous());

module/spring-boot-devtools/src/test/java/org/springframework/boot/devtools/autoconfigure/RemoteDevToolsAutoConfigurationTests.java

@@ -32,7 +32,8 @@ import org.springframework.boot.devtools.remote.server.DispatcherFilter;
 import org.springframework.boot.devtools.restart.MockRestarter;
 import org.springframework.boot.devtools.restart.server.HttpRestartServer;
 import org.springframework.boot.devtools.restart.server.SourceDirectoryUrlFilter;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.boot.test.util.TestPropertyValues;
 import org.springframework.boot.web.context.servlet.AnnotationConfigServletWebApplicationContext;
 import org.springframework.context.annotation.Bean;
@@ -236,8 +237,8 @@ class RemoteDevToolsAutoConfigurationTests {
 	private AnnotationConfigServletWebApplicationContext loadContext(String... properties) {
 		AnnotationConfigServletWebApplicationContext context = new AnnotationConfigServletWebApplicationContext();
 		context.setServletContext(new MockServletContext());
-		context.register(Config.class, SecurityAutoConfiguration.class, RemoteDevToolsAutoConfiguration.class,
+		context.register(Config.class, SecurityAutoConfiguration.class, ServletWebSecurityAutoConfiguration.class,
-				PropertyPlaceholderAutoConfiguration.class);
+				RemoteDevToolsAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class);
 		TestPropertyValues.of(properties).applyTo(context);
 		context.refresh();
 		return context;

module/spring-boot-graphql/src/test/java/org/springframework/boot/graphql/autoconfigure/security/GraphQlWebFluxSecurityAutoConfigurationTests.java

@@ -30,7 +30,7 @@ import org.springframework.boot.graphql.autoconfigure.GraphQlTestDataFetchers;
 import org.springframework.boot.graphql.autoconfigure.reactive.GraphQlWebFluxAutoConfiguration;
 import org.springframework.boot.http.codec.autoconfigure.CodecsAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
 import org.springframework.boot.testsupport.classpath.resources.WithResource;
 import org.springframework.boot.webflux.autoconfigure.HttpHandlerAutoConfiguration;
@@ -87,7 +87,7 @@ class GraphQlWebFluxSecurityAutoConfigurationTests {
 		.withConfiguration(AutoConfigurations.of(HttpHandlerAutoConfiguration.class, WebFluxAutoConfiguration.class,
 				CodecsAutoConfiguration.class, JacksonAutoConfiguration.class, GraphQlAutoConfiguration.class,
 				GraphQlWebFluxAutoConfiguration.class, GraphQlWebFluxSecurityAutoConfiguration.class,
-				ReactiveSecurityAutoConfiguration.class))
+				ReactiveWebSecurityAutoConfiguration.class))
 		.withUserConfiguration(DataFetchersConfiguration.class, SecurityConfig.class)
 		.withPropertyValues("spring.main.web-application-type=reactive");
 

module/spring-boot-graphql/src/test/java/org/springframework/boot/graphql/autoconfigure/security/GraphQlWebMvcSecurityAutoConfigurationTests.java

@@ -28,7 +28,7 @@ import org.springframework.boot.graphql.autoconfigure.GraphQlTestDataFetchers;
 import org.springframework.boot.graphql.autoconfigure.servlet.GraphQlWebMvcAutoConfiguration;
 import org.springframework.boot.http.converter.autoconfigure.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.boot.testsupport.classpath.resources.WithResource;
 import org.springframework.boot.webmvc.autoconfigure.DispatcherServletAutoConfiguration;

module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerAutoConfiguration.java

@@ -21,9 +21,9 @@ import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 

module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerJwtAutoConfiguration.java

@@ -35,7 +35,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
-import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;

module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerWebSecurityConfiguration.java

@@ -19,8 +19,8 @@ package org.springframework.boot.security.oauth2.server.authorization.autoconfig
 import java.util.Set;
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
-import org.springframework.boot.security.autoconfigure.ConditionalOnDefaultWebSecurity;
+import org.springframework.boot.security.autoconfigure.web.servlet.ConditionalOnDefaultWebSecurity;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
@@ -62,7 +62,7 @@ class OAuth2AuthorizationServerWebSecurityConfiguration {
 	}
 
 	@Bean
-	@Order(SecurityProperties.BASIC_AUTH_ORDER)
+	@Order(SecurityFilterProperties.BASIC_AUTH_ORDER)
 	SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) {
 		http.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated()).formLogin(withDefaults());
 		return http.build();

module/spring-boot-security-oauth2-authorization-server/src/test/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerAutoConfigurationTests.java

@@ -19,9 +19,10 @@ package org.springframework.boot.security.oauth2.server.authorization.autoconfig
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.boot.testsupport.classpath.ClassPathExclusions;
@@ -53,7 +54,7 @@ class OAuth2AuthorizationServerAutoConfigurationTests {
 	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
 		.withConfiguration(AutoConfigurations.of(OAuth2AuthorizationServerAutoConfiguration.class,
 				OAuth2AuthorizationServerJwtAutoConfiguration.class, SecurityAutoConfiguration.class,
-				UserDetailsServiceAutoConfiguration.class));
+				ServletWebSecurityAutoConfiguration.class, UserDetailsServiceAutoConfiguration.class));
 
 	@Test
 	void autoConfigurationConditionalOnClassOauth2Authorization() {

module/spring-boot-security-oauth2-client/src/main/java/org/springframework/boot/security/oauth2/client/autoconfigure/reactive/ReactiveOAuth2ClientWebSecurityAutoConfiguration.java

@@ -24,8 +24,8 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
-import org.springframework.boot.security.autoconfigure.actuate.reactive.ReactiveManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.reactive.ReactiveManagementWebSecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
@@ -45,7 +45,7 @@ import static org.springframework.security.config.Customizer.withDefaults;
  * @since 4.0.0
  */
 @AutoConfiguration(
-		before = { ReactiveManagementWebSecurityAutoConfiguration.class, ReactiveSecurityAutoConfiguration.class },
+		before = { ReactiveManagementWebSecurityAutoConfiguration.class, ReactiveWebSecurityAutoConfiguration.class },
 		after = ReactiveOAuth2ClientAutoConfiguration.class)
 @ConditionalOnClass({ Flux.class, EnableWebFluxSecurity.class, ServerOAuth2AuthorizedClientRepository.class })
 @ConditionalOnBean(ReactiveOAuth2AuthorizedClientService.class)

module/spring-boot-security-oauth2-client/src/main/java/org/springframework/boot/security/oauth2/client/autoconfigure/servlet/OAuth2ClientWebSecurityAutoConfiguration.java

@@ -22,9 +22,9 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
-import org.springframework.boot.security.autoconfigure.ConditionalOnDefaultWebSecurity;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.ManagementWebSecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.security.oauth2.client.autoconfigure.OAuth2ClientAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;

module/spring-boot-security-oauth2-client/src/test/java/org/springframework/boot/security/oauth2/client/autoconfigure/reactive/ReactiveOAuth2ClientAutoConfigurationTests.java

@@ -22,7 +22,7 @@ import org.junit.jupiter.api.Test;
 import reactor.core.publisher.Flux;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
@@ -46,7 +46,7 @@ class ReactiveOAuth2ClientAutoConfigurationTests {
 
 	private final ApplicationContextRunner contextRunner = new ApplicationContextRunner()
 		.withConfiguration(AutoConfigurations.of(ReactiveOAuth2ClientAutoConfiguration.class,
-				ReactiveSecurityAutoConfiguration.class));
+				ReactiveWebSecurityAutoConfiguration.class));
 
 	@Test
 	void autoConfigurationShouldBackOffForServletEnvironments() {

module/spring-boot-security-oauth2-client/src/test/java/org/springframework/boot/security/oauth2/client/autoconfigure/reactive/ReactiveOAuth2ClientWebSecurityAutoConfigurationTests.java

@@ -22,7 +22,7 @@ import java.util.List;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.assertj.AssertableReactiveWebApplicationContext;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
@@ -60,7 +60,7 @@ class ReactiveOAuth2ClientWebSecurityAutoConfigurationTests {
 
 	private final ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
 		.withConfiguration(AutoConfigurations.of(ReactiveOAuth2ClientWebSecurityAutoConfiguration.class,
-				ReactiveSecurityAutoConfiguration.class));
+				ReactiveWebSecurityAutoConfiguration.class));
 
 	@Test
 	void autoConfigurationShouldBackOffForServletEnvironments() {
@@ -107,7 +107,7 @@ class ReactiveOAuth2ClientWebSecurityAutoConfigurationTests {
 	void securityWebFilterChainBeanConditionalOnWebApplication() {
 		new ApplicationContextRunner()
 			.withConfiguration(AutoConfigurations.of(ReactiveOAuth2ClientWebSecurityAutoConfiguration.class,
-					ReactiveSecurityAutoConfiguration.class))
+					ReactiveWebSecurityAutoConfiguration.class))
 			.withUserConfiguration(ReactiveOAuth2AuthorizedClientRepositoryConfiguration.class)
 			.run((context) -> assertThat(context).doesNotHaveBean(SecurityWebFilterChain.class));
 	}

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerAutoConfiguration.java

@@ -22,9 +22,9 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.boot.security.autoconfigure.actuate.reactive.ReactiveManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.ReactiveUserDetailsServiceAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.reactive.ReactiveManagementWebSecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
@@ -37,7 +37,7 @@ import org.springframework.security.config.annotation.web.reactive.EnableWebFlux
  * @since 4.0.0
  */
 @AutoConfiguration(before = { ReactiveManagementWebSecurityAutoConfiguration.class,
-		ReactiveSecurityAutoConfiguration.class, ReactiveUserDetailsServiceAutoConfiguration.class })
+		ReactiveWebSecurityAutoConfiguration.class, ReactiveUserDetailsServiceAutoConfiguration.class })
 @EnableConfigurationProperties(OAuth2ResourceServerProperties.class)
 @ConditionalOnClass({ EnableWebFluxSecurity.class })
 @ConditionalOnWebApplication(type = Type.REACTIVE)

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerAutoConfiguration.java

@@ -22,9 +22,9 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerJwtConfiguration.java

@@ -33,7 +33,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.PropertyMapper;
-import org.springframework.boot.security.autoconfigure.ConditionalOnDefaultWebSecurity;
+import org.springframework.boot.security.autoconfigure.web.servlet.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnIssuerLocationJwtDecoder;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnPublicKeyJwtDecoder;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;

module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerOpaqueTokenConfiguration.java

@@ -19,7 +19,7 @@ package org.springframework.boot.security.oauth2.server.resource.autoconfigure.s
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.security.autoconfigure.ConditionalOnDefaultWebSecurity;
+import org.springframework.boot.security.autoconfigure.web.servlet.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;

module/spring-boot-security-oauth2-resource-server/src/test/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java

@@ -49,8 +49,8 @@ import reactor.core.publisher.Mono;
 import tools.jackson.databind.ObjectMapper;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
-import org.springframework.boot.security.autoconfigure.actuate.reactive.ReactiveManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.reactive.ReactiveManagementWebSecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.JwtConverterCustomizationsArgumentsProvider;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableReactiveWebApplicationContext;
@@ -718,7 +718,7 @@ class ReactiveOAuth2ResourceServerAutoConfigurationTests {
 	void causesReactiveManagementWebSecurityAutoConfigurationToBackOff() {
 		ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
 			.withConfiguration(AutoConfigurations.of(ReactiveManagementWebSecurityAutoConfiguration.class,
-					ReactiveOAuth2ResourceServerAutoConfiguration.class, ReactiveSecurityAutoConfiguration.class,
+					ReactiveOAuth2ResourceServerAutoConfiguration.class, ReactiveWebSecurityAutoConfiguration.class,
 					WebFluxAutoConfiguration.class));
 		contextRunner
 			.run((context) -> assertThat(context).hasSingleBean(ReactiveManagementWebSecurityAutoConfiguration.class));

module/spring-boot-security-oauth2-resource-server/src/test/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerAutoConfigurationTests.java

@@ -47,8 +47,9 @@ import org.mockito.InOrder;
 import tools.jackson.databind.ObjectMapper;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.JwtConverterCustomizationsArgumentsProvider;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
@@ -737,7 +738,7 @@ class OAuth2ResourceServerAutoConfigurationTests {
 		WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
 			.withConfiguration(AutoConfigurations.of(ManagementWebSecurityAutoConfiguration.class,
 					OAuth2ResourceServerAutoConfiguration.class, SecurityAutoConfiguration.class,
-					WebMvcAutoConfiguration.class));
+					ServletWebSecurityAutoConfiguration.class, WebMvcAutoConfiguration.class));
 		contextRunner.run((context) -> assertThat(context).hasSingleBean(ManagementWebSecurityAutoConfiguration.class));
 		contextRunner.withPropertyValues("spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://authserver")
 			.run((context) -> assertThat(context).doesNotHaveBean(ManagementWebSecurityAutoConfiguration.class)

module/spring-boot-security-saml2/src/main/java/org/springframework/boot/security/saml2/autoconfigure/Saml2LoginConfiguration.java

@@ -17,7 +17,7 @@
 package org.springframework.boot.security.saml2.autoconfigure;
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
-import org.springframework.boot.security.autoconfigure.ConditionalOnDefaultWebSecurity;
+import org.springframework.boot.security.autoconfigure.web.servlet.ConditionalOnDefaultWebSecurity;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

module/spring-boot-security-saml2/src/main/java/org/springframework/boot/security/saml2/autoconfigure/Saml2RelyingPartyAutoConfiguration.java

@@ -22,8 +22,8 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.context.annotation.Import;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 

module/spring-boot-security-saml2/src/test/java/org/springframework/boot/security/saml2/autoconfigure/Saml2RelyingPartyAutoConfigurationTests.java

@@ -27,8 +27,9 @@ import org.jspecify.annotations.Nullable;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.ManagementWebSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
@@ -69,8 +70,9 @@ class Saml2RelyingPartyAutoConfigurationTests {
 
 	private static final String MANAGEMENT_SECURITY_FILTER_CHAIN_BEAN = "managementSecurityFilterChain";
 
-	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration(
+	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
-			AutoConfigurations.of(Saml2RelyingPartyAutoConfiguration.class, SecurityAutoConfiguration.class));
+		.withConfiguration(AutoConfigurations.of(Saml2RelyingPartyAutoConfiguration.class,
+				SecurityAutoConfiguration.class, ServletWebSecurityAutoConfiguration.class));
 
 	@Test
 	void autoConfigurationShouldBeConditionalOnRelyingPartyRegistrationRepositoryClass() {
@@ -444,7 +446,7 @@ class Saml2RelyingPartyAutoConfigurationTests {
 	}
 
 	@EnableWebSecurity
-	static class WebSecurityEnablerConfiguration {
+	static class EnableWebSecurityConfiguration {
 
 	}
 

module/spring-boot-security-test/src/main/resources/META-INF/spring/org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc.imports

@@ -1,4 +1,5 @@
-org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration
+org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration
-org.springframework.boot.security.autoconfigure.servlet.SecurityFilterAutoConfiguration
+org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration
-org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration
+org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterAutoConfiguration
+org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration
 org.springframework.boot.security.test.autoconfigure.webmvc.SecurityMockMvcAutoConfiguration

module/spring-boot-security-test/src/main/resources/META-INF/spring/org.springframework.boot.webtestclient.AutoConfigureWebTestClient.imports

@@ -1,3 +1,4 @@
-org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration
+org.springframework.boot.security.autoconfigure.ReactiveUserDetailsServiceAutoConfiguration
-org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration
+org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration
+org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration
 org.springframework.boot.security.test.autoconfigure.webflux.SecurityWebTestClientAutoConfiguration

module/spring-boot-security-test/src/test/java/org/springframework/boot/security/test/autoconfigure/webmvc/AfterSecurityFilter.java

@@ -26,7 +26,7 @@ import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterProperties;
 import org.springframework.core.Ordered;
 
 /**
@@ -38,7 +38,7 @@ public class AfterSecurityFilter implements Filter, Ordered {
 
 	@Override
 	public int getOrder() {
-		return SecurityProperties.DEFAULT_FILTER_ORDER + 1;
+		return SecurityFilterProperties.DEFAULT_FILTER_ORDER + 1;
 	}
 
 	@Override

module/spring-boot-security-test/src/test/java/org/springframework/boot/security/test/autoconfigure/webmvc/ExampleFilter.java

@@ -26,7 +26,7 @@ import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletResponse;
 
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterProperties;
 import org.springframework.boot.webmvc.test.autoconfigure.WebMvcTest;
 import org.springframework.core.Ordered;
 import org.springframework.stereotype.Component;
@@ -56,7 +56,7 @@ public class ExampleFilter implements Filter, Ordered {
 
 	@Override
 	public int getOrder() {
-		return SecurityProperties.DEFAULT_FILTER_ORDER - 1;
+		return SecurityFilterProperties.DEFAULT_FILTER_ORDER - 1;
 	}
 
 }

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/MissingAlternativeUserDetailsManagerOrUserPropertiesConfigured.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.security.autoconfigure;
+
+import org.springframework.boot.autoconfigure.condition.AnyNestedCondition;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Condition;
+
+/**
+ * {@link Condition} used to check if security username or passowrd properties have been
+ * set or there are no alternatives to the user details manager available.
+ *
+ * @author Andy Wilkinson
+ */
+final class MissingAlternativeUserDetailsManagerOrUserPropertiesConfigured extends AnyNestedCondition {
+
+	MissingAlternativeUserDetailsManagerOrUserPropertiesConfigured() {
+		super(ConfigurationPhase.PARSE_CONFIGURATION);
+	}
+
+	@ConditionalOnMissingClass({ "org.springframework.security.oauth2.client.registration.ClientRegistrationRepository",
+			"org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector",
+			"org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository" })
+	static final class MissingAlternative {
+
+	}
+
+	@ConditionalOnProperty("spring.security.user.name")
+	static final class NameConfigured {
+
+	}
+
+	@ConditionalOnProperty("spring.security.user.password")
+	static final class PasswordConfigured {
+
+	}
+
+}

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/ReactiveUserDetailsServiceAutoConfiguration.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.reactive;
+package org.springframework.boot.security.autoconfigure;
 
 import java.util.List;
 import java.util.regex.Pattern;
@@ -25,19 +25,16 @@ import org.jspecify.annotations.Nullable;
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.AnyNestedCondition;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
-import org.springframework.context.annotation.Configuration;
 import org.springframework.messaging.rsocket.annotation.support.RSocketMessageHandler;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
 import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
@@ -49,24 +46,29 @@ import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.util.StringUtils;
 
 /**
- * Default user {@link Configuration @Configuration} for a reactive web application.
+ * {@link EnableAutoConfiguration Auto-configuration} for a Spring Security in-memory
- * Configures a {@link ReactiveUserDetailsService} with a default user and generated
+ * {@link ReactiveUserDetailsService}. Adds a {@link MapReactiveUserDetailsService} with a
- * password. This backs-off completely if there is a bean of type
+ * default user and generated password.
+ * <p>
+ * This configuration backs-off completely if there is a bean of type
  * {@link ReactiveUserDetailsService}, {@link ReactiveAuthenticationManager}, or
  * {@link ReactiveAuthenticationManagerResolver}.
+ * <p>
+ * Note that the reactive application detection mechanism is limited to web applications
+ * only. If you're writing a non-web application you will need to configure reactive
+ * security yourself.
  *
  * @author Madhura Bhave
  * @since 4.0.0
  */
-@AutoConfiguration(before = ReactiveSecurityAutoConfiguration.class,
+@AutoConfiguration(afterName = "org.springframework.boot.rsocket.autoconfigure.RSocketMessagingAutoConfiguration")
-		afterName = "org.springframework.boot.rsocket.autoconfigure.RSocketMessagingAutoConfiguration")
 @ConditionalOnClass({ ReactiveAuthenticationManager.class })
 @ConditionalOnMissingBean(
 		value = { ReactiveAuthenticationManager.class, ReactiveUserDetailsService.class,
 				ReactiveAuthenticationManagerResolver.class },
 		type = { "org.springframework.security.oauth2.jwt.ReactiveJwtDecoder" })
 @Conditional({ ReactiveUserDetailsServiceAutoConfiguration.RSocketEnabledOrReactiveWebApplication.class,
-		ReactiveUserDetailsServiceAutoConfiguration.MissingAlternativeOrUserPropertiesConfigured.class })
+		MissingAlternativeUserDetailsManagerOrUserPropertiesConfigured.class })
 @EnableConfigurationProperties(SecurityProperties.class)
 public final class ReactiveUserDetailsServiceAutoConfiguration {
 
@@ -118,29 +120,4 @@ public final class ReactiveUserDetailsServiceAutoConfiguration {
 
 	}
 
-	static final class MissingAlternativeOrUserPropertiesConfigured extends AnyNestedCondition {
-
-		MissingAlternativeOrUserPropertiesConfigured() {
-			super(ConfigurationPhase.PARSE_CONFIGURATION);
-		}
-
-		@ConditionalOnMissingClass({
-				"org.springframework.security.oauth2.client.registration.ClientRegistrationRepository",
-				"org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector" })
-		static final class MissingAlternative {
-
-		}
-
-		@ConditionalOnProperty("spring.security.user.name")
-		static final class NameConfigured {
-
-		}
-
-		@ConditionalOnProperty("spring.security.user.password")
-		static final class PasswordConfigured {
-
-		}
-
-	}
-
 }

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/SecurityAutoConfiguration.java

@@ -14,20 +14,19 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure;
 
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.boot.security.autoconfigure.SecurityDataConfiguration;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
+import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for Spring Security.
@@ -37,10 +36,9 @@ import org.springframework.security.authentication.DefaultAuthenticationEventPub
  * @author Madhura Bhave
  * @since 4.0.0
  */
-@AutoConfiguration(before = UserDetailsServiceAutoConfiguration.class)
+@AutoConfiguration
 @ConditionalOnClass(DefaultAuthenticationEventPublisher.class)
 @EnableConfigurationProperties(SecurityProperties.class)
-@Import({ SpringBootWebSecurityConfiguration.class, SecurityDataConfiguration.class })
 public final class SecurityAutoConfiguration {
 
 	@Bean
@@ -49,4 +47,16 @@ public final class SecurityAutoConfiguration {
 		return new DefaultAuthenticationEventPublisher(publisher);
 	}
 
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnClass(SecurityEvaluationContextExtension.class)
+	static class SecurityDataConfiguration {
+
+		@Bean
+		@ConditionalOnMissingBean
+		SecurityEvaluationContextExtension securityEvaluationContextExtension() {
+			return new SecurityEvaluationContextExtension();
+		}
+
+	}
+
 }

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/SecurityDataConfiguration.java

@@ -1,41 +0,0 @@
-/*
- * Copyright 2012-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.boot.security.autoconfigure;
-
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
-
-/**
- * Automatically adds Spring Security's integration with Spring Data.
- *
- * @author Rob Winch
- * @since 4.0.0
- */
-@Configuration(proxyBeanMethods = false)
-@ConditionalOnClass(SecurityEvaluationContextExtension.class)
-public class SecurityDataConfiguration {
-
-	@Bean
-	@ConditionalOnMissingBean
-	public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
-		return new SecurityEvaluationContextExtension();
-	}
-
-}

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/SecurityProperties.java

@@ -17,15 +17,10 @@
 package org.springframework.boot.security.autoconfigure;
 
 import java.util.ArrayList;
-import java.util.EnumSet;
 import java.util.List;
-import java.util.Set;
 import java.util.UUID;
 
 import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.boot.servlet.filter.OrderedFilter;
-import org.springframework.boot.web.servlet.DispatcherType;
-import org.springframework.core.Ordered;
 import org.springframework.util.StringUtils;
 
 /**
@@ -39,63 +34,12 @@ import org.springframework.util.StringUtils;
 @ConfigurationProperties("spring.security")
 public class SecurityProperties {
 
-	/**
-	 * Order applied to the {@code SecurityFilterChain} that is used to configure basic
-	 * authentication for application endpoints. Create your own
-	 * {@code SecurityFilterChain} if you want to add your own authentication for all or
-	 * some of those endpoints.
-	 */
-	public static final int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5;
-
-	/**
-	 * Default order of Spring Security's Filter in the servlet container (i.e. amongst
-	 * other filters registered with the container). There is no connection between this
-	 * and the {@code @Order} on a {@code SecurityFilterChain}.
-	 */
-	public static final int DEFAULT_FILTER_ORDER = OrderedFilter.REQUEST_WRAPPER_FILTER_MAX_ORDER - 100;
-
-	private final Filter filter = new Filter();
-
 	private final User user = new User();
 
 	public User getUser() {
 		return this.user;
 	}
 
-	public Filter getFilter() {
-		return this.filter;
-	}
-
-	public static class Filter {
-
-		/**
-		 * Security filter chain order for Servlet-based web applications.
-		 */
-		private int order = DEFAULT_FILTER_ORDER;
-
-		/**
-		 * Security filter chain dispatcher types for Servlet-based web applications.
-		 */
-		private Set<DispatcherType> dispatcherTypes = EnumSet.allOf(DispatcherType.class);
-
-		public int getOrder() {
-			return this.order;
-		}
-
-		public void setOrder(int order) {
-			this.order = order;
-		}
-
-		public Set<DispatcherType> getDispatcherTypes() {
-			return this.dispatcherTypes;
-		}
-
-		public void setDispatcherTypes(Set<DispatcherType> dispatcherTypes) {
-			this.dispatcherTypes = dispatcherTypes;
-		}
-
-	}
-
 	public static class User {
 
 		/**

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/UserDetailsServiceAutoConfiguration.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure;
 
 import java.util.List;
 import java.util.regex.Pattern;
@@ -26,22 +26,15 @@ import org.jspecify.annotations.Nullable;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
-import org.springframework.boot.autoconfigure.condition.AnyNestedCondition;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
-import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration.MissingAlternativeOrUserPropertiesConfigured;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.config.ObjectPostProcessor;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -61,8 +54,7 @@ import org.springframework.util.StringUtils;
  */
 @AutoConfiguration
 @ConditionalOnClass(AuthenticationManager.class)
-@Conditional(MissingAlternativeOrUserPropertiesConfigured.class)
+@Conditional(MissingAlternativeUserDetailsManagerOrUserPropertiesConfigured.class)
-@ConditionalOnBean(ObjectPostProcessor.class)
 @ConditionalOnMissingBean(value = { AuthenticationManager.class, AuthenticationProvider.class, UserDetailsService.class,
 		AuthenticationManagerResolver.class }, type = "org.springframework.security.oauth2.jwt.JwtDecoder")
 @ConditionalOnWebApplication(type = Type.SERVLET)
@@ -100,30 +92,4 @@ public final class UserDetailsServiceAutoConfiguration {
 		return NOOP_PASSWORD_PREFIX + password;
 	}
 
-	static final class MissingAlternativeOrUserPropertiesConfigured extends AnyNestedCondition {
-
-		MissingAlternativeOrUserPropertiesConfigured() {
-			super(ConfigurationPhase.PARSE_CONFIGURATION);
-		}
-
-		@ConditionalOnMissingClass({
-				"org.springframework.security.oauth2.client.registration.ClientRegistrationRepository",
-				"org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector",
-				"org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository" })
-		static final class MissingAlternative {
-
-		}
-
-		@ConditionalOnProperty("spring.security.user.name")
-		static final class NameConfigured {
-
-		}
-
-		@ConditionalOnProperty("spring.security.user.password")
-		static final class PasswordConfigured {
-
-		}
-
-	}
-
 }

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/reactive/EndpointRequest.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.reactive;
+package org.springframework.boot.security.autoconfigure.actuate.web.reactive;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -37,7 +37,7 @@ import org.springframework.boot.actuate.endpoint.EndpointId;
 import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
-import org.springframework.boot.security.reactive.ApplicationContextServerWebExchangeMatcher;
+import org.springframework.boot.security.web.reactive.ApplicationContextServerWebExchangeMatcher;
 import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.annotation.MergedAnnotation;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/reactive/ReactiveManagementWebSecurityAutoConfiguration.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.reactive;
+package org.springframework.boot.security.autoconfigure.actuate.web.reactive;
 
 import reactor.core.publisher.Mono;
 
@@ -27,8 +27,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.health.actuate.endpoint.HealthEndpoint;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
@@ -52,8 +51,7 @@ import static org.springframework.security.config.Customizer.withDefaults;
  * @author Madhura Bhave
  * @since 4.0.0
  */
-@AutoConfiguration(before = ReactiveSecurityAutoConfiguration.class,
+@AutoConfiguration(before = ReactiveWebSecurityAutoConfiguration.class,
-		after = ReactiveUserDetailsServiceAutoConfiguration.class,
 		afterName = { "org.springframework.boot.health.autoconfigure.actuate.endpoint.HealthEndpointAutoConfiguration",
 				"org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration",
 				"org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration" })

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/reactive/package-info.java

@@ -18,6 +18,6 @@
  * Auto-configuration for actuator security using WebFlux.
  */
 @NullMarked
-package org.springframework.boot.security.autoconfigure.actuate.reactive;
+package org.springframework.boot.security.autoconfigure.actuate.web.reactive;
 
 import org.jspecify.annotations.NullMarked;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/EndpointRequest.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -37,7 +37,7 @@ import org.springframework.boot.actuate.endpoint.EndpointId;
 import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
-import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
+import org.springframework.boot.security.web.servlet.ApplicationContextRequestMatcher;
 import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
 import org.springframework.core.annotation.MergedAnnotation;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/ManagementWebSecurityAutoConfiguration.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
@@ -24,9 +24,9 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.health.actuate.endpoint.HealthEndpoint;
-import org.springframework.boot.security.autoconfigure.ConditionalOnDefaultWebSecurity;
+import org.springframework.boot.security.autoconfigure.web.servlet.ConditionalOnDefaultWebSecurity;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterProperties;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.core.annotation.Order;
 import org.springframework.core.env.Environment;
@@ -48,7 +48,7 @@ import static org.springframework.security.config.Customizer.withDefaults;
  * @author Hatef Palizgar
  * @since 4.0.0
  */
-@AutoConfiguration(before = SecurityAutoConfiguration.class,
+@AutoConfiguration(before = ServletWebSecurityAutoConfiguration.class,
 		afterName = { "org.springframework.boot.health.autoconfigure.actuate.endpoint.HealthEndpointAutoConfiguration",
 				"org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration" })
 @ConditionalOnWebApplication(type = Type.SERVLET)
@@ -57,7 +57,7 @@ import static org.springframework.security.config.Customizer.withDefaults;
 public final class ManagementWebSecurityAutoConfiguration {
 
 	@Bean
-	@Order(SecurityProperties.BASIC_AUTH_ORDER)
+	@Order(SecurityFilterProperties.BASIC_AUTH_ORDER)
 	SecurityFilterChain managementSecurityFilterChain(Environment environment, HttpSecurity http) {
 		if (ClassUtils.isPresent("org.springframework.boot.health.actuate.endpoint.HealthEndpoint",
 				getClass().getClassLoader())) {

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/PathPatternRequestMatcherProvider.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import java.util.function.Function;
 

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/RequestMatcherProvider.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import org.jspecify.annotations.Nullable;
 

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/SecurityRequestMatchersManagementContextConfiguration.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import org.springframework.boot.actuate.autoconfigure.web.ManagementContextConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/package-info.java

@@ -18,6 +18,6 @@
  * Auto-configuration for actuator security using Spring MVC.
  */
 @NullMarked
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import org.jspecify.annotations.NullMarked;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/StaticResourceLocation.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure;
+package org.springframework.boot.security.autoconfigure.web;
 
 import java.util.Arrays;
 import java.util.stream.Stream;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/package-info.java

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Support classes for Spring Security web Auto-configuration.
+ */
+@NullMarked
+package org.springframework.boot.security.autoconfigure.web;
+
+import org.jspecify.annotations.NullMarked;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/reactive/PathRequest.java

@@ -14,9 +14,9 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.reactive;
+package org.springframework.boot.security.autoconfigure.web.reactive;
 
-import org.springframework.boot.security.autoconfigure.StaticResourceLocation;
+import org.springframework.boot.security.autoconfigure.web.StaticResourceLocation;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 
 /**

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/reactive/ReactiveWebSecurityAutoConfiguration.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.reactive;
+package org.springframework.boot.security.autoconfigure.web.reactive;
 
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
@@ -26,6 +26,7 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.security.autoconfigure.ReactiveUserDetailsServiceAutoConfiguration;
 import org.springframework.boot.security.autoconfigure.SecurityProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -48,10 +49,11 @@ import org.springframework.web.reactive.config.WebFluxConfigurer;
  * @author Madhura Bhave
  * @since 4.0.0
  */
-@AutoConfiguration
+@AutoConfiguration(after = ReactiveUserDetailsServiceAutoConfiguration.class,
+		afterName = "org.springframework.boot.webflux.autoconfigure.WebFluxAutoConfiguration")
 @EnableConfigurationProperties(SecurityProperties.class)
 @ConditionalOnClass({ Flux.class, EnableWebFluxSecurity.class, WebFilterChainProxy.class, WebFluxConfigurer.class })
-public final class ReactiveSecurityAutoConfiguration {
+public final class ReactiveWebSecurityAutoConfiguration {
 
 	@ConditionalOnWebApplication(type = Type.REACTIVE)
 	@Configuration(proxyBeanMethods = false)

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/reactive/StaticResourceRequest.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.reactive;
+package org.springframework.boot.security.autoconfigure.web.reactive;
 
 import java.util.EnumSet;
 import java.util.LinkedHashSet;
@@ -23,7 +23,7 @@ import java.util.stream.Stream;
 
 import reactor.core.publisher.Mono;
 
-import org.springframework.boot.security.autoconfigure.StaticResourceLocation;
+import org.springframework.boot.security.autoconfigure.web.StaticResourceLocation;
 import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/reactive/package-info.java

@@ -18,6 +18,6 @@
  * Auto-configuration for reactive Spring Security.
  */
 @NullMarked
-package org.springframework.boot.security.autoconfigure.reactive;
+package org.springframework.boot.security.autoconfigure.web.reactive;
 
 import org.jspecify.annotations.NullMarked;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/ConditionalOnDefaultWebSecurity.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import java.lang.annotation.Documented;
 import java.lang.annotation.ElementType;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/DefaultWebSecurityCondition.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import org.springframework.boot.autoconfigure.condition.AllNestedConditions;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/PathRequest.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import java.util.function.Supplier;
 
@@ -22,8 +22,8 @@ import jakarta.servlet.http.HttpServletRequest;
 import org.jspecify.annotations.Nullable;
 
 import org.springframework.boot.h2console.autoconfigure.H2ConsoleProperties;
-import org.springframework.boot.security.autoconfigure.StaticResourceLocation;
+import org.springframework.boot.security.autoconfigure.web.StaticResourceLocation;
-import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
+import org.springframework.boot.security.web.servlet.ApplicationContextRequestMatcher;
 import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/SecurityFilterAutoConfiguration.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import java.util.EnumSet;
 import java.util.stream.Collectors;
@@ -29,7 +29,6 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
 import org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration;
@@ -38,7 +37,7 @@ import org.springframework.security.web.context.AbstractSecurityWebApplicationIn
 
 /**
  * {@link EnableAutoConfiguration Auto-configuration} for Spring Security's Filter.
- * Configured separately from {@link SpringBootWebSecurityConfiguration} to ensure that
+ * Configured separately from {@link ServletWebSecurityAutoConfiguration} to ensure that
  * the filter's order is still configured when a user-provided
  * {@link WebSecurityConfiguration} exists.
  *
@@ -47,9 +46,9 @@ import org.springframework.security.web.context.AbstractSecurityWebApplicationIn
  * @author Andy Wilkinson
  * @since 4.0.0
  */
-@AutoConfiguration(after = SecurityAutoConfiguration.class)
+@AutoConfiguration(after = ServletWebSecurityAutoConfiguration.class)
 @ConditionalOnWebApplication(type = Type.SERVLET)
-@EnableConfigurationProperties(SecurityProperties.class)
+@EnableConfigurationProperties(SecurityFilterProperties.class)
 @ConditionalOnClass({ AbstractSecurityWebApplicationInitializer.class, SessionCreationPolicy.class })
 public final class SecurityFilterAutoConfiguration {
 
@@ -57,20 +56,20 @@ public final class SecurityFilterAutoConfiguration {
 
 	@Bean
 	@ConditionalOnBean(name = DEFAULT_FILTER_NAME)
-	DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(SecurityProperties securityProperties) {
+	DelegatingFilterProxyRegistrationBean securityFilterChainRegistration(
+			SecurityFilterProperties securityFilterProperties) {
 		DelegatingFilterProxyRegistrationBean registration = new DelegatingFilterProxyRegistrationBean(
 				DEFAULT_FILTER_NAME);
-		registration.setOrder(securityProperties.getFilter().getOrder());
+		registration.setOrder(securityFilterProperties.getOrder());
-		registration.setDispatcherTypes(getDispatcherTypes(securityProperties));
+		registration.setDispatcherTypes(getDispatcherTypes(securityFilterProperties));
 		return registration;
 	}
 
-	private @Nullable EnumSet<DispatcherType> getDispatcherTypes(SecurityProperties securityProperties) {
+	private @Nullable EnumSet<DispatcherType> getDispatcherTypes(SecurityFilterProperties securityFilterProperties) {
-		if (securityProperties.getFilter().getDispatcherTypes() == null) {
+		if (securityFilterProperties.getDispatcherTypes() == null) {
 			return null;
 		}
-		return securityProperties.getFilter()
+		return securityFilterProperties.getDispatcherTypes()
-			.getDispatcherTypes()
 			.stream()
 			.map((type) -> DispatcherType.valueOf(type.name()))
 			.collect(Collectors.toCollection(() -> EnumSet.noneOf(DispatcherType.class)));

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/SecurityFilterProperties.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.security.autoconfigure.web.servlet;
+
+import java.util.EnumSet;
+import java.util.Set;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.servlet.filter.OrderedFilter;
+import org.springframework.boot.web.servlet.DispatcherType;
+import org.springframework.core.Ordered;
+
+/**
+ * Configuration properties for Spring Security Filter.
+ *
+ * @author Phillip Webb
+ * @since 4.0.0
+ */
+@ConfigurationProperties("spring.security.filter")
+public class SecurityFilterProperties {
+
+	/**
+	 * Order applied to the {@code SecurityFilterChain} that is used to configure basic
+	 * authentication for application endpoints. Create your own
+	 * {@code SecurityFilterChain} if you want to add your own authentication for all or
+	 * some of those endpoints.
+	 */
+	public static final int BASIC_AUTH_ORDER = Ordered.LOWEST_PRECEDENCE - 5;
+
+	/**
+	 * Default order of Spring Security's Filter in the servlet container (i.e. amongst
+	 * other filters registered with the container). There is no connection between this
+	 * and the {@code @Order} on a {@code SecurityFilterChain}.
+	 */
+	public static final int DEFAULT_FILTER_ORDER = OrderedFilter.REQUEST_WRAPPER_FILTER_MAX_ORDER - 100;
+
+	/**
+	 * Security filter chain order for Servlet-based web applications.
+	 */
+	private int order = DEFAULT_FILTER_ORDER;
+
+	/**
+	 * Security filter chain dispatcher types for Servlet-based web applications.
+	 */
+	private Set<DispatcherType> dispatcherTypes = EnumSet.allOf(DispatcherType.class);
+
+	public int getOrder() {
+		return this.order;
+	}
+
+	public void setOrder(int order) {
+		this.order = order;
+	}
+
+	public Set<DispatcherType> getDispatcherTypes() {
+		return this.dispatcherTypes;
+	}
+
+	public void setDispatcherTypes(Set<DispatcherType> dispatcherTypes) {
+		this.dispatcherTypes = dispatcherTypes;
+	}
+
+}

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/ServletWebSecurityAutoConfiguration.java

@@ -14,15 +14,16 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
-import org.springframework.boot.security.autoconfigure.ConditionalOnDefaultWebSecurity;
+import org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
 import org.springframework.boot.webmvc.autoconfigure.DispatcherServletPath;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -36,13 +37,18 @@ import org.springframework.security.web.servlet.util.matcher.PathPatternRequestM
 import static org.springframework.security.config.Customizer.withDefaults;
 
 /**
- * {@link Configuration @Configuration} class securing servlet applications.
+ * {@link EnableAutoConfiguration Auto-configuration} for Spring Security.
  *
+ * @author Dave Syer
+ * @author Andy Wilkinson
  * @author Madhura Bhave
+ * @since 4.0.0
  */
-@Configuration(proxyBeanMethods = false)
+@AutoConfiguration(after = UserDetailsServiceAutoConfiguration.class,
+		afterName = "org.springframework.boot.webmvc.autoconfigure.WebMvcAutoConfiguration")
+@ConditionalOnClass(EnableWebSecurity.class)
 @ConditionalOnWebApplication(type = Type.SERVLET)
-class SpringBootWebSecurityConfiguration {
+public final class ServletWebSecurityAutoConfiguration {
 
 	@Configuration(proxyBeanMethods = false)
 	@ConditionalOnBean(DispatcherServletPath.class)
@@ -72,7 +78,7 @@ class SpringBootWebSecurityConfiguration {
 	static class SecurityFilterChainConfiguration {
 
 		@Bean
-		@Order(SecurityProperties.BASIC_AUTH_ORDER)
+		@Order(SecurityFilterProperties.BASIC_AUTH_ORDER)
 		SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) {
 			http.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated());
 			http.formLogin(withDefaults());
@@ -95,7 +101,7 @@ class SpringBootWebSecurityConfiguration {
 	@ConditionalOnMissingBean(name = BeanIds.SPRING_SECURITY_FILTER_CHAIN)
 	@ConditionalOnClass(EnableWebSecurity.class)
 	@EnableWebSecurity
-	static class WebSecurityEnablerConfiguration {
+	static class EnableWebSecurityConfiguration {
 
 	}
 

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/StaticResourceRequest.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import java.util.EnumSet;
 import java.util.LinkedHashSet;
@@ -25,8 +25,8 @@ import java.util.stream.Stream;
 import jakarta.servlet.http.HttpServletRequest;
 import org.jspecify.annotations.Nullable;
 
-import org.springframework.boot.security.autoconfigure.StaticResourceLocation;
+import org.springframework.boot.security.autoconfigure.web.StaticResourceLocation;
-import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
+import org.springframework.boot.security.web.servlet.ApplicationContextRequestMatcher;
 import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.boot.webmvc.autoconfigure.DispatcherServletPath;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;

module/spring-boot-security/src/main/java/org/springframework/boot/security/autoconfigure/web/servlet/package-info.java

@@ -18,6 +18,6 @@
  * Auto-configuration for Servlet-based Spring Security.
  */
 @NullMarked
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import org.jspecify.annotations.NullMarked;

module/spring-boot-security/src/main/java/org/springframework/boot/security/web/reactive/ApplicationContextServerWebExchangeMatcher.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.reactive;
+package org.springframework.boot.security.web.reactive;
 
 import java.util.function.Supplier;
 

module/spring-boot-security/src/main/java/org/springframework/boot/security/web/reactive/package-info.java

@@ -18,6 +18,6 @@
  * Classes and utilities for reactive Spring Security.
  */
 @NullMarked
-package org.springframework.boot.security.reactive;
+package org.springframework.boot.security.web.reactive;
 
 import org.jspecify.annotations.NullMarked;

module/spring-boot-security/src/main/java/org/springframework/boot/security/web/servlet/ApplicationContextRequestMatcher.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.servlet;
+package org.springframework.boot.security.web.servlet;
 
 import java.util.function.Supplier;
 

module/spring-boot-security/src/main/java/org/springframework/boot/security/web/servlet/package-info.java

@@ -18,6 +18,6 @@
  * Classes and utilities for Servlet-based Spring Security.
  */
 @NullMarked
-package org.springframework.boot.security.servlet;
+package org.springframework.boot.security.web.servlet;
 
 import org.jspecify.annotations.NullMarked;

module/spring-boot-security/src/main/resources/META-INF/spring/org.springframework.boot.actuate.autoconfigure.web.ManagementContextConfiguration.imports

@@ -1 +1 @@
-org.springframework.boot.security.autoconfigure.actuate.servlet.SecurityRequestMatchersManagementContextConfiguration
+org.springframework.boot.security.autoconfigure.actuate.web.servlet.SecurityRequestMatchersManagementContextConfiguration

module/spring-boot-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports

@@ -1,8 +1,9 @@
-org.springframework.boot.security.autoconfigure.actuate.reactive.ReactiveManagementWebSecurityAutoConfiguration
+org.springframework.boot.security.autoconfigure.ReactiveUserDetailsServiceAutoConfiguration
-org.springframework.boot.security.autoconfigure.actuate.servlet.ManagementWebSecurityAutoConfiguration
+org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration
-org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration
+org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration
-org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration
+org.springframework.boot.security.autoconfigure.actuate.web.reactive.ReactiveManagementWebSecurityAutoConfiguration
+org.springframework.boot.security.autoconfigure.actuate.web.servlet.ManagementWebSecurityAutoConfiguration
 org.springframework.boot.security.autoconfigure.rsocket.RSocketSecurityAutoConfiguration
-org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration
+org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration
-org.springframework.boot.security.autoconfigure.servlet.SecurityFilterAutoConfiguration
+org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterAutoConfiguration
-org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration
+org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/ReactiveUserDetailsServiceAutoConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.reactive;
+package org.springframework.boot.security.autoconfigure;
 
 import java.time.Duration;
 
@@ -25,7 +25,7 @@ import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.rsocket.autoconfigure.RSocketMessagingAutoConfiguration;
 import org.springframework.boot.rsocket.autoconfigure.RSocketStrategiesAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
@@ -42,7 +42,9 @@ import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
@@ -60,9 +62,7 @@ class ReactiveUserDetailsServiceAutoConfigurationTests {
 
 	@Test
 	void configuresADefaultUser() {
-		this.contextRunner
+		this.contextRunner.withClassLoader(filterAlternativeUserDetailsManager())
-			.withClassLoader(
-					new FilteredClassLoader(ClientRegistrationRepository.class, ReactiveOpaqueTokenIntrospector.class))
 			.withUserConfiguration(TestSecurityConfiguration.class)
 			.run((context) -> {
 				ReactiveUserDetailsService userDetailsService = context.getBean(ReactiveUserDetailsService.class);
@@ -72,9 +72,7 @@ class ReactiveUserDetailsServiceAutoConfigurationTests {
 
 	@Test
 	void userDetailsServiceWhenRSocketConfigured() {
-		new ApplicationContextRunner()
+		new ApplicationContextRunner().withClassLoader(filterAlternativeUserDetailsManager())
-			.withClassLoader(
-					new FilteredClassLoader(ClientRegistrationRepository.class, ReactiveOpaqueTokenIntrospector.class))
 			.withConfiguration(AutoConfigurations.of(ReactiveUserDetailsServiceAutoConfiguration.class,
 					RSocketMessagingAutoConfiguration.class, RSocketStrategiesAutoConfiguration.class))
 			.withUserConfiguration(TestRSocketSecurityConfiguration.class)
@@ -97,7 +95,7 @@ class ReactiveUserDetailsServiceAutoConfigurationTests {
 	@Test
 	void doesNotConfigureDefaultUserIfAuthenticationManagerAvailable() {
 		this.contextRunner.withUserConfiguration(AuthenticationManagerConfig.class, TestSecurityConfiguration.class)
-			.withConfiguration(AutoConfigurations.of(ReactiveSecurityAutoConfiguration.class))
+			.withConfiguration(AutoConfigurations.of(ReactiveWebSecurityAutoConfiguration.class))
 			.run((context) -> assertThat(context).getBean(ReactiveUserDetailsService.class).isNull());
 	}
 
@@ -127,9 +125,7 @@ class ReactiveUserDetailsServiceAutoConfigurationTests {
 
 	@Test
 	void userDetailsServiceWhenPasswordEncoderAbsentAndDefaultPassword() {
-		this.contextRunner
+		this.contextRunner.withClassLoader(filterAlternativeUserDetailsManager())
-			.withClassLoader(
-					new FilteredClassLoader(ClientRegistrationRepository.class, ReactiveOpaqueTokenIntrospector.class))
 			.withUserConfiguration(TestSecurityConfiguration.class)
 			.run(((context) -> {
 				MapReactiveUserDetailsService userDetailsService = context.getBean(MapReactiveUserDetailsService.class);
@@ -171,6 +167,11 @@ class ReactiveUserDetailsServiceAutoConfigurationTests {
 			}));
 	}
 
+	private FilteredClassLoader filterAlternativeUserDetailsManager() {
+		return new FilteredClassLoader(ClientRegistrationRepository.class, ReactiveOpaqueTokenIntrospector.class,
+				OpaqueTokenIntrospector.class, RelyingPartyRegistrationRepository.class);
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	@EnableWebFluxSecurity
 	@EnableConfigurationProperties(SecurityProperties.class)

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/SecurityAutoConfigurationTests.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.security.autoconfigure;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.autoconfigure.TestAutoConfigurationPackage;
+import org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoConfiguration;
+import org.springframework.boot.hibernate.autoconfigure.HibernateJpaAutoConfiguration;
+import org.springframework.boot.jdbc.autoconfigure.DataSourceAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.jpa.City;
+import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.orm.jpa.JpaTransactionManager;
+import org.springframework.security.authentication.AuthenticationEventPublisher;
+import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link SecurityAutoConfiguration}.
+ *
+ * @author Dave Syer
+ * @author Rob Winch
+ * @author Andy Wilkinson
+ * @author Madhura Bhave
+ */
+class SecurityAutoConfigurationTests {
+
+	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration(
+			AutoConfigurations.of(SecurityAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class));
+
+	@Test
+	void defaultAuthenticationEventPublisherRegistered() {
+		this.contextRunner.run((context) -> assertThat(context.getBean(AuthenticationEventPublisher.class))
+			.isInstanceOf(DefaultAuthenticationEventPublisher.class));
+	}
+
+	@Test
+	void defaultAuthenticationEventPublisherIsConditionalOnMissingBean() {
+		this.contextRunner.withUserConfiguration(AuthenticationEventPublisherConfiguration.class)
+			.run((context) -> assertThat(context.getBean(AuthenticationEventPublisher.class))
+				.isInstanceOf(AuthenticationEventPublisherConfiguration.TestAuthenticationEventPublisher.class));
+	}
+
+	@Test
+	void testJpaCoexistsHappily() {
+		this.contextRunner.withPropertyValues("spring.datasource.url:jdbc:hsqldb:mem:testsecdb")
+			.withUserConfiguration(EntityConfiguration.class)
+			.withConfiguration(
+					AutoConfigurations.of(HibernateJpaAutoConfiguration.class, DataSourceAutoConfiguration.class))
+			.run((context) -> assertThat(context.getBean(JpaTransactionManager.class)).isNotNull());
+		// This can fail if security @Conditionals force early instantiation of the
+		// HibernateJpaAutoConfiguration (e.g. the EntityManagerFactory is not found)
+	}
+
+	@Test
+	void testSecurityEvaluationContextExtensionSupport() {
+		this.contextRunner
+			.run((context) -> assertThat(context).getBean(SecurityEvaluationContextExtension.class).isNotNull());
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@TestAutoConfigurationPackage(City.class)
+	static class EntityConfiguration {
+
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	static class AuthenticationEventPublisherConfiguration {
+
+		@Bean
+		AuthenticationEventPublisher authenticationEventPublisher() {
+			return new TestAuthenticationEventPublisher();
+		}
+
+		class TestAuthenticationEventPublisher implements AuthenticationEventPublisher {
+
+			@Override
+			public void publishAuthenticationSuccess(Authentication authentication) {
+
+			}
+
+			@Override
+			public void publishAuthenticationFailure(AuthenticationException exception, Authentication authentication) {
+
+			}
+
+		}
+
+	}
+
+}

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/SecurityPropertiesTests.java

@@ -33,7 +33,7 @@ import static org.assertj.core.api.Assertions.assertThat;
  */
 class SecurityPropertiesTests {
 
-	private final SecurityProperties security = new SecurityProperties();
+	private final SecurityProperties properties = new SecurityProperties();
 
 	private Binder binder;
 
@@ -44,21 +44,9 @@ class SecurityPropertiesTests {
 		this.binder = new Binder(this.source);
 	}
 
-	@Test
-	void validateDefaultFilterOrderMatchesMetadata() {
-		assertThat(this.security.getFilter().getOrder()).isEqualTo(-100);
-	}
-
-	@Test
-	void filterOrderShouldBind() {
-		this.source.put("spring.security.filter.order", "55");
-		this.binder.bind("spring.security", Bindable.ofInstance(this.security));
-		assertThat(this.security.getFilter().getOrder()).isEqualTo(55);
-	}
-
 	@Test
 	void userWhenNotConfiguredShouldUseDefaultNameAndGeneratedPassword() {
-		SecurityProperties.User user = this.security.getUser();
+		SecurityProperties.User user = this.properties.getUser();
 		assertThat(user.getName()).isEqualTo("user");
 		assertThat(user.getPassword()).isNotNull();
 		assertThat(user.isPasswordGenerated()).isTrue();
@@ -70,8 +58,8 @@ class SecurityPropertiesTests {
 		this.source.put("spring.security.user.name", "foo");
 		this.source.put("spring.security.user.password", "password");
 		this.source.put("spring.security.user.roles", "ADMIN,USER");
-		this.binder.bind("spring.security", Bindable.ofInstance(this.security));
+		this.binder.bind("spring.security", Bindable.ofInstance(this.properties));
-		SecurityProperties.User user = this.security.getUser();
+		SecurityProperties.User user = this.properties.getUser();
 		assertThat(user.getName()).isEqualTo("foo");
 		assertThat(user.getPassword()).isEqualTo("password");
 		assertThat(user.isPasswordGenerated()).isFalse();
@@ -81,8 +69,8 @@ class SecurityPropertiesTests {
 	@Test
 	void passwordAutogeneratedIfEmpty() {
 		this.source.put("spring.security.user.password", "");
-		this.binder.bind("spring.security", Bindable.ofInstance(this.security));
+		this.binder.bind("spring.security", Bindable.ofInstance(this.properties));
-		assertThat(this.security.getUser().isPasswordGenerated()).isTrue();
+		assertThat(this.properties.getUser().isPasswordGenerated()).isTrue();
 	}
 
 }

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/UserDetailsServiceAutoConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure;
 
 import java.util.Collections;
 import java.util.function.Function;
@@ -33,8 +33,6 @@ import org.springframework.boot.autoconfigure.condition.ConditionEvaluationRepor
 import org.springframework.boot.autoconfigure.condition.ConditionEvaluationReport.ConditionAndOutcomes;
 import org.springframework.boot.autoconfigure.condition.ConditionOutcome;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
-import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration.MissingAlternativeOrUserPropertiesConfigured;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.runner.AbstractApplicationContextRunner;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
@@ -243,11 +241,12 @@ class UserDetailsServiceAutoConfigurationTests {
 			.get(UserDetailsServiceAutoConfiguration.class.getName());
 		assertThat(conditionAndOutcomes).isNotNull();
 		for (ConditionAndOutcome conditionAndOutcome : conditionAndOutcomes) {
-			if (conditionAndOutcome.getCondition() instanceof MissingAlternativeOrUserPropertiesConfigured) {
+			if (conditionAndOutcome
+				.getCondition() instanceof MissingAlternativeUserDetailsManagerOrUserPropertiesConfigured) {
 				return conditionAndOutcome.getOutcome();
 			}
 		}
-		fail("No outcome for MissingAlternativeOrUserPropertiesConfigured found");
+		fail("No outcome for MissingAlternativeUserDetailsManagerOrUserPropertiesConfigured found");
 		throw new AssertionError("Should not be reached");
 	}
 

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/reactive/EndpointRequestIntegrationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.reactive;
+package org.springframework.boot.security.autoconfigure.actuate.web.reactive;
 
 import java.time.Duration;
 import java.util.Base64;
@@ -33,8 +33,8 @@ import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.http.converter.autoconfigure.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.ReactiveUserDetailsServiceAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveUserDetailsServiceAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.assertj.AssertableReactiveWebApplicationContext;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
 import org.springframework.boot.tomcat.reactive.TomcatReactiveWebServerFactory;
@@ -110,7 +110,7 @@ class EndpointRequestIntegrationTests {
 		return createContextRunner().withPropertyValues("management.endpoints.web.exposure.include=*")
 			.withUserConfiguration(BaseConfiguration.class, SecurityConfiguration.class)
 			.withConfiguration(
-					AutoConfigurations.of(JacksonAutoConfiguration.class, ReactiveSecurityAutoConfiguration.class,
+					AutoConfigurations.of(JacksonAutoConfiguration.class, ReactiveWebSecurityAutoConfiguration.class,
 							ReactiveUserDetailsServiceAutoConfiguration.class, EndpointAutoConfiguration.class,
 							WebEndpointAutoConfiguration.class, ManagementContextAutoConfiguration.class));
 

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/reactive/EndpointRequestTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.reactive;
+package org.springframework.boot.security.autoconfigure.actuate.web.reactive;
 
 import java.time.Duration;
 import java.util.ArrayList;

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/reactive/ReactiveManagementWebSecurityAutoConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.reactive;
+package org.springframework.boot.security.autoconfigure.actuate.web.reactive;
 
 import java.net.URI;
 import java.time.Duration;
@@ -33,7 +33,7 @@ import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.health.autoconfigure.actuate.endpoint.HealthEndpointAutoConfiguration;
 import org.springframework.boot.health.autoconfigure.contributor.HealthContributorAutoConfiguration;
 import org.springframework.boot.health.autoconfigure.registry.HealthContributorRegistryAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.reactive.ReactiveWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.assertj.AssertableReactiveWebApplicationContext;
 import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
 import org.springframework.boot.webflux.autoconfigure.WebFluxAutoConfiguration;
@@ -72,7 +72,7 @@ class ReactiveManagementWebSecurityAutoConfigurationTests {
 				HealthContributorRegistryAutoConfiguration.class, HealthEndpointAutoConfiguration.class,
 				InfoEndpointAutoConfiguration.class, WebFluxAutoConfiguration.class,
 				EnvironmentEndpointAutoConfiguration.class, EndpointAutoConfiguration.class,
-				WebEndpointAutoConfiguration.class, ReactiveSecurityAutoConfiguration.class,
+				WebEndpointAutoConfiguration.class, ReactiveWebSecurityAutoConfiguration.class,
 				ReactiveManagementWebSecurityAutoConfiguration.class));
 
 	@Test

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/AbstractEndpointRequestIntegrationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import java.io.IOException;
 import java.time.Duration;
@@ -36,7 +36,8 @@ import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
 import org.springframework.boot.actuate.endpoint.annotation.WriteOperation;
 import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
 import org.springframework.boot.web.server.WebServer;
@@ -120,8 +121,8 @@ abstract class AbstractEndpointRequestIntegrationTests {
 		return createContextRunner().withPropertyValues("management.endpoints.web.exposure.include=*")
 			.withUserConfiguration(BaseConfiguration.class, SecurityConfiguration.class)
 			.withConfiguration(AutoConfigurations.of(JacksonAutoConfiguration.class, SecurityAutoConfiguration.class,
-					EndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class,
+					ServletWebSecurityAutoConfiguration.class, EndpointAutoConfiguration.class,
-					ManagementContextAutoConfiguration.class));
+					WebEndpointAutoConfiguration.class, ManagementContextAutoConfiguration.class));
 
 	}
 

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/EndpointRequestTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -33,8 +33,8 @@ import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMappedEndpoints;
 import org.springframework.boot.actuate.endpoint.web.WebServerNamespace;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.EndpointRequest.AdditionalPathsEndpointRequestMatcher;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.EndpointRequest.AdditionalPathsEndpointRequestMatcher;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.EndpointRequest.EndpointRequestMatcher;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.EndpointRequest.EndpointRequestMatcher;
 import org.springframework.boot.web.server.WebServer;
 import org.springframework.boot.web.server.context.WebServerApplicationContext;
 import org.springframework.http.HttpMethod;

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/ManagementWebSecurityAutoConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import java.io.IOException;
 import java.util.List;
@@ -31,8 +31,9 @@ import org.springframework.boot.autoconfigure.AutoConfigurations;
 import org.springframework.boot.health.autoconfigure.actuate.endpoint.HealthEndpointAutoConfiguration;
 import org.springframework.boot.health.autoconfigure.contributor.HealthContributorAutoConfiguration;
 import org.springframework.boot.health.autoconfigure.registry.HealthContributorRegistryAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.SecurityProperties;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterProperties;
+import org.springframework.boot.security.autoconfigure.web.servlet.ServletWebSecurityAutoConfiguration;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.assertj.AssertableWebApplicationContext;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
@@ -74,7 +75,8 @@ class ManagementWebSecurityAutoConfigurationTests {
 				HealthContributorRegistryAutoConfiguration.class, HealthEndpointAutoConfiguration.class,
 				InfoEndpointAutoConfiguration.class, EnvironmentEndpointAutoConfiguration.class,
 				EndpointAutoConfiguration.class, WebMvcAutoConfiguration.class, WebEndpointAutoConfiguration.class,
-				SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class));
+				SecurityAutoConfiguration.class, ServletWebSecurityAutoConfiguration.class,
+				ManagementWebSecurityAutoConfiguration.class));
 
 	private static Supplier<ConfigurableWebApplicationContext> contextSupplier() {
 		return WebApplicationContextRunner.withMockServletContext(MockWebServerApplicationContext::new);
@@ -222,7 +224,7 @@ class ManagementWebSecurityAutoConfigurationTests {
 	static class TestRemoteDevToolsSecurityFilterChainConfig extends TestSecurityFilterChainConfig {
 
 		@Bean
-		@Order(SecurityProperties.BASIC_AUTH_ORDER - 1)
+		@Order(SecurityFilterProperties.BASIC_AUTH_ORDER - 1)
 		SecurityFilterChain testRemoteDevToolsSecurityFilterChain(HttpSecurity http) {
 			http.securityMatcher(PathPatternRequestMatcher.withDefaults().matcher("/**"));
 			http.authorizeHttpRequests((requests) -> requests.anyRequest().anonymous());

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/MvcEndpointRequestIntegrationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import org.junit.jupiter.api.Test;
 

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/actuate/web/servlet/SecurityRequestMatchersManagementContextConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.actuate.servlet;
+package org.springframework.boot.security.autoconfigure.actuate.web.servlet;
 
 import org.junit.jupiter.api.Test;
 

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/jpa/JpaUserDetailsTests.java

@@ -22,7 +22,7 @@ import org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoCon
 import org.springframework.boot.hibernate.autoconfigure.HibernateJpaAutoConfiguration;
 import org.springframework.boot.jdbc.autoconfigure.DataSourceAutoConfiguration;
 import org.springframework.boot.jdbc.autoconfigure.EmbeddedDataSourceConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootContextLoader;
 import org.springframework.context.annotation.Import;
 import org.springframework.test.annotation.DirtiesContext;

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/reactive/PathRequestTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.reactive;
+package org.springframework.boot.security.autoconfigure.web.reactive;
 
 import org.junit.jupiter.api.Test;
 

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/reactive/ReactiveSecurityAutoConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.reactive;
+package org.springframework.boot.security.autoconfigure.web.reactive;
 
 import org.junit.jupiter.api.Test;
 import reactor.core.publisher.Flux;
@@ -36,14 +36,14 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
 
 /**
- * Tests for {@link ReactiveSecurityAutoConfiguration}.
+ * Tests for {@link ReactiveWebSecurityAutoConfiguration}.
  *
  * @author Madhura Bhave
  */
 class ReactiveSecurityAutoConfigurationTests {
 
 	private final ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
-		.withConfiguration(AutoConfigurations.of(ReactiveSecurityAutoConfiguration.class));
+		.withConfiguration(AutoConfigurations.of(ReactiveWebSecurityAutoConfiguration.class));
 
 	@Test
 	void backsOffWhenWebFilterChainProxyBeanPresent() {
@@ -53,8 +53,9 @@ class ReactiveSecurityAutoConfigurationTests {
 
 	@Test
 	void autoConfiguresDenyAllReactiveAuthenticationManagerWhenNoAlternativeIsAvailable() {
-		this.contextRunner.run((context) -> assertThat(context).hasSingleBean(ReactiveSecurityAutoConfiguration.class)
+		this.contextRunner
-			.hasBean("denyAllAuthenticationManager"));
+			.run((context) -> assertThat(context).hasSingleBean(ReactiveWebSecurityAutoConfiguration.class)
+				.hasBean("denyAllAuthenticationManager"));
 	}
 
 	@Test

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/reactive/StaticResourceRequestTests.java

@@ -14,14 +14,14 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.reactive;
+package org.springframework.boot.security.autoconfigure.web.reactive;
 
 import java.time.Duration;
 
 import org.assertj.core.api.AssertDelegateTarget;
 import org.junit.jupiter.api.Test;
 
-import org.springframework.boot.security.autoconfigure.StaticResourceLocation;
+import org.springframework.boot.security.autoconfigure.web.StaticResourceLocation;
 import org.springframework.boot.web.server.autoconfigure.ServerProperties;
 import org.springframework.context.support.StaticApplicationContext;
 import org.springframework.http.server.reactive.ServerHttpRequest;

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/servlet/PathRequestTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import jakarta.servlet.http.HttpServletRequest;
 import org.assertj.core.api.AssertDelegateTarget;

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/servlet/SecurityFilterAutoConfigurationEarlyInitializationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -33,6 +33,8 @@ import org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoCon
 import org.springframework.boot.http.converter.autoconfigure.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
 import org.springframework.boot.resttestclient.TestRestTemplate;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.UserDetailsServiceAutoConfiguration;
 import org.springframework.boot.test.system.CapturedOutput;
 import org.springframework.boot.test.system.OutputCaptureExtension;
 import org.springframework.boot.test.util.TestPropertyValues;
@@ -89,8 +91,9 @@ class SecurityFilterAutoConfigurationEarlyInitializationTests {
 	@Import({ DeserializerBean.class, JacksonModuleBean.class, ExampleController.class, ConverterBean.class })
 	@ImportAutoConfiguration({ WebMvcAutoConfiguration.class, JacksonAutoConfiguration.class,
 			HttpMessageConvertersAutoConfiguration.class, DispatcherServletAutoConfiguration.class,
-			SecurityAutoConfiguration.class, UserDetailsServiceAutoConfiguration.class,
+			SecurityAutoConfiguration.class, ServletWebSecurityAutoConfiguration.class,
-			SecurityFilterAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class })
+			UserDetailsServiceAutoConfiguration.class, SecurityFilterAutoConfiguration.class,
+			PropertyPlaceholderAutoConfiguration.class })
 	static class Config {
 
 		@Bean

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/servlet/SecurityFilterAutoConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import org.assertj.core.api.Assertions;
 import org.junit.jupiter.api.Test;
@@ -23,10 +23,11 @@ import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
 import org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoConfiguration;
 import org.springframework.boot.http.converter.autoconfigure.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.jackson.autoconfigure.JacksonAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityFilterAutoConfigurationEarlyInitializationTests.ConverterBean;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityFilterAutoConfigurationEarlyInitializationTests.DeserializerBean;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterAutoConfigurationEarlyInitializationTests.ConverterBean;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityFilterAutoConfigurationEarlyInitializationTests.ExampleController;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterAutoConfigurationEarlyInitializationTests.DeserializerBean;
-import org.springframework.boot.security.autoconfigure.servlet.SecurityFilterAutoConfigurationEarlyInitializationTests.JacksonModuleBean;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterAutoConfigurationEarlyInitializationTests.ExampleController;
+import org.springframework.boot.security.autoconfigure.web.servlet.SecurityFilterAutoConfigurationEarlyInitializationTests.JacksonModuleBean;
 import org.springframework.boot.servlet.filter.OrderedRequestContextFilter;
 import org.springframework.boot.web.context.servlet.AnnotationConfigServletWebApplicationContext;
 import org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean;
@@ -58,7 +59,7 @@ class SecurityFilterAutoConfigurationTests {
 	void filterIsOrderedShortlyAfterRequestContextFilter() {
 		try (AnnotationConfigServletWebApplicationContext context = new AnnotationConfigServletWebApplicationContext()) {
 			context.setServletContext(new MockServletContext());
-			context.register(SecurityAutoConfiguration.class);
+			context.register(ServletWebSecurityAutoConfiguration.class, SecurityAutoConfiguration.class);
 			context.register(Config.class);
 			context.refresh();
 			int securityFilterOrder = context.getBean(DelegatingFilterProxyRegistrationBean.class).getOrder();

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/servlet/SecurityFilterPropertiesTests.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.security.autoconfigure.web.servlet;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.boot.context.properties.bind.Bindable;
+import org.springframework.boot.context.properties.bind.Binder;
+import org.springframework.boot.context.properties.source.MapConfigurationPropertySource;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link SecurityFilterProperties}.
+ *
+ * @author Dave Syer
+ * @author Madhura Bhave
+ */
+class SecurityFilterPropertiesTests {
+
+	private final SecurityFilterProperties properties = new SecurityFilterProperties();
+
+	private Binder binder;
+
+	private final MapConfigurationPropertySource source = new MapConfigurationPropertySource();
+
+	@BeforeEach
+	void setUp() {
+		this.binder = new Binder(this.source);
+	}
+
+	@Test
+	void validateDefaultFilterOrderMatchesMetadata() {
+		assertThat(this.properties.getOrder()).isEqualTo(-100);
+	}
+
+	@Test
+	void filterOrderShouldBind() {
+		this.source.put("spring.security.filter.order", "55");
+		this.binder.bind("spring.security.filter", Bindable.ofInstance(this.properties));
+		assertThat(this.properties.getOrder()).isEqualTo(55);
+	}
+
+}

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/servlet/ServletWebSecurityAutoConfigurationTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
@@ -29,15 +29,12 @@ import org.jspecify.annotations.Nullable;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.boot.autoconfigure.AutoConfigurations;
-import org.springframework.boot.autoconfigure.TestAutoConfigurationPackage;
 import org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoConfiguration;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.boot.context.properties.ConfigurationPropertiesBinding;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.convert.ApplicationConversionService;
-import org.springframework.boot.hibernate.autoconfigure.HibernateJpaAutoConfiguration;
+import org.springframework.boot.security.autoconfigure.SecurityAutoConfiguration;
-import org.springframework.boot.jdbc.autoconfigure.DataSourceAutoConfiguration;
-import org.springframework.boot.security.autoconfigure.jpa.City;
 import org.springframework.boot.servlet.filter.OrderedFilter;
 import org.springframework.boot.test.context.FilteredClassLoader;
 import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
@@ -49,15 +46,9 @@ import org.springframework.context.annotation.AnnotationConfigApplicationContext
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.convert.converter.Converter;
-import org.springframework.orm.jpa.JpaTransactionManager;
-import org.springframework.security.authentication.AuthenticationEventPublisher;
-import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.web.PathPatternRequestMatcherBuilderFactoryBean;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
@@ -65,17 +56,18 @@ import org.springframework.security.web.servlet.util.matcher.PathPatternRequestM
 import static org.assertj.core.api.Assertions.assertThat;
 
 /**
- * Tests for {@link SecurityAutoConfiguration}.
+ * Tests for {@link ServletWebSecurityAutoConfiguration}.
  *
  * @author Dave Syer
  * @author Rob Winch
  * @author Andy Wilkinson
  * @author Madhura Bhave
  */
-class SecurityAutoConfigurationTests {
+class ServletWebSecurityAutoConfigurationTests {
 
-	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner().withConfiguration(
+	private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
-			AutoConfigurations.of(SecurityAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class));
+		.withConfiguration(AutoConfigurations.of(SecurityAutoConfiguration.class,
+				ServletWebSecurityAutoConfiguration.class, PropertyPlaceholderAutoConfiguration.class));
 
 	@Test
 	void testWebConfiguration() {
@@ -117,19 +109,6 @@ class SecurityAutoConfigurationTests {
 		}
 	}
 
-	@Test
-	void defaultAuthenticationEventPublisherRegistered() {
-		this.contextRunner.run((context) -> assertThat(context.getBean(AuthenticationEventPublisher.class))
-			.isInstanceOf(DefaultAuthenticationEventPublisher.class));
-	}
-
-	@Test
-	void defaultAuthenticationEventPublisherIsConditionalOnMissingBean() {
-		this.contextRunner.withUserConfiguration(AuthenticationEventPublisherConfiguration.class)
-			.run((context) -> assertThat(context.getBean(AuthenticationEventPublisher.class))
-				.isInstanceOf(AuthenticationEventPublisherConfiguration.TestAuthenticationEventPublisher.class));
-	}
-
 	@Test
 	void testDefaultFilterOrder() {
 		this.contextRunner.withConfiguration(AutoConfigurations.of(SecurityFilterAutoConfiguration.class))
@@ -149,23 +128,6 @@ class SecurityAutoConfigurationTests {
 				.isEqualTo(12345));
 	}
 
-	@Test
-	void testJpaCoexistsHappily() {
-		this.contextRunner.withPropertyValues("spring.datasource.url:jdbc:hsqldb:mem:testsecdb")
-			.withUserConfiguration(EntityConfiguration.class)
-			.withConfiguration(
-					AutoConfigurations.of(HibernateJpaAutoConfiguration.class, DataSourceAutoConfiguration.class))
-			.run((context) -> assertThat(context.getBean(JpaTransactionManager.class)).isNotNull());
-		// This can fail if security @Conditionals force early instantiation of the
-		// HibernateJpaAutoConfiguration (e.g. the EntityManagerFactory is not found)
-	}
-
-	@Test
-	void testSecurityEvaluationContextExtensionSupport() {
-		this.contextRunner
-			.run((context) -> assertThat(context).getBean(SecurityEvaluationContextExtension.class).isNotNull());
-	}
-
 	@Test
 	void defaultFilterDispatcherTypes() {
 		this.contextRunner.withConfiguration(AutoConfigurations.of(SecurityFilterAutoConfiguration.class))
@@ -238,36 +200,6 @@ class SecurityAutoConfigurationTests {
 			});
 	}
 
-	@Configuration(proxyBeanMethods = false)
-	@TestAutoConfigurationPackage(City.class)
-	static class EntityConfiguration {
-
-	}
-
-	@Configuration(proxyBeanMethods = false)
-	static class AuthenticationEventPublisherConfiguration {
-
-		@Bean
-		AuthenticationEventPublisher authenticationEventPublisher() {
-			return new TestAuthenticationEventPublisher();
-		}
-
-		class TestAuthenticationEventPublisher implements AuthenticationEventPublisher {
-
-			@Override
-			public void publishAuthenticationSuccess(Authentication authentication) {
-
-			}
-
-			@Override
-			public void publishAuthenticationFailure(AuthenticationException exception, Authentication authentication) {
-
-			}
-
-		}
-
-	}
-
 	@Configuration(proxyBeanMethods = false)
 	static class TestSecurityFilterChainConfig {
 

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/servlet/StaticResourceRequestTests.java

@@ -14,14 +14,14 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import jakarta.servlet.http.HttpServletRequest;
 import org.assertj.core.api.AssertDelegateTarget;
 import org.jspecify.annotations.Nullable;
 import org.junit.jupiter.api.Test;
 
-import org.springframework.boot.security.autoconfigure.StaticResourceLocation;
+import org.springframework.boot.security.autoconfigure.web.StaticResourceLocation;
 import org.springframework.boot.webmvc.autoconfigure.DispatcherServletPath;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockServletContext;

module/spring-boot-security/src/test/java/org/springframework/boot/security/autoconfigure/web/servlet/TestWebApplicationContext.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.autoconfigure.servlet;
+package org.springframework.boot.security.autoconfigure.web.servlet;
 
 import org.jspecify.annotations.Nullable;
 

module/spring-boot-security/src/test/java/org/springframework/boot/security/web/reactive/ApplicationContextServerWebExchangeMatcherTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.reactive;
+package org.springframework.boot.security.web.reactive;
 
 import java.util.function.Supplier;
 

module/spring-boot-security/src/test/java/org/springframework/boot/security/web/servlet/ApplicationContextRequestMatcherTests.java

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.security.servlet;
+package org.springframework.boot.security.web.servlet;
 
 import java.lang.Thread.UncaughtExceptionHandler;
 import java.util.ArrayList;

smoke-test/spring-boot-smoke-test-actuator-custom-security/src/main/java/smoketest/actuator/customsecurity/SecurityConfiguration.java

@@ -20,8 +20,8 @@ import java.util.ArrayList;
 import java.util.List;
 
 import org.springframework.boot.actuate.web.mappings.MappingsEndpoint;
-import org.springframework.boot.security.autoconfigure.actuate.servlet.EndpointRequest;
+import org.springframework.boot.security.autoconfigure.actuate.web.servlet.EndpointRequest;
-import org.springframework.boot.security.autoconfigure.servlet.PathRequest;
+import org.springframework.boot.security.autoconfigure.web.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;