diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java index 42bc0ca318f..48d697c3142 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/AuthenticationManagerConfiguration.java @@ -23,7 +23,6 @@ import java.util.Set; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; - import org.springframework.beans.factory.NoSuchBeanDefinitionException; import org.springframework.beans.factory.SmartInitializingSingleton; import org.springframework.beans.factory.annotation.Autowired; 
@@ -52,11 +51,13 @@ import org.springframework.util.ReflectionUtils; /** * Configuration for a Spring Security in-memory {@link AuthenticationManager}. Can be - * disabled by providing a bean of type AuthenticationManager. The value provided by this - * configuration will become the "global" authentication manager (from Spring Security), - * or the parent of the global instance. Thus it acts as a fallback when no others are - * provided, is used by method security if enabled, and as a parent authentication manager - * for "local" authentication managers in individual filter chains. + * disabled by providing a bean of type AuthenticationManager, or by autowiring an + * {@link AuthenticationManagerBuilder} into a method in one of your configuration + * classes. The value provided by this configuration will become the "global" + * authentication manager (from Spring Security), or the parent of the global instance. + * Thus it acts as a fallback when no others are provided, is used by method security if + * enabled, and as a parent authentication manager for "local" authentication managers in + * individual filter chains. * * @author Dave Syer * @author Rob Winch diff --git a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java index e24fa6e9f20..fedfa3274a5 100644 --- a/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java +++ b/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SpringBootWebSecurityConfiguration.java 
@@ -36,6 +36,7 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.WebSecurityConfigurer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; @@ -60,8 +61,7 @@ import org.springframework.util.StringUtils; * externalized application properties (or via an bean definition of that type to set the * defaults). The user details for authentication are just placeholders * {@code (username=user, password=password)} but can easily be customized by providing a - * bean definition of type {@link AuthenticationManager}. Also provides audit logging of - * authentication events. + * an {@link AuthenticationManager}. Also provides audit logging of authentication events. *

* Some common simple customizations: *

diff --git a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc index e87c9babac9..f101a8b498e 100644 --- a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc +++ b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc @@ -1860,10 +1860,14 @@ properties are externalized via The default security configuration is implemented in `SecurityAutoConfiguration` and in the classes imported from there (`SpringBootWebSecurityConfiguration` for web security and `AuthenticationManagerConfiguration` for authentication configuration which is also -relevant in non-web applications). To switch off the Boot default configuration -completely in a web application you can add a bean with `@EnableWebSecurity`. To customize +relevant in non-web applications). To switch off the default web security configuration +completely you can add a bean with `@EnableWebSecurity` (this does not disable the +authentication manager configuration). To customize it you normally use external properties and beans of type `WebSecurityConfigurerAdapter` -(e.g. to add form-based login). There are several secure applications in the +(e.g. to add form-based login). To also switch off the authentication manager configuration +you can add a bean of type `AuthenticationManager`, or else configure the +global `AuthenticationManager` by `@Autowiring` an `AuthenticationManagerBuilder` into +a method in one of your `@Configuration` classes. There are several secure applications in the {github-code}/spring-boot-samples/[Spring Boot samples] to get you started with common use cases.
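Review bot: In the class Javadoc of AuthenticationManagerConfiguration (hunk @@ -52,11 +51,13), the new clause "or by autowiring an {@link AuthenticationManagerBuilder} into a method in one of your configuration classes" names a second way to disable this configuration but does not say what the application is left with afterwards. The same comment describes this manager as the fallback for method security and the parent of the "local" managers in individual filter chains, so please add a sentence stating whether the in-memory default user still exists once the builder is autowired, and that the method receiving the builder is then expected to register the users or providers itself. None of the hunks shown here touches behaviour or tests, so a pointer to the test that covers this back-off would help.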
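Review bot: In SpringBootWebSecurityConfiguration (hunk @@ -36,6 +36,7), the added import of org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder is not referenced by anything else in the visible changes to this file; the Javadoc hunk that follows still links only {@link AuthenticationManager}. Either mention {@link AuthenticationManagerBuilder} in the class Javadoc, which would bring it in line with the AuthenticationManagerConfiguration and asciidoc changes, or drop the import so it does not end up unused.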
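Review bot: In the SpringBootWebSecurityConfiguration Javadoc (hunk @@ -60,8 +61,7), the unchanged line ends with "by providing a" and the new line starts with "an {@link AuthenticationManager}", so the rendered sentence reads "by providing a an AuthenticationManager". Remove one of the two articles. While this sentence is being edited, it is also worth confirming that the placeholder credentials it quotes, {@code (username=user, password=password)}, still match what the authentication manager configuration creates by default.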
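Review bot: In spring-boot-features.adoc (hunk @@ -1860,10 +1860,14), `@Autowiring` is formatted as an annotation but no such annotation exists; write "by autowiring (`@Autowired`) an `AuthenticationManagerBuilder`" or similar. The parenthetical "(this does not disable the authentication manager configuration)" is the part readers most need when they add `@EnableWebSecurity`, yet the instructions for switching that configuration off come two sentences later, after the `WebSecurityConfigurerAdapter` remark. Consider moving the "To also switch off the authentication manager configuration" sentence directly after the parenthetical so the caveat and its remedy are read together.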