The secure flag dictates if Spring Security's mock mvc support should be auto-configured when it is on the classpath. It also imports SecurityAutoConfiguration if set to true. However, Spring Security provides some handy test support which means you do not need to disable security for tests in most cases. For example, you can add @WithMockUser and the test will run with an authenticated user.
This will also cause this bug to go away.
While I can appreciate the intention to use an existing facility for mocking security, I think there's a legitimate use case for disabling security altogether for testing controllers that don't have any security constraints. It's fairly common to pull in service-layer components to the security configuration, and for controllers that are outside the Spring Security filter chain that results in a lot of unrelated configuration required to simply satisfy dependencies that would otherwise not be required. secure=false is a simple solution; unfortunately I've not found an equivalent solution to disable Spring Security auto-configuration.
Please let me know if I should raise this concern in a more appropriate forum.
When you are testing a controller that should not have any security constraints, do you not want the tests to verify that they have no security constraints? secure=false may have been simple, but it brought with it a risk of buggy security configuration going undetected.
@wilkinsona You make a fair point for simple cases like a site that has a public landing page but everything else requires authentication. You presumably want the public view to flex the isAuthenticatedAnonymously constraint. Thinking about it more conceptually, though, I have controllers that are semantically _outside_ Spring Security and I simply want to disable security altogether. Unfortunately the implementation of SS on top of the servlet spec and filters gets in the way and the filter chain runs whether I want it to or not. If there were a lower-level flag that I could toggle to get this behavior, that would be fine, but I'm not aware of any such capability.
I'm using
@WebAppConfiguration
@Import({MockMvcAutoConfiguration.class})
@EnableConfigurationProperties({ResourceProperties.class, WebMvcProperties.class})
instead of @WebMvcTest to avoid Spring Security filters.
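The approach suggested earlier in the thread, keeping the Spring Security filter chain active under @WebMvcTest and adding @WithMockUser only where a user is needed, can look like the following. This is an added example, not code from the thread or from Spring Boot; it assumes Spring Boot 3.x with spring-security-test on the classpath, and `DemoController`, `SecurityConfig` and the two routes are hypothetical.

```java
// Added example: DemoController, SecurityConfig and both routes are hypothetical.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.*;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.*;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest
class EndpointSecurityTest {
    @RestController // one route meant to be public, one meant to be protected
    static class DemoController {
        @GetMapping("/public/hello") public String hello() { return "hello"; }
        @GetMapping("/account") public String account() { return "account"; }
    }

    @Configuration @EnableWebSecurity // stands in for the application's own rules
    @Import(DemoController.class)
    static class SecurityConfig {
        @Bean
        SecurityFilterChain chain(HttpSecurity http) throws Exception {
            return http.authorizeHttpRequests(a -> a
                    .requestMatchers("/public/**").permitAll()
                    .anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults()).build();
        }
    }

    @Autowired MockMvc mvc;

    @Test // filters are active, so a 200 here shows the route really is unconstrained
    void publicRouteNeedsNoUser() throws Exception {
        mvc.perform(get("/public/hello")).andExpect(status().isOk());
    }
    @Test // a rule that accidentally opened /account would fail this test
    void protectedRouteRejectsAnonymous() throws Exception {
        mvc.perform(get("/account")).andExpect(status().isUnauthorized());
    }
    @Test @WithMockUser // authenticated principal supplied by spring-security-test
    void protectedRouteAcceptsMockUser() throws Exception {
        mvc.perform(get("/account")).andExpect(status().isOk());
    }
}
```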