Luke Taylor (Migrated from SEC-1152) said:
An AnonymousProcessingFilter should probably be added to the configuration by default, rather than only with auto-config, with the option of disabling it by using an "enabled" flag on the element:
The AnonymousProcessingFilter has very little impact on most apps, but some users try to use the corresponding IS_AUTHENTICATED attributes without auto-config enabled and don't realise why it doesn't work.
Luke Taylor said:
Remember-me part was already done (SEC-1044). Changing description to apply only to anonymous auth.
I've modified HttpSecurityBeanDefinitionParser and its tests to enable the anonymous filter by default.