Spring Security DefaultSecurityFilterChain version upgrade to 2.6.* changes log behaviour (and meaning)

Describe the bug The INFO log of the DefaultSecurityFilterChain changed from 'Will secure any request with [WebAsyncIntegrationFilter, etc...]' to 'Will not secure any request' with the same setup in both projects.

To Reproduce Create a spring boot project with dependencies: Spring Boot Web, Spring Boot Security Parent version 2.6.4

Create a security configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        super.configure(auth);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                .authorizeRequests()
                .anyRequest().authenticated();
    }
}

Start the app. A 'Will not secure any request' should appear in the logs. Repeat the process for version 2.5.5 and 'Will secure any request with [...]' logs should appear.

Expected behavior Did I miss a major change to building the security filter chain? My requests to endpoints still seem to be authenticated in 2.6.4 but the log is very deceiving.

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.

Comment From: jksevend

See https://github.com/spring-projects/spring-security/commit/20d21f8eeb2b5f28ca702b936a82720358646b8c

Comment From: jzheaux

Thanks for the report, @jksevend. I've scheduled this for the next maintenance release.

Comment From: jzheaux

@jksevend, actually, this now appears to be a duplicate of https://github.com/spring-projects/spring-security/issues/10909, which was backported to 5.6 and will come out in the next maintenance release.