Looks like spring-security-3.1.xsd needs an update. I was checking through the bean definition parsers to figure out precisely what auto-config does these days, and this description found in the xsd no longer fits:
"Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If unspecified, defaults to "false"."
For one, it no longer configures remember-me (see
SEC-1044.) Best I can tell, it does only three things:
1) form auth
2) basic auth
So these need to be removed due to no longer being enabled by auto-config:
And this needs to be removed due to ALWAYS being configured by the <http> element regardless of auto-config (as long as you don't manually set it to false):
Double-check me, but I think this is right.