We decided to implement separate security lib in our project. It will be shared among loads of our services. We created an @EnableApiKeyAuth annotation that imports our custom security config which implies the protection of all requests via a specific header. However, if we are going to use our library, but don't want to put this annotation in the application class, the default authentication will be enabled because of the presence of the spring-security-core in our lib's classpath. The obvious way to fix it is to exclude SecurityAutoConfiguration, but it's inconvenient since we are obliged to do that in every service where we don't want to use the aforementioned annotation. I implemented the so-called DefaultSecurityConfiguration in our security lib that is enabled only if there is no WebSecurityConfigurerAdapter in the application context. I suggest that this behavior is quite irrational. Could you fix it in the nearest time, please?