Spring Security Autoconfiguration isn't stateless anymore
This is a follow-up to https://twitter.com/rotnroll666/status/904998421618196481
The attached two projects are identical apart from being BUILD-SNAPSHOT vs M3. demo-sec-build-snapshot.zip demo-sec-m3.zip
There’s a simple REST controller in both projects:
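import java.security.Principal;
import java.util.Optional;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api")
public class ApiController {
    // Greets the authenticated principal by name, or "Anonymous" if there is none.
    @GetMapping("/greeting")
    public String getGreeting(
        final Principal principal)
    {
        return String.format(
            "Hello, %s.",
            Optional.ofNullable(principal)
                .map(Principal::getName)
                .orElse("Anonymous"));
    }
}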
Spring Security generates a password in both cases and logs it to console as expected.
Basic auth does work with both projects.
But the build snapshot generates a session and a corresponding cookie / session id and offers a form login (which works):
curl -v http://localhost:8080/api/greeting
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /api/greeting HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 302
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Set-Cookie: JSESSIONID=81C71E0637FAA72F423FFBC4139BFA46; Path=/; HttpOnly
< Location: http://localhost:8080/login
< Content-Length: 0
< Date: Tue, 05 Sep 2017 09:18:52 GMT
Basic-Auth still works, though.
The session creation policy that was set to SessionCreationPolicy.STATELESS before disappeared through @mbhave’s change https://github.com/spring-projects/spring-boot/commit/e08ddbf838a54e589c07e2be36153a3f330f9550
If it stays that way it should be documented in the reference.
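An added example, not part of the original issue or of Spring Boot itself: one way an application can pin the stateless, Basic-only behaviour explicitly instead of relying on the autoconfiguration default. It assumes the Spring Security 5 `WebSecurityConfigurerAdapter` API that these milestone builds ship with (later Spring Security versions replace it with a `SecurityFilterChain` bean); the class name `StatelessApiSecurityConfig` is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

// Hypothetical class name; drop it next to ApiController in either demo project.
@Configuration
@EnableWebSecurity
public class StatelessApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Every endpoint, including /api/greeting, requires credentials.
                .anyRequest().authenticated()
                .and()
            // Basic auth only. formLogin() is deliberately not called, so an
            // unauthenticated request is challenged instead of being
            // redirected to /login.
            .httpBasic()
                .and()
            .sessionManagement()
                // Spring Security neither creates an HttpSession nor reads the
                // SecurityContext from one. This only governs Spring Security's
                // own session use: application code or other filters that call
                // request.getSession() can still create a JSESSIONID.
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}
```

With this configuration, the unauthenticated curl request shown in the issue is answered with a 401 and a `WWW-Authenticate: Basic` challenge rather than a 302 and a `JSESSIONID` cookie.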
I think @snicoll and I replied simultaneously! I’ll go ahead and close the issue in favor of #7958
@michael-simons thanks for pointing out the documentation gap. We are still ironing out a few things and will update the docs shortly. I’ve kept the original issue open for doc updates.