The @EnableWebSecurity is a marker annotation. It allows Spring to find (it’s a @Configuration and, therefore, @Component) and automatically apply the class to the global WebSecurity.
If I don’t annotate any of my class with
@EnableWebSecuritystill the application prompting for username and password.
Yes, it is the default behavior. If you looked at your classpath, you could find other classes marked with that annotation (depends on your dependencies):
SpringBootWebSecurityConfiguration;FallbackWebSecurityAutoConfiguration;WebMvcSecurityConfiguration.
Consider them carefully, turn the needed configuration off, or override its behavior.