5e3cc95ccf
Actually the web-secure sample is misusing security.basic.enabled=false (IMO) - it should be a flag to say that you want to temporarily disable the basic security fallback on application endpoins, not way to disable all security autoconfiguration. Added test case to web-secure sample to ensure a user can log in. Fixes gh-979