While upgrading to Spring Security 7 snapshots, I've noticed that AuditAutoConfiguration had @ConditionalOnClass on a class that no longer exists. Turns out these conditions on bean methods aren't legit as they don't prevent the signature of the method from being loaded. To be effective, they must be put on a @Configuration class where the condition can back off before the type is loaded.
Perhaps we should review these usages and add a rule to prevent that from happening?
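The pattern described above, as an added example that is not Spring Boot's own code: the condition on a bean method shown beside the same condition moved to a nested configuration class. `ExampleAuditAutoConfiguration`, `OptionalEvent` and `OptionalEventListener` are hypothetical names standing in for the auto-configuration and for types from an optional dependency.

```java
package com.example.autoconfigure; // hypothetical package

import com.example.optional.OptionalEventListener; // hypothetical type from an optional dependency

import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@AutoConfiguration
public class ExampleAuditAutoConfiguration {

    // BEFORE (ineffective): the condition sits on the bean method itself.
    // Spring has to introspect this class's methods before it can evaluate
    // the condition, so the return type in the signature is loaded anyway
    // and the condition does not protect against the type being absent.
    //
    // @Bean
    // @ConditionalOnClass(name = "com.example.optional.OptionalEvent")
    // @ConditionalOnMissingBean
    // OptionalEventListener optionalEventListener() {
    //     return new OptionalEventListener();
    // }

    // AFTER: the condition sits on a nested configuration class. It is
    // evaluated from annotation metadata, so when the class named in the
    // condition is missing the whole nested class backs off and its method
    // signatures are never loaded.
    @Configuration(proxyBeanMethods = false)
    @ConditionalOnClass(name = "com.example.optional.OptionalEvent")
    static class OptionalEventListenerConfiguration {

        @Bean
        @ConditionalOnMissingBean
        OptionalEventListener optionalEventListener() {
            return new OptionalEventListener();
        }
    }
}
```

The class name passed to `name` is a plain string, so the compiler does not notice when the class is removed upstream; the condition then simply never matches and the bean is silently not registered.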