what is the use of auto-config=true in spring security. In which scenario we should use this. what is the actual use of using auto-config=true ?

auto-config="true" is equivalent to:

<http>
    <form-login />
    <http-basic />
    <logout />
</http>

so it gives you a very basic security configuration to boot.

Source: https://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-auto-config

auto-config='true' means for the intercept-url pattern the spring security provides the default login screen

This is one of the cases where we use auto-config = true:

<http auto-config='true'>
  <intercept-url pattern="/**" access="ROLE_USER" />
</http>

This declaration means we want all URLs within our application to be secured, requiring the role ROLE_USER to access them. The element is the parent for all web-related namespace functionality. The element defines a pattern which is matched against the URLs of incoming requests using an ant path style syntax

Spring Security Reference:

"Use of this attribute is not recommended. Use explicit configuration elements instead to avoid confusion."

Source: https://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/html5/#nsa-http-attributes