SpringBoot Cannot access a Jolokia endpoint with spring security on

I have Spring Boot 3.1.5 and inside yaml I have:

management:
  security:
    enabled: false
  endpoint:
    metrics.enabled: true
    httptrace.enabled: true
    shutdown.enabled: true
  endpoints:
    web.exposure.include: metrics, health, info, httptrace, jolokia
    jmx.exposure.include: health

I also have spring security on cp, and I think that I have enabled the path correctly:

@Bean
 public SecurityFilterChain getSecurityFilterChain(HttpSecurity http) throws Exception {

        return http.csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(
                        (requests) ->
                                requests.requestMatchers(HttpMethod.GET,
                                                Stream.concat(
                                                                Arrays.stream(AUTH_WHITELIST),  //{"/actuator/**"};
                                                                Arrays.stream(OPEN_API_WHITELIST)) //other swagger endpoints etc
                                                        .toArray(String[]::new))
                                        .permitAll()
                                        .anyRequest()
                                        .authenticated())
                .sessionManagement(
                        session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .exceptionHandling(
                        httpSecurityExceptionHandlingConfigurer ->
                                httpSecurityExceptionHandlingConfigurer.authenticationEntryPoint(
                                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
                .csrf()
                .disable()
                .logout()
                .disable()
                .build();
    }

I get 401 at http://localhost:8080/actuator/jolokia

I also added a bean as suggested on the docs:

@Bean
    public ServletRegistrationBean<AgentServlet> jolokia() {
        ServletRegistrationBean<AgentServlet> jolokiaServlet = new ServletRegistrationBean<>(new AgentServlet(), "/jolokia/*");
        jolokiaServlet.setLoadOnStartup(0);
        jolokiaServlet.setAsyncSupported(true);
        jolokiaServlet.setInitParameters(Map.of(ConfigKey.DEBUG.getKeyValue(), "true"));
        jolokiaServlet.setInitParameters(Map.of(ConfigKey.AGENT_DESCRIPTION.getKeyValue(), "Spring Servlet Jolokia Agent"));
        return jolokiaServlet;
    }

Don't understand this log line: [o.a.c.c.C.[Tomcat].[localhost].[/]] SID= CID= [restartedMain] correlationId= channel= externalReferenceId= jolokia: No access restrictor found, access to any MBean is allowed

Related with:

https://github.com/spring-projects/spring-boot/issues/37568

Comment From: wilkinsona

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add some more details if you feel this is a genuine bug.