Summary

When configuring both jwkSetUri and jwtDecoder in the Resource Server Kotlin DSL, the jwkSetUri always takes precedence. Instead, whichever was declared last should take precedence. Consider the following configuration:

import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder

@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http {
            oauth2ResourceServer {
                jwt {
                    // Declared first: a JWK Set URI the DSL would build a decoder from
                    jwkSetUri = "https://example1.com/oauth2/jwk1"
                    // Declared last: an explicit decoder pointing at a different JWK Set
                    jwtDecoder = NimbusJwtDecoder.withJwkSetUri("https://example2.com/oauth2/jwk2").build()
                }
            }
        }
    }
}

Actual Behavior

The JWT decoder uses the JWK Set URI "https://example1.com/oauth2/jwk1".

Expected Behavior

The JWT decoder should use the JWK Set URI "https://example2.com/oauth2/jwk2".

Note: This is a contrived example since it does not make sense to set both jwkSetUri and jwtDecoder in the same configuration. A realistic situation where this may occur is when inheriting from a parent configuration.
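An added illustration (not Spring Security's own code) of the two precedence rules using a minimal stand-in for the `jwt { }` block: the first class consults jwkSetUri before jwtDecoder, reproducing the reported behaviour, while the second lets whichever property was assigned last win by clearing the other on assignment. `JwtDecoder` and `NimbusJwtDecoder` are the real Spring classes; `BuggyJwtDsl`, `LastWinsJwtDsl` and `resolve()` are hypothetical names chosen for this example.

```kotlin
import org.springframework.security.oauth2.jwt.JwtDecoder
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder

// Hypothetical stand-in for the reported behaviour: jwkSetUri is consulted
// first, so it wins regardless of which property was assigned last.
class BuggyJwtDsl {
    var jwkSetUri: String? = null
    var jwtDecoder: JwtDecoder? = null

    fun resolve(): JwtDecoder {
        jwkSetUri?.let { return NimbusJwtDecoder.withJwkSetUri(it).build() }
        return jwtDecoder ?: error("no decoder configured")
    }
}

// Hypothetical stand-in for the expected behaviour: assigning either property
// clears the other, so only the last declaration is left to apply.
class LastWinsJwtDsl {
    private var _jwkSetUri: String? = null
    private var _jwtDecoder: JwtDecoder? = null

    var jwkSetUri: String?
        get() = _jwkSetUri
        set(value) { _jwkSetUri = value; _jwtDecoder = null }

    var jwtDecoder: JwtDecoder?
        get() = _jwtDecoder
        set(value) { _jwtDecoder = value; _jwkSetUri = null }

    fun resolve(): JwtDecoder =
        _jwtDecoder
            ?: _jwkSetUri?.let { NimbusJwtDecoder.withJwkSetUri(it).build() }
            ?: error("no decoder configured")
}

fun main() {
    // Constructed decoder for the URI declared last in the issue's configuration.
    val jwk2 = NimbusJwtDecoder.withJwkSetUri("https://example2.com/oauth2/jwk2").build()

    val buggy = BuggyJwtDsl().apply {
        jwkSetUri = "https://example1.com/oauth2/jwk1"
        jwtDecoder = jwk2
    }
    // Reported: resolve() builds a fresh decoder from jwk1, ignoring the explicit one.
    println("buggy keeps the decoder declared last: ${buggy.resolve() === jwk2}")

    val fixed = LastWinsJwtDsl().apply {
        jwkSetUri = "https://example1.com/oauth2/jwk1"
        jwtDecoder = jwk2
    }
    // Expected: resolve() returns the decoder declared last (jwk2).
    println("fixed keeps the decoder declared last: ${fixed.resolve() === jwk2}")
}
```

Building a NimbusJwtDecoder from a URI does not fetch the JWK Set until a token is decoded, so the example runs without network access.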