Summary

When both introspectionClientCredentials and introspector are configured in the Resource Server Kotlin DSL for Opaque Token, the client credentials always take precedence. Instead, whichever was declared last should take precedence. Consider the following configuration:

import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.config.web.servlet.invoke
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector

@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {

    override fun configure(http: HttpSecurity) {
        http {
            oauth2ResourceServer {
                opaqueToken {
                    // Declared first: endpoint plus client credentials
                    introspectionUri = "https://example1.com/introspect"
                    introspectionClientCredentials("client1", "secret1")
                    // Declared last: a fully built (servlet, non-reactive) introspector
                    introspector = NimbusOpaqueTokenIntrospector("https://example2.com/introspect", "client2", "secret2")
                }
            }
        }
    }
}

Actual Behavior

The introspection endpoint called is "https://example1.com/introspect" with the credentials "client1", "secret1".

Expected Behavior

The introspection endpoint that should be called is "https://example2.com/introspect" with the credentials "client2", "secret2".

Note: This is a contrived example since it does not make sense to set both introspector and introspectionClientCredentials in the same configuration. A realistic situation where this may occur is when inheriting from a parent configuration.
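To make the precedence difference concrete, here is an added stand-alone Kotlin sketch that is not Spring Security's own code: OpaqueTokenSettings is a hypothetical stand-in for the opaqueToken DSL block and Resolved models the introspector that results. With lastDeclarationWins = false it reproduces the reported behaviour (credentials always win); with true, each declaration clears the competing one, so the later declaration takes effect in either order.

```kotlin
// Hypothetical model of the DSL state; not Spring Security's OpaqueTokenDsl.
data class Resolved(val uri: String, val clientId: String, val secret: String)

class OpaqueTokenSettings(private val lastDeclarationWins: Boolean) {
    private var uri: String? = null
    private var credentials: Pair<String, String>? = null
    private var explicit: Resolved? = null

    var introspectionUri: String?
        get() = uri
        set(value) {
            uri = value
            // A URI declared after an introspector should supersede it.
            if (lastDeclarationWins) explicit = null
        }

    fun introspectionClientCredentials(clientId: String, secret: String) {
        credentials = clientId to secret
        if (lastDeclarationWins) explicit = null
    }

    var introspector: Resolved?
        get() = explicit
        set(value) {
            explicit = value
            // An introspector declared after URI/credentials should supersede them.
            if (lastDeclarationWins) { uri = null; credentials = null }
        }

    // Resolution order as reported: URI + credentials are checked before the
    // explicit introspector, so without the clearing above they always win.
    fun resolve(): Resolved? {
        val u = uri
        val c = credentials
        if (u != null && c != null) return Resolved(u, c.first, c.second)
        return explicit
    }
}

fun main() {
    val first = Resolved("https://example1.com/introspect", "client1", "secret1")
    val second = Resolved("https://example2.com/introspect", "client2", "secret2")
    fun declareCredsThenIntrospector(s: OpaqueTokenSettings) = s.apply {
        introspectionUri = first.uri
        introspectionClientCredentials(first.clientId, first.secret)
        introspector = second
    }.resolve()
    check(declareCredsThenIntrospector(OpaqueTokenSettings(false)) == first)   // reported
    check(declareCredsThenIntrospector(OpaqueTokenSettings(true)) == second)   // expected
}
```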