When a web application is configured for a browser-based authentication mechanism (such as oauth2Login) in addition to Resource Server, unauthenticated requests that carry no Authorization header default to the browser-based mechanism.

For example, if an application does

http
    .authorizeRequests((authz) -> authz
        .anyRequest().authenticated()
    )
    .oauth2Login(withDefaults())
    .oauth2ResourceServer(withDefaults())

And then a REST request is made like so:

curl localhost:8080

Then the response will be a 302 redirect to the login flow instead of a 401.

The reason is that OAuth2ResourceServerConfigurer registers its AuthenticationEntryPoint only under the condition that the request contains an Authorization header. Because the above request has no Authorization header, Resource Server's entry point isn't activated, and the browser-based entry point handles the request instead.

HttpBasicConfigurer registers its AuthenticationEntryPoint with a condition that the request not appear to be a browser-based request. Thus, it's activated when there's a bad Authorization header, but also when it appears to be a REST request.

OAuth2ResourceServerConfigurer should adopt the strategy employed by HttpBasicConfigurer, registering its entry point for any request that does not look like a browser request (based on the Accept and X-Requested-With headers), so that requests like:

curl localhost:8080

result in a 401 instead of a 302.
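As an added example (not code from this issue or from Spring Security itself), the following configuration gets the requested behaviour in an application today, without waiting for OAuth2ResourceServerConfigurer to change: it registers the bearer-token entry point for non-browser requests using the same matcher logic HttpBasicConfigurer uses, while browser requests still go to oauth2Login. The class name RestAwareSecurityConfig and the helper nonBrowserRequests() are assumed names, and it is written against the WebSecurityConfigurerAdapter style the issue's snippet uses.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.accept.ContentNegotiationStrategy;
import org.springframework.web.accept.HeaderContentNegotiationStrategy;

import static org.springframework.security.config.Customizer.withDefaults;

// Assumed class name; added example, not part of the issue or of Spring Security.
@Configuration
public class RestAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Responds 401 with a WWW-Authenticate: Bearer header instead of redirecting.
        AuthenticationEntryPoint bearerEntryPoint = new BearerTokenAuthenticationEntryPoint();

        // This mapping is registered in configure(), i.e. before the oauth2Login and
        // oauth2ResourceServer configurers register theirs during init(), so it is
        // consulted first and also serves as the fallback when no matcher applies.
        http
            .authorizeRequests((authz) -> authz
                .anyRequest().authenticated()
            )
            .exceptionHandling((exceptions) -> exceptions
                .defaultAuthenticationEntryPointFor(bearerEntryPoint, nonBrowserRequests())
            )
            .oauth2Login(withDefaults())
            .oauth2ResourceServer(withDefaults());
    }

    // Assumed helper name. Mirrors the "does not look like a browser" test that
    // HttpBasicConfigurer applies when it registers its own entry point.
    static RequestMatcher nonBrowserRequests() {
        ContentNegotiationStrategy negotiation = new HeaderContentNegotiationStrategy();

        // Accept prefers an API media type (JSON, XML, ...). A bare "*/*" is ignored
        // here so it is handled by the explicit allMatcher below.
        MediaTypeRequestMatcher restMatcher = new MediaTypeRequestMatcher(negotiation,
                MediaType.APPLICATION_ATOM_XML, MediaType.APPLICATION_FORM_URLENCODED,
                MediaType.APPLICATION_JSON, MediaType.APPLICATION_OCTET_STREAM,
                MediaType.APPLICATION_XML, MediaType.MULTIPART_FORM_DATA, MediaType.TEXT_XML);
        restMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));

        // Accept is exactly "*/*", which is what `curl localhost:8080` sends.
        MediaTypeRequestMatcher allMatcher = new MediaTypeRequestMatcher(negotiation, MediaType.ALL);
        allMatcher.setUseEquals(true);

        // Anything willing to accept text/html is treated as a browser and excluded.
        RequestMatcher notHtml = new NegatedRequestMatcher(
                new MediaTypeRequestMatcher(negotiation, MediaType.TEXT_HTML));

        // AJAX calls identify themselves with this header regardless of Accept.
        RequestMatcher xhr = new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");

        return new OrRequestMatcher(Arrays.asList(
                xhr,
                allMatcher,
                new AndRequestMatcher(Arrays.asList(notHtml, restMatcher))));
    }
}
```

With this in place, `curl localhost:8080` (Accept: */*) receives a 401 with a `WWW-Authenticate: Bearer` header, while a browser request whose Accept header leads with text/html still fails to match and is redirected by oauth2Login's entry point. The check is driven entirely by request headers, so a client can still force the redirect path by sending `Accept: text/html`; that is the same trade-off HttpBasicConfigurer makes.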