Spring Security Regression: ServerHttpSecurity ignore calls to permitAll() starting with 6.0.0-M7

Describe the bug Starting with Spring Security 6.0.0-M7 (used by Spring Boot 3.0.0-M5), calls to permitAll() when configuring ServerHttpSecurity seem to be ignored.

I'm working on preparing a Spring Boot 2.7-based application for Spring Boot 3. When upgrading from Spring Boot 3.0.0-M4 to 3.0.0-M5, I started to get 401 on APIs that are configured to not require any authorization. The problem remains in Spring Boot 3.0.0-RC1.

To Reproduce 1. Unzip the attached sample code. 2. Build and start the server with: ./gradlew clean test bootRun 3. Run the following three curl commands:

```
curl localhost:8080/actuator/health -w ", %{http_code}\n"
curl localhost:8080/api/open -w ", %{http_code}\n"
curl localhost:8080/api/protected -w "%{http_code}\n"
```

Expect them to return:

```
{"status":"UP"}, 200
{"result":"open"}, 200
401
```

1. Change the Spring Boot version in the file build.gradle to 3.0.0-M5 or 3.0.0-RC1

2. Repeat steps 2 and 3. The responses from the curl commands will now be:

   , 401 , 401 401

Expected behavior

That the APIs configured to "permit-all" (/actuator/health and /api/open) do not return 401.

Sample product-composite-service.zip

The Security configuration looks like:

@EnableWebFluxSecurity
public class SecurityConfig {

  @Bean
  SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
      .authorizeExchange()
        .pathMatchers("/actuator/**").permitAll()
        .pathMatchers("/api/open").permitAll()
        .anyExchange().authenticated()
        .and()
      .oauth2ResourceServer()
        .jwt();
    return http.build();
  }
}

Comment From: marcusdacoregio

Hi @magnus-larsson, thanks for the report.

This is related to https://github.com/spring-projects/spring-security/pull/11653. Now, in addition to @EnableWebFluxSecurity, you also have to add @Configuration to the class in order to make Spring pick it up and define its beans. If you don't add the annotation, Spring Boot will add the default security and all the endpoints will be protected, resulting in 401 for your endpoints.

Comment From: magnus-larsson

Hello @marcusdacoregio and thanks for pointing out this breaking change!

It was clearly pointed out in the release notes: https://github.com/spring-projects/spring-security/releases/tag/6.0.0-M7

Next time, I'll read them through more carefully before submitting a bug report :-)