Spring Security Spring Boot 3.0 application failing to start with oauth2-resource-server and spring actuator

Describe the bug We are migrating an application from spring boot 2.7.5 to 3.0, the application is failing to start with an error that says authenticationManager cannot be null. I noticed that this error is only reproducible when using the spring-boot-starter-actuator dependency with the spring-boot-starter-oauth2-resource-server dependency.

I did do some digging through the HttpSecurity class and I can see the error is coming from the beforeConfigure function. I noticed that in the beforeConfigure function, it's trying to get an AuthenticationManager but because we are using an AuthenticationManagerResolver it does not get one back and when it tries to create a new ObservationAuthenticationManager object it is failing in the constructor because the AuthenticationManager is null. Its was most likely introduced in this commit

To Reproduce To reproduce you can clone the sample application I provided and run it in your favorite IDE.

Expected behavior For the application to start successfully when the application is configured to use Oauth2 Resource Server along with spring boot actuator.

Sample I cloned one of the spring security samples and made a few changes to mimic the application we are migrating. You can find it [here](https://github.com/coderWhoMe/multi-tenancy-oauth)

https://github.com/coderWhoMe/multi-tenancy-oauth

Comment From: marcusdacoregio

Hi @coderWhoMe, thank you for the report.

I was able to simulate the same problem without using OAuth2 Resource Server by doing:

@Bean
SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
    http.anonymous(AnonymousConfigurer::disable);
    return http.build();
}

@Bean
AuthenticationProvider authenticationProvider1() {
    return new AuthenticationProvider() {
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            return null;
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return false;
        }
    };
}

@Bean
AuthenticationProvider authenticationProvider2() {
    return new AuthenticationProvider() {
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            return null;
        }

        @Override
        public boolean supports(Class<?> authentication) {
            return false;
        }
    };
}

I feel that the HttpSecurity#beforeConfigure method should check if the AuthenticationManager created by the AuthenticationManagerBuilder is not null. I'll check with @jzheaux what he thinks about this.