Describe the bug this is how I configure http security using the SS 6.4.3

  @Bean
  open fun securityFilterChain(http: HttpSecurity, authManager: AuthenticationManager): SecurityFilterChain {
    http {
      authorizeHttpRequests {
        authorize(HttpMethod.OPTIONS, "/**", permitAll)
         authorize(HttpMethod.GET, "/swagger-ui.html", permitAll)       
        authorize(anyRequest, authenticated)
      }
      csrf { disable() }
      sessionManagement {
        sessionCreationPolicy = SessionCreationPolicy.STATELESS
      }
      addFilterBefore<AuthorizationFilter>(MyFilter(processor, authManager))
    }
    return http.build()
  }

even though '/swagger-ui.html' is configured to skip authentication, MyFilter is found applied to /swagger-ui.html. It was not the case with SS 5.4

if I enable debug in security config, here is the list of filters applied to '/swagger-ui/*'

servletPath:/swagger-ui/swagger-ui.css pathInfo:null headers: host: localhost:8090 connection: keep-alive sec-ch-ua-platform: "macOS" user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 accept: / sec-fetch-site: same-origin sec-fetch-mode: cors sec-fetch-dest: empty referer: http://localhost:8090/ accept-encoding: gzip, deflate, br, zstd accept-language: en-US,en;q=0.9

Security filter chain: [ DisableEncodeUrlFilter WebAsyncManagerIntegrationFilter SecurityContextHolderFilter HeaderWriterFilter LogoutFilter MyFilter RequestCacheAwareFilter SecurityContextHolderAwareRequestFilter AnonymousAuthenticationFilter SessionManagementFilter ExceptionTranslationFilter AuthorizationFilter ]

To Reproduce Steps to reproduce the behavior.

Expected behavior filter added later should NOT be applied to paths configured with permitAll

Sample

A link to a GitHub repository with a minimal, reproducible sample.

Reports that include a sample will take priority over reports that do not. At times, we may require a sample, so it is good to try and include a sample up front.