After upgrading to 2.6.0 a @WebMvcTest controller test for an unauthenticated endpoint no longer works, because a 401 instead of a 200 is returned.

This looks similar to the @SpringBootTest issue https://github.com/spring-projects/spring-boot/issues/28759

Minimal repro:

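```java
// Security.java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Higher-precedence chain: applies to /test/** and permits /test without authentication.
@Order(1)
@Configuration
public class Security extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().antMatcher("/test/**").authorizeRequests()
                .antMatchers("/test").permitAll()
                .anyRequest().authenticated();
    }
}

// BaseSecurity.java (same imports as Security.java)
// Lower-precedence chain: every request it handles requires authentication.
@Order(2)
@Configuration
public class BaseSecurity extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated();
    }
}

// Controller.java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class Controller {
    @GetMapping("/test")
    public String test() { return "test"; }
}

// ControllerTest.java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.test.web.servlet.MockMvc;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest(Controller.class)
class ControllerTest {
    @Autowired
    private MockMvc mockMvc;
    // Expects 200 for the permitAll endpoint; after the upgrade to 2.6.0 this returns 401.
    @Test
    void test() throws Exception { mockMvc.perform(get("/test")).andExpect(status().isOk()); }
}
```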

Comment From: wilkinsona

Thanks for the report. This is a duplicate of #28759 (@WebMvcTest uses @AutoConfigureMockMvc under the covers).