SpringBoot Spring-Boot 2.0.2 actuator with Spring-Security, /shutdown is forbidden

My Spring-Boot config is working fine except the /actuator/shutdown endpoint is forbidden. I can access all of the other endpoints using http basic auth, but trying a POST to shutdown returns 403.

        compile('org.springframework.boot:spring-boot-starter-security')

@Configuration
    public static class ActuatorWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatcher(EndpointRequest.toAnyEndpoint()).authorizeRequests()
                    .anyRequest().hasRole("ACTUATOR")
                    .and()
                    .httpBasic();
        }
    }

management.endpoints.web.exposure.include=*
management.endpoint.health.show-details=always
management.info.git.mode=full
management.endpoint.shutdown.enabled=true
spring.security.user.name=actuator
spring.security.user.password=password
spring.security.user.roles=ACTUATOR

Comment From: snicoll

This behaviour is documented in the reference guide