By default, Spring Security secures all endpoints.
To skip authentication on the Spring Boot Actuator endpoints, provide this bean:
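    @Bean
    public WebSecurityCustomizer webSecurityCustomizer() {
        // web.ignoring() takes matching requests out of the Spring Security
        // filter chain entirely, so every path under /actuator/ is unauthenticated.
        return (web) -> web.ignoring()
                .requestMatchers(new AntPathRequestMatcher("/actuator/**"));
    }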
Source: https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
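
An alternative that keeps the actuator endpoints inside the filter chain, added here as an example (it is not code from the linked Spring blog post): only the health and info endpoints are open, and everything else under `/actuator/` requires an authenticated operator. It assumes Spring Security 6.x and the default `/actuator` base path; the class name `ActuatorSecurityConfig` and the role name `ACTUATOR` are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig { // hypothetical class name

    // Dedicated chain for /actuator/**, evaluated before the application's main chain.
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            // This chain only handles actuator requests; other paths fall through
            // to whatever SecurityFilterChain the application defines.
            .securityMatcher("/actuator/**")
            .authorizeHttpRequests(auth -> auth
                // Endpoints that load balancers and monitoring usually poll anonymously.
                .requestMatchers("/actuator/health", "/actuator/health/**", "/actuator/info")
                    .permitAll()
                // Assumption: "ACTUATOR" is a role you assign to operators.
                .anyRequest().hasRole("ACTUATOR"))
            // HTTP Basic keeps the example short; use the mechanism your operators already have.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Unlike `web.ignoring()`, `permitAll()` still runs the request through the security filters, so security headers and request logging stay in effect for the open endpoints.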