The default behaviour of Spring Security is that all endpoints are secured by default.

In order to ignore authentication on spring-actuator endpoints you need to provide this bean:

  @Bean
  public WebSecurityCustomizer webSecurityCustomizer() {
    return (web) -> web.ignoring()
        .requestMatchers(new AntPathRequestMatcher("/actuator/**"));
  }

Source: https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter