In method i need return page with info(else condition)

`public String createInvoice(String request, MerchantRequestInfo merchantRequestInfo) {
    if (isPaymentAvailable) {
    return invoiceClient.createInvoice(request, merchantRequestInfo).bodyToMono(String.class).block();
    } else {
        return "localhost:8080/invoice-result?RC=503";
    }
}`

Its redirect to mvc controller-blank
`@Slf4j
@Controller
@RequiredArgsConstructor
public class PaymentNotAvailableController {

    @RequestMapping({"/invoice-result"})
    public String failedInvoiceForm(@RequestParam Map<String, String> params) {
        return "forward:index.html";
    }
}`

Problem is, that spring security blocking this controller request, and in response link i get page: access deny for localhost

here spring security config
`@Configuration
@RequiredArgsConstructor
public class SecurityConfig {

@Bean
@Order(1)
public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http,
                                                  MerchantAuthenticationProvider merchantAuthenticationProvider,
                                                  MerchantAuthenticationConverter merchantAuthenticationConverter,
                                                  MerchantAuthenticationSuccessHandler merchantAuthenticationSuccessHandler,
                                                  MerchantAccessDeniedHandler merchantAccessDeniedHandler,
                                                  MerchantAuthenticationEntryPoint merchantAuthenticationEntryPoint) throws Exception {
    var merchantAuthenticationFilter = new AuthenticationFilter(new ProviderManager(merchantAuthenticationProvider),
            merchantAuthenticationConverter);
    merchantAuthenticationFilter.setFailureHandler(merchantAuthenticationEntryPoint);
    merchantAuthenticationFilter.setSuccessHandler(merchantAuthenticationSuccessHandler);
    return http
            .securityMatcher("/api/**")
            .csrf(AbstractHttpConfigurer::disable)
            .cors(AbstractHttpConfigurer::disable)
            .sessionManagement(session -> session
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                    .anyRequest().authenticated())
            .addFilterBefore(merchantAuthenticationFilter, BasicAuthenticationFilter.class)
            .exceptionHandling(handler -> handler
                    .accessDeniedHandler(merchantAccessDeniedHandler)
                    .authenticationEntryPoint(merchantAuthenticationEntryPoint))
            .build();
}

@Bean
@Order(10)
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    return http
            .sessionManagement(session -> session
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                    .requestMatchers("/swagger-ui.html", "/v3/api-docs/**", "/swagger-ui/**", "/webjars/swagger-ui/**").permitAll()
                    .requestMatchers("/actuator/**", "/schemas/**", "/invoice-result").permitAll()
                    .anyRequest().authenticated())
            .build();
}

}`

If i comment // method apiSecurityFilterChain, it is work normal

I tried put “/invoice-result”).permitAll() for my controller, but no result

Frontend and backend is locate in one service