I have a Spring Boot application that uses Spring Security. My configuration worked fine in version 6.0.1, allowing access to APIs specified in the AUTH_WHITELIST. However, after upgrading to Spring Security 6.3.3, my custom /login REST endpoint returns a 401 Unauthorized error, even though it is included in the AUTH_WHITELIST.
Previous Configuration (Spring Security 6.0.1)
    import lombok.RequiredArgsConstructor;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.web.servlet.config.annotation.EnableWebMvc;

    @Configuration
    @EnableWebSecurity
    @EnableMethodSecurity
    @RequiredArgsConstructor
    @EnableWebMvc
    public class SecurityConfig {

        // Paths that must be reachable without authentication
        private static final String[] AUTH_WHITELIST = {
            "/v3/api-docs/**",
            "/actuator/**",
            "/swagger-ui/**",
            "/login**",
            "/error**"
        };

        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.cors()
                .and().csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .requestMatchers(AUTH_WHITELIST).permitAll()
                    // catch-all: every other request is also permitted
                    .anyRequest().permitAll();
            return http.build();
        }
    }
It works well; I can access any API in AUTH_WHITELIST just fine. Then I tried to update my work to Spring Security 6.3.3 with a configuration like this:
    import jakarta.servlet.DispatcherType;
    import lombok.RequiredArgsConstructor;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.web.servlet.config.annotation.EnableWebMvc;

    @Configuration
    @EnableWebSecurity
    @EnableMethodSecurity
    @RequiredArgsConstructor
    @EnableWebMvc
    public class SecurityConfig {

        // Paths that must be reachable without authentication
        private static final String[] AUTH_WHITELIST = {
            "/v3/api-docs/**",
            "/actuator/**",
            "/swagger-ui/**",
            "/login**",
            "/error**"
        };

        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http
                .csrf(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests((authorize) -> authorize
                    // container-internal forwards and error dispatches bypass the check
                    .dispatcherTypeMatchers(DispatcherType.FORWARD, DispatcherType.ERROR).permitAll()
                    .requestMatchers(AUTH_WHITELIST).permitAll()
                    // catch-all: everything not matched above requires authentication
                    .anyRequest().authenticated()
                )
                .httpBasic(Customizer.withDefaults())
                .formLogin(AbstractHttpConfigurer::disable);
            return http.build();
        }
    }
For the Swagger-related endpoints it still works fine, but for a REST controller API like the /login one I created, it returns 401.
This is the simple REST controller for login; it does not change between Spring Security 6.0.1 and 6.3.3:
    import io.swagger.v3.oas.annotations.Operation;
    import io.swagger.v3.oas.annotations.tags.Tag;
    import jakarta.servlet.http.HttpServletRequest;
    import lombok.extern.slf4j.Slf4j;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.http.ResponseEntity;
    import org.springframework.web.bind.annotation.PostMapping;
    import org.springframework.web.bind.annotation.RequestBody;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @Slf4j
    @RestController
    @RequestMapping("/login")
    @Tag(name = "Login")
    public class LoginController {

        @Autowired
        private LoginService service;

        @Autowired
        private UserLoginService userService;

        // POST /login/username
        @PostMapping("/username")
        @Operation(summary = "Login", method = "POST")
        public ResponseEntity<LoginResponse> login(@RequestBody LoginRequest request, HttpServletRequest servletRequest) {
            LoginResponse dto = service.login(request, servletRequest);
            return ResponseEntity.ok(dto);
        }

        // POST /login/signup
        @PostMapping("/signup")
        @Operation(summary = "Sign Up", method = "POST")
        public ResponseEntity<UserLoginDto> signUp(@RequestBody SignUpRequest request, HttpServletRequest servletRequest) {
            UserLoginDto dto = userService.create(request, servletRequest);
            return ResponseEntity.ok(dto);
        }
    }
Is there anything wrong with how I did the migration? I have made 5 different projects trying the new Spring Security configuration and I never got it to work, and I always go back to Spring Security 6.0.1 or even earlier.
The /login API should not need authentication.
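Added example (editor's code, not part of the original question): a stand-alone check of what the two whitelist spellings actually match, using Spring's own AntPathMatcher (spring-core) and PathPatternParser (spring-web, the matcher behind Spring MVC request mapping and therefore behind the MvcRequestMatcher that requestMatchers(String...) builds when Spring MVC is on the classpath). The sample request paths are constructed for the demonstration: /login/username and /login/signup are the routes the posted LoginController maps, the others are neighbours chosen to show where the pattern boundary lies. The class name WhitelistPatternCheck is an arbitrary choice.

```java
// Added example, not code from the original question. Shows what the whitelist
// entry "/login**" matches compared with "/login/**", using the two matchers
// Spring ships. Requires spring-core and spring-web on the classpath.
import org.springframework.http.server.PathContainer;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.util.pattern.PathPattern;
import org.springframework.web.util.pattern.PathPatternParser;

public class WhitelistPatternCheck {

    private static final AntPathMatcher ANT = new AntPathMatcher();
    private static final PathPatternParser PARSER = new PathPatternParser();

    /** Ant-style match, the semantics used by AntPathRequestMatcher. */
    static boolean antMatches(String pattern, String path) {
        return ANT.match(pattern, path);
    }

    /** PathPattern match, the semantics used by Spring MVC request mapping. */
    static boolean pathPatternMatches(String pattern, String path) {
        PathPattern parsed = PARSER.parse(pattern);
        return parsed.matches(PathContainer.parsePath(path));
    }

    public static void main(String[] args) {
        // Constructed sample: the whitelist entry from the question and the
        // multi-segment spelling of the same prefix.
        String[] patterns = { "/login**", "/login/**" };

        // Constructed sample requests: the two routes the posted controller maps,
        // plus a same-segment neighbour and an unrelated whitelisted path.
        String[] paths = {
            "/login",
            "/login/username",
            "/login/signup",
            "/logins",
            "/swagger-ui/index.html"
        };

        for (String pattern : patterns) {
            System.out.println("pattern " + pattern);
            for (String path : paths) {
                System.out.printf("  %-24s ant=%-5b pathPattern=%-5b%n",
                        path, antMatches(pattern, path), pathPatternMatches(pattern, path));
            }
        }
    }
}
```

Run it as a plain main class. Both matchers agree on the shape of the pattern: in Ant and PathPattern syntax a `**` only spans multiple path segments when it is a segment of its own, so `/login**` is a single-segment pattern that covers `/login` and `/loginX` but not `/login/username` or `/login/signup`, while `/login/**` covers the prefix and everything beneath it. Read against the two configurations above, this is the difference between them: the 6.0.1 chain ends in `anyRequest().permitAll()`, so an unmatched whitelist entry was never noticed, whereas the 6.3.3 chain ends in `anyRequest().authenticated()`, so `POST /login/username` falls through to that rule and, with `httpBasic` enabled and no credentials on the request, the entry point answers 401. The whitelist entry should be checked against the controller's full paths (`@RequestMapping` prefix plus `@PostMapping` suffix), not against the class-level prefix alone; the same check applies to `/error**`, which only covers `/error` and single-segment variations of it.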