Default filter chain configuration is excluded in M1 release when actuator starter is on the classpath #2141

@gbaso

Description

Describe the bug
In Spring Boot 4.0.0-M1 the actuator auto-configuration has precedence over the authorization server auto-configuration, the opposite of 3.5.x. Therefore ManagementWebSecurityAutoConfiguration will evaluate @ConditionalOnDefaultWebSecurity to true and publish its SecurityFilterChain. OAuth2AuthorizationServerWebSecurityConfiguration is next; it will evaluate @ConditionalOnDefaultWebSecurity to false and will not configure the SecurityFilterChain with OAuth2AuthorizationServerConfigurer, breaking the declarative configuration via application.properties.

To Reproduce
Create a new Spring project from start.spring.io. Choose Spring Boot 4.0.0-M1, Spring Web, OAuth2 Authorization Server and Spring Boot Actuator.

Configure a client:

spring:
  security:
    oauth2:
      authorizationserver:
        client:
          sample:
            registration:
              client-id: "sample"
              client-secret: "{noop}secret"
              client-authentication-methods:
                - "client_secret_basic"
              authorization-grant-types:
                - "client_credentials"
              scopes:
                - "name.read"

Start the server and go to http://localhost:8080/.well-known/oauth-authorization-server. A login page will appear.

Expected behavior
The configured client should be registered, and the well-known OAuth endpoints should be public.
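The report above describes two auto-configured SecurityFilterChain beans racing on @ConditionalOnDefaultWebSecurity. The workaround a practitioner would reach for until the ordering is fixed is to stop depending on either auto-configured chain and declare the authorization server chain explicitly: once any user-defined SecurityFilterChain exists, @ConditionalOnDefaultWebSecurity evaluates to false for both the actuator chain and the authorization server chain, so the order in which they are evaluated no longer matters. The following is an added example written for this page by the editor, not code from the reporter or from the Spring Boot or Spring Authorization Server projects. It assumes the Spring Authorization Server API that Boot 4.0.0-M1 pulls in (OAuth2AuthorizationServerConfigurer.authorizationServer() and HttpSecurity.with()); the package name and class name are hypothetical.

```java
// Added example: explicit authorization-server filter chain so the OAuth2 endpoints
// (including /.well-known/oauth-authorization-server) are wired regardless of
// auto-configuration order. Package and class names are hypothetical.
package com.example.authserver;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

@Configuration
public class AuthorizationServerSecurityConfig {

    // Chain 1: matches only the authorization server's own endpoints
    // (/oauth2/token, /oauth2/authorize, /oauth2/jwks, the metadata endpoints, ...).
    // The configurer registers the endpoint filters itself, so the metadata endpoint
    // is served without a login redirect even though anyRequest() is authenticated().
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer =
                OAuth2AuthorizationServerConfigurer.authorizationServer();

        http
            .securityMatcher(authorizationServer.getEndpointsMatcher())
            // oidc(withDefaults()) additionally enables the OpenID Connect 1.0 endpoints
            // (/.well-known/openid-configuration, /userinfo); drop it if OAuth2-only is wanted.
            .with(authorizationServer, server -> server.oidc(Customizer.withDefaults()))
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            // Browsers arriving unauthenticated at /oauth2/authorize are sent to /login;
            // non-HTML clients (e.g. a misconfigured token request) get a 401, not a login page.
            .exceptionHandling(exceptions -> exceptions.defaultAuthenticationEntryPointFor(
                    new LoginUrlAuthenticationEntryPoint("/login"),
                    new MediaTypeRequestMatcher(MediaType.TEXT_HTML)));

        return http.build();
    }

    // Chain 2: everything else, including the actuator endpoints, keeps the
    // authenticated-with-form-login behaviour Boot's default chain would have provided.
    // Because this chain exists, neither ManagementWebSecurityAutoConfiguration nor
    // OAuth2AuthorizationServerWebSecurityConfiguration publishes its own chain.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE + 1)
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

The properties-based client registration from the report (the spring.security.oauth2.authorizationserver.client.* block) is produced by a separate auto-configuration that registers an in-memory RegisteredClientRepository only when no such bean exists, so declaring the filter chains by hand should not disturb it; confirm by requesting a client_credentials token with `sample:secret` via client_secret_basic at /oauth2/token after applying the configuration. Note that the first chain's securityMatcher is deliberately narrow: widening it to `/**` would hide the actuator and any application endpoints behind the authorization server's exception handling.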

Labels

for: external-project (For an external project and not something we can fix)