**Describe the bug**

In Spring Boot 4.0.0-M1 the actuator auto-configuration has precedence over the authorization server auto-configuration, the opposite of 3.5.x. Therefore `ManagementWebSecurityAutoConfiguration` evaluates `@ConditionalOnDefaultWebSecurity` to true and publishes its `SecurityFilterChain`. `OAuth2AuthorizationServerWebSecurityConfiguration` comes next, evaluates `@ConditionalOnDefaultWebSecurity` to false and does not configure the `SecurityFilterChain` with `OAuth2AuthorizationServerConfigurer`, breaking the declarative configuration via `application.properties`.
**To Reproduce**

Create a new Spring project from start.spring.io. Choose Spring Boot 4.0.0-M1, Spring Web, OAuth2 Authorization Server and Spring Boot Actuator.

Configure a client:

```yaml
spring:
  security:
    oauth2:
      authorizationserver:
        client:
          sample:
            registration:
              client-id: "sample"
              client-secret: "{noop}secret"
              client-authentication-methods:
                - "client_secret_basic"
              authorization-grant-types:
                - "client_credentials"
              scopes:
                - "name.read"
```
Start the server and go to http://localhost:8080/.well-known/oauth-authorization-server. A login page will appear.

**Expected behavior**

The configured client should be registered, and the well-known OAuth endpoints should be public.

Originally posted in https://github.com/spring-projects/spring-authorization-server/issues/2141
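Editor's note, as an added workaround that is not part of the issue and not code from Spring Boot or Spring Authorization Server: both auto-configurations named above are guarded by `@ConditionalOnDefaultWebSecurity`, so declaring an application-level `SecurityFilterChain` bean makes them back off regardless of which one is evaluated first. The following configuration builds the authorization server chain explicitly with `OAuth2AuthorizationServerConfigurer` and leaves everything else, actuator endpoints included, behind a form login. It assumes the Spring Security 6.x DSL (`OAuth2AuthorizationServerConfigurer.authorizationServer()`, `HttpSecurity.with(...)`) is unchanged in the Spring Security version pulled in by Spring Boot 4.0.0-M1, which has not been verified against the milestone, and it assumes the client defined in `application.properties` is still registered by the separate `RegisteredClientRepository` auto-configuration, which this class does not touch. The class name, bean names and `@Order` values are the editor's choices.

```java
// Added example (editor's workaround, not code from the issue, Spring Boot or
// Spring Authorization Server). Declaring our own SecurityFilterChain beans makes
// both @ConditionalOnDefaultWebSecurity auto-configurations back off, so the
// authorization server endpoints are configured explicitly and no longer depend
// on auto-configuration ordering.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

@Configuration
@EnableWebSecurity
public class AuthorizationServerSecurityConfig {

    // Evaluated first and scoped to the authorization server endpoints only
    // (/.well-known/oauth-authorization-server, /oauth2/token, /oauth2/jwks, ...).
    // The metadata and JWKS endpoints are public by the configurer's defaults;
    // /oauth2/token is protected by client authentication (client_secret_basic here).
    @Bean
    @Order(1)
    SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer =
                OAuth2AuthorizationServerConfigurer.authorizationServer();
        http
            .securityMatcher(authorizationServer.getEndpointsMatcher())
            .with(authorizationServer, Customizer.withDefaults())
            // Browser (text/html) requests to protected authorization server
            // endpoints are sent to the login page instead of getting a bare 401.
            .exceptionHandling(exceptions -> exceptions.defaultAuthenticationEntryPointFor(
                    new LoginUrlAuthenticationEntryPoint("/login"),
                    new MediaTypeRequestMatcher(MediaType.TEXT_HTML)));
        return http.build();
    }

    // Everything not matched above, including the actuator endpoints, keeps
    // the usual authenticated-by-default policy with form login.
    @Bean
    @Order(2)
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

To confirm the chain is active, request `http://localhost:8080/.well-known/oauth-authorization-server` with `curl -i`: the response should be `200` with a JSON body (`issuer`, `token_endpoint`, ...) rather than a `302` redirect to `/login`. A `client_credentials` request to `/oauth2/token` with `-u sample:secret` should then return an access token. Note that this is a workaround for the ordering bug, not a replacement for the fix: as soon as a project declares its own chain, the declarative web security auto-configuration is off for good, so the explicit chain has to be maintained alongside any future property-driven changes.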