Remove default HttpSecurity.securityMatcher() for authorization server

Closes gh-17965

Author: jgrandja

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -396,8 +396,6 @@ public void init(HttpSecurity httpSecurity) {
 					new OrRequestMatcher(preferredMatchers));
 		}
 
-		httpSecurity.securityMatchers((securityMatchers) -> securityMatchers.requestMatchers(this.endpointsMatcher));
-
 		httpSecurity.csrf((csrf) -> csrf.ignoringRequestMatchers(this.endpointsMatcher));
 
 		if (getConfigurer(OAuth2ClientRegistrationEndpointConfigurer.class) != null) {

docs/modules/ROOT/pages/servlet/oauth2/authorization-server/getting-started.adoc

@@ -132,10 +132,11 @@ public class SecurityConfig {
 
 		// @formatter:off
 		http
-			.oauth2AuthorizationServer((authorizationServer) ->
+			.oauth2AuthorizationServer((authorizationServer) -> {
+				http.securityMatcher(authorizationServer.getEndpointsMatcher());
 				authorizationServer
-					.oidc(Customizer.withDefaults())	// Enable OpenID Connect 1.0
-			)
+					.oidc(Customizer.withDefaults());	// Enable OpenID Connect 1.0
+			})
 			.authorizeHttpRequests((authorize) ->
 				authorize
 					.anyRequest().authenticated()