Under Spring Security OAuth2, I want to control requests to /api on top of the original Spring Security configuration. I browsed a lot of configurations on the Internet, but during testing I found that the resource control of Spring Security and the resource control of Spring Security OAuth2 override each other, so it is impossible to separate the control. If security.oauth2.resource.filter-order=3 is added to the configuration, the control of Spring Security is used, and vice versa, the control of OAuth2 is used.
My configuration in the code is as follows:
Spring Security configuration:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    // Form-login filter chain; a WebSecurityConfigurerAdapter has order 100 by default.
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        // Project-specific UserDetailsService (not shown in the question).
        @Autowired
        private UserManagerService userManagerService;

        // Expose the AuthenticationManager as a bean so the OAuth2 authorization
        // server can inject it for the password grant.
        @Override
        @Bean
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }

        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // CSRF protection is switched off for this chain.
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/oauth/**").permitAll()
                    // Static assets
                    .antMatchers("/**/*.js", "/**/*.css", "/**/*.png",
                            "/**/*.gif", "/**/*.jpg", "/**/*.jpeg", "/**/*.map",
                            "/**/*.ico").permitAll()
                    // Everything else, /api/** included, needs an authenticated session.
                    .anyRequest().authenticated()
                .and()
                .formLogin()
                    .loginPage("/user/login_page")
                    .loginProcessingUrl("/login")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    // Project-specific handlers (not shown in the question).
                    .successHandler(new CustomSimpleUrlAuthenticationSuccessHandler())
                    .failureHandler(new CustomSimpleUrlAuthenticationFailureHandler())
                    .permitAll()
                .and()
                .logout()
                    .logoutUrl("/logout")
                    .logoutSuccessUrl("/user/login_page")
                    .permitAll();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userManagerService)
                .passwordEncoder(passwordEncoder());
        }
    }
Spring Security OAuth2 configuration:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

        // The AuthenticationManager bean exposed by WebSecurityConfig.
        @Autowired
        AuthenticationManager authenticationManager;

        @Autowired
        private UserManagerService userManagerService;

        // Tokens are kept in memory only and are lost on restart.
        @Bean
        public TokenStore tokenStore() {
            return new InMemoryTokenStore();
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.tokenStore(tokenStore())
                // userDetailsService is used by the refresh_token grant,
                // authenticationManager by the password grant.
                .userDetailsService(userManagerService)
                .authenticationManager(authenticationManager);
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
            // Let clients send client_id/client_secret as form parameters
            // instead of HTTP Basic on the token endpoint.
            security.allowFormAuthenticationForClients();
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                .withClient("cmdb")
                .authorizedGrantTypes("password", "refresh_token")
                .secret("api")
                .scopes("xxx");
        }
    }

    // Resource server filter chain. There is no requestMatchers() here, so the
    // chain matches every request, not only /api/**.
    @Configuration
    @EnableResourceServer
    public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/api/**").authenticated();
        }
    }
I have consulted many blogs and checked the authorization process of several modes of Spring OAuth2 before, but I did not find the reason.
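The two chains in the question collide because neither one is limited to a URL prefix: the form-login chain claims `anyRequest()`, and the resource server chain, having no `requestMatchers()`, also matches every request, so whichever chain is ordered first swallows everything. The example below is added here and is not code from the question; it shows one way to split the chains by URL. It assumes Spring Boot 1.5 with spring-security-oauth2 2.x, that `security.oauth2.resource.filter-order=3` is set in `application.properties` so the resource server chain runs before the form-login chain (default order 100), and it reuses the poster's `UserManagerService` and handler classes, which are not shown.

```java
// Added example, not from the question. Two source files are shown back to back.
// Assumptions: Spring Boot 1.5 + spring-security-oauth2 2.x, and
//   security.oauth2.resource.filter-order=3
// in application.properties, which places the resource server chain (order 3)
// ahead of the WebSecurityConfigurerAdapter chain (order 100). The
// authorization server's own chain (order 0) only matches /oauth/token,
// /oauth/token_key and /oauth/check_token, so neither chain below needs to
// permit those paths.

// ---- File 1: ResourceServerConfiguration.java ----
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // Only requests under /api/** enter this chain at all. Anything else
            // is skipped by this chain and falls through to the next one.
            .requestMatchers().antMatchers("/api/**")
            .and()
            .authorizeRequests()
                // Within /api/** a valid bearer token is mandatory; there is no
                // redirect to the login page because this chain has no formLogin().
                .anyRequest().authenticated();
    }
}

// ---- File 2: WebSecurityConfig.java ----
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserManagerService userManagerService; // poster's class, assumed

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean(); // still needed by the password grant
    }

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This chain never sees /api/** once the resource server chain is
            // ordered first, so anyRequest() here covers only the web UI.
            .authorizeRequests()
                .antMatchers("/**/*.js", "/**/*.css", "/**/*.png", "/**/*.gif",
                        "/**/*.jpg", "/**/*.jpeg", "/**/*.map", "/**/*.ico").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/user/login_page")
                .loginProcessingUrl("/login")
                .permitAll()
            .and()
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessUrl("/user/login_page")
                .permitAll();
        // CSRF stays enabled here: this chain serves browser sessions, and the
        // /api/** chain (bearer tokens, no cookies) is the one that does not need it.
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userManagerService).passwordEncoder(passwordEncoder());
    }
}
```

To check the split, request `/api/anything` without a token and expect an HTTP 401 with a `WWW-Authenticate: Bearer` header rather than a 302 to `/user/login_page`; then request a UI path without a session and expect the 302. If the 401 never appears, the property was not picked up and the form-login chain is still ordered first.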