locahost:port/user is protected but locahost:port/user/ (with one / ) isn't protected. I am also facing same issue and he seems to have the same issue though. Similar for other endpoints as well.

According to spring docs you should be using:

.antMatcher("/user/**")

or

.antMatcher("/admin/**")

instead of

.antMatcher("/user")

to secure your api endpoints.