There are few issues that I saw in first place(Im not expert). When you are working with custom security configs in springboot, you should disable the default sec.config. Usually "Using generated security password: 4f50cde6-c1ad-406e-9968-6e51b6b05bc0" this massage indicates that Spring Security's default setup is still active and providing the default user (user) with a generated password. And, disable the csrf if you don't need.