I have reproduced the problem. I got a 403 response when I didn't send the UserInfo JSON data to the /save endpoint. When I send the JSON data correctly, I receive a 200 response. I've used a securityFilterChain like yours.
Can you share your UserInfo class? I think a setter method or an appropriate constructor is missing.