So, this was a very unexpected problem, quite a goofy one.

In my application I had

@ComponentScan(basePackages = {"path.to.a.package.from.external.module.with.generic.spring.auth.components",
 "path.to.a.package.with.local.spring.security.customizations.with.typo"})

Note the part with.typo - I was completely shadowing my custom implementation, including my custom security chain from above. Interestingly, Spring did not complain about this problem. Maybe this is expected because the package might exist, but providing no components? I switched to Idea Ultimate in the meantime and now it shows me such packages, but I just wonder if this is fair tradeoff, given the fact it might cover bugs extremely well.