I have a Spring MVC application which uses xml based configuration for spring-security and bean definitions. We are migrating to Spring 6 and using spring-authorization-server for oauth2 functionality. As spring-authorization-server does not support xml based configuration for authorization server and resource server for configuring securityFilterChain, we are trying to configure it using Java. But, the new securityFilterChain is never called unless we explicitly define it as a bean in the xml files where other configuration are defined.

But the problem in defining it in xml as a bean is it messes up the entire project and many beans give error about nullpointer exception. It seems like 2 separate securityFilterChain objects are created and many beans are created more than once (verified by their hashcode values).

How do I safely integrate the new java based securityFilterChain configuration into my xml config files. I tried the solution mentioned in Spring Security - How to mix xml <security:http> and Java SecurityFilterChain declaration configurations? but it doesn't work somehow.