26.04.2017 - This places it after the actuator endpoints but before the basic authentication The default can be restored by setting security.oauth2.resource.filter-order = 3..