Попробуйте исправить на:
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))
.authorizeHttpRequests(authorize -> authorize
.requestMatchers("/api/auth/**").permitAll()
.requestMatchers("/api/private").authenticated()
.anyRequest().permitAll()
)
.securityContext(securityContext -> {
securityContext.requireExplicitSave(false);
securityContext.securityContextRepository(new HttpSessionSecurityContextRepository());
})
return http.build();
}