I guess this is not related to kotlin and you should ask at spring gitter

At a conference now, so can't help that much, but I think there was a disableBasicAuth() on the http variable in your security bean