Spring Security with multiple security models configured with SecurityFilterChain ignores authentication configuration

Question

I am trying to build a Spring Boot application, that has different security models for different URLs. So I try to avoid creating a global AuthenticationManager bean, but instead configure it in the Spring Security DSL as described here: https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter

However MyAuthProvider does not get called in either a/ or b/. I would expect it to be called in both examples.

Surprisingly a/ returns 403 Access Denied and b/ returns 200 OK

What am I doing wrong?

Complete example provided here as a single class Spring Boot application (2.7.3)

package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.Set;

@SpringBootApplication
public class DemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }

    @Bean
    public SecurityFilterChain secureA(HttpSecurity http) throws Exception {

        http.authorizeRequests(auth ->
                auth.antMatchers("/a").hasRole("a")
        );
        http.authenticationProvider(new MyAuthProvider("a"));

        return http.build();
    }

    @Bean
    public SecurityFilterChain secureB(HttpSecurity http) throws Exception {

        http.authorizeRequests(auth ->
                auth.antMatchers("/b").hasRole("b")
        );
        http.authenticationManager(new ProviderManager(new MyAuthProvider("b")));

        return http.build();
    }

    @RestController
    public class RestService {
        @GetMapping("/a")
        public String a() {
            return "hello a";
        }

        @GetMapping("/b")
        public String b() {
            return "hello b";
        }

        @GetMapping("/c")
        public String c() {
            return "hello c";
        }
    }

    class MyAuthProvider implements AuthenticationProvider {

        private String cfg;

        public MyAuthProvider(String cfg) {
            this.cfg = cfg;
        }

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            System.out.println("authenticate " + cfg);
            var roles = Set.of(new SimpleGrantedAuthority("ROLE_" + cfg));
            return new UsernamePasswordAuthenticationToken("user", "pass", roles);
        }

        @Override
        public boolean supports(Class<?> authentication) {
            System.out.println("supports " + cfg);
            return true;
        }
    }

}