I believe that the problem is in the order of your rules:
.antMatchers("/admin/**").hasRole("ADMIN")
.antMatchers("/admin/login").permitAll()
The order of the rules matters and the more specific rules should go first. Now everything that starts with /admin
will require authenticated user with ADMIN role, even the /admin/login
path (because /admin/login
is already matched by the /admin/**
rule and therefore the second rule is ignored).
The rule for the login page should therefore go before the /admin/**
rule. E.G.
.antMatchers("/admin/login").permitAll()
.antMatchers("/admin/**").hasRole("ADMIN")