Permit unauthenticated access to health/info/prometheus actuator endpoints

Spring Boot 4 applies the application's SecurityFilterChain to the
management port, so the existing anyRequest().authenticated() rule
caused /actuator/health to return 401 and broke prod healthchecks.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Brutus5000

src/main/java/com/faforever/api/config/security/WebSecurityConfig.java

@@ -1,6 +1,7 @@
 package com.faforever.api.config.security;
 
 import com.faforever.api.security.FafAuthenticationConverter;
+import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
@@ -37,6 +38,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
     });
     http.authorizeHttpRequests(authorizeConfig -> {
       authorizeConfig.requestMatchers(HttpMethod.OPTIONS).permitAll();
+      authorizeConfig.requestMatchers(EndpointRequest.to("health", "info", "prometheus")).permitAll();
       // Swagger UI
       authorizeConfig.requestMatchers(
         "/swagger-ui/**",