My SecurityConfigurations class is configured as follows:
@Autowired
private FilterSecurity filterSecurity;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http.csrf(csrf -> csrf.disable())
.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(req -> {
req.requestMatchers(HttpMethod.POST, "/login").permitAll();
req.anyRequest().authenticated();
})
.addFilterBefore(filterSecurity, UsernamePasswordAuthenticationFilter.class)
.build();
}
When I hit the /login route, a 403 error is returned. For some reason it is ignoring my definition in the requestMatchers method and is trying to validate the token.
Stack trace of the error:
java.lang.RuntimeException: Invalid or expired JWT token
at med.souza.api.infra.security.TokenService.getSubject(TokenService.java:43) ~[classes/:na]
at med.souza.api.infra.security.FilterSecurity.doFilterInternal(FilterSecurity.java:32) ~[classes/:na]
FilterSecurity::32
if (tokenJWT != null) {
String subject = tokenService.getSubject(tokenJWT); // FilterSecurity.java:32
var user = userRepository.findByLogin(subject);
Authentication auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(auth);
}
TokenService::43
public String getSubject(String tokenJWT) {
try {
Algorithm algorithm = Algorithm.HMAC256(secret);
return JWT.require(algorithm)
.withIssuer("API Med Souza")
.build()
.verify(tokenJWT)
.getSubject();
} catch (JWTVerificationException e) {
throw new RuntimeException("Invalid or expired JWT token"); // TokenService.java:43
}
}
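The behaviour above is the usual consequence of how a custom filter interacts with the authorization rules: `permitAll()` is evaluated by the AuthorizationFilter at the end of the chain, whereas a filter added before UsernamePasswordAuthenticationFilter runs for every request, POST /login included. If the client sends a stale `Authorization` header with the login request, the filter verifies it, the RuntimeException escapes the filter, the container forwards to Spring Boot's `/error` page, and that forward is itself subject to `anyRequest().authenticated()`, which is where the 403 comes from. The following is an added example, not the poster's code, showing a stateless JWT filter chain where a bad token produces a direct 401, a missing token leaves the request anonymous for the authorization rules to decide, and `/error` is permitted. It assumes Spring Boot 3 / Spring Security 6, the auth0 java-jwt library, a `UserDetailsService` bean in place of the poster's `userRepository`, and a property named `api.security.token.secret`; all of these names are assumptions.

```java
// Added example (not the poster's code). Assumed: Spring Boot 3 / Security 6, auth0 java-jwt,
// a UserDetailsService bean, and a property api.security.token.secret holding the HMAC secret.
import java.io.IOException;
import java.util.Optional;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.stereotype.Service;
import org.springframework.web.filter.OncePerRequestFilter;

@Service
class TokenService {
    @Value("${api.security.token.secret}") // assumed property name
    private String secret;

    // Empty means "did not verify" (bad signature, wrong issuer, expired). A failed verification is a
    // normal outcome for a filter, so it is returned as a value instead of thrown as an exception.
    Optional<String> getSubject(String tokenJWT) {
        try {
            return Optional.ofNullable(JWT.require(Algorithm.HMAC256(secret))
                    .withIssuer("API Med Souza").build().verify(tokenJWT).getSubject());
        } catch (JWTVerificationException e) {
            return Optional.empty();
        }
    }
}

class FilterSecurity extends OncePerRequestFilter {
    private final TokenService tokenService;
    private final UserDetailsService users;

    FilterSecurity(TokenService t, UserDetailsService u) { this.tokenService = t; this.users = u; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String token = bearerToken(req);
        if (token == null) {        // no credentials: stay anonymous, the authorization rules decide later
            chain.doFilter(req, res);
            return;
        }
        Optional<String> subject = tokenService.getSubject(token);
        if (subject.isEmpty()) {    // credentials presented but bad: answer 401 here, no /error dispatch
            SecurityContextHolder.clearContext();
            res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            res.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
            res.setContentType("application/json");
            res.getWriter().write("{\"error\":\"Invalid or expired JWT token\"}");
            return;
        }
        try {
            UserDetails user = users.loadUserByUsername(subject.get());
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
        } catch (UsernameNotFoundException e) { // valid signature but the account is gone: stay anonymous
            SecurityContextHolder.clearContext();
        }
        chain.doFilter(req, res);
    }

    private static String bearerToken(HttpServletRequest req) {
        String header = req.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) return null;
        String token = header.substring(7).trim();
        return token.isEmpty() ? null : token;
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfigurations {
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, TokenService tokens,
                                            UserDetailsService users) throws Exception {
        // Built here rather than as a @Component: Boot auto-registers any Filter bean as a container
        // filter as well, so a @Component filter added to the chain would run twice per request.
        FilterSecurity filterSecurity = new FilterSecurity(tokens, users);
        return http
                .csrf(csrf -> csrf.disable()) // acceptable only because nothing here authenticates via cookies
                .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(req -> {
                    req.requestMatchers(HttpMethod.POST, "/login").permitAll();
                    req.requestMatchers("/error").permitAll(); // keep Boot's error page reachable
                    req.anyRequest().authenticated();
                })
                .addFilterBefore(filterSecurity, UsernamePasswordAuthenticationFilter.class)
                .build();
    }
}
```

Two things to check when wiring this in: the client should not send an `Authorization` header on the login request at all, and if the project is on Spring Security 6.1 or later, `req.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll()` is the more precise way to permit error dispatches than matching the `/error` path.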