diff --git a/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java b/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java
index 1792263..1fbc1f7 100644
--- a/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java
+++ b/paladins-webservice/src/main/java/dev/luzifer/spring/config/WebSecurityConfig.java
@@ -13,9 +13,11 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+import org.springframework.security.web.util.matcher.RequestMatcher;

 @Configuration
 @EnableWebSecurity
@@ -39,7 +41,7 @@ public ApiKeyAuthFilter apiKeyAuthFilter(AuthenticationManager authenticationMan
 @Bean
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 AuthenticationManager authenticationManager =
- http.getSharedObject(AuthenticationConfiguration.class).getAuthenticationManager();
+ authenticationManager(http.getSharedObject(AuthenticationConfiguration.class));

 http.csrf(AbstractHttpConfigurer::disable)
 .formLogin(AbstractHttpConfigurer::disable)
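Review bot: The `AuthenticationManager` is still fetched by hand from a shared object in `securityFilterChain`, now through `authenticationManager(...)`, which is defined outside this hunk. If that method is a `@Bean` (this cannot be confirmed from the visible lines), declaring the dependency as a parameter, `public SecurityFilterChain securityFilterChain(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception`, lets Spring inject the same instance. That also removes the unchecked `http.getSharedObject(AuthenticationConfiguration.class)` result, which would surface as a NullPointerException at startup if the shared object is absent.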
@@ -48,12 +50,13 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
 .sessionManagement(
 session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 .addFilterBefore(
- apiKeyAuthFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class);
+ apiKeyAuthFilter(authenticationManager), SecurityContextPersistenceFilter.class);

 log.debug("API key: {}", apiKey);
 log.debug("API key header: {}", apiKeyHeader);

- return http.build();
+ return new DefaultSecurityFilterChain(
+ http.getSharedObject(RequestMatcher.class), apiKeyAuthFilter(authenticationManager));
 }

 @Bean
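Review bot: Returning `new DefaultSecurityFilterChain(http.getSharedObject(RequestMatcher.class), apiKeyAuthFilter(authenticationManager))` instead of `http.build()` discards everything configured on `http` in this method: the registered chain holds only the API-key filter, so the stateless session policy, the `addFilterBefore` placement and any authorization rules set on the builder outside this hunk are never applied. Access control then rests entirely on `ApiKeyAuthFilter` rejecting requests itself, with no authorization or exception-translation filter behind it. `HttpSecurity` does not appear to register a `RequestMatcher` shared object, so the first argument is probably null and the chain would fail when it tries to match a request; please confirm. I would keep `return http.build();` and, if the filter position is the goal, change only the `addFilterBefore` anchor. Separately, the unchanged `log.debug("API key: {}", apiKey);` line writes the secret to the log and should record only whether a key is configured.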