We now protect actuator endpoints out the box but without Spring Security there's no way to login. It might be possible for us to implement basic auth ourselves.
After considering all the options I don't think that we should do this. Although it may not be too much code, I think it's quite confusing to have security features sometimes implemented by us and sometimes by Spring Security.
The current situation is quite easy to describe and I think it's pretty reasonable. You need to be a member of the "actuator" group or you need to disable endpoint security if you want to get access. We don't really care how login occurs, as long as the HttpServletRequest is populated appropriately.