According to docs method level security settings must overwrite repository level settings. But it fails when it comes to URI conversion:
Failed to convert from type [java.net.URI] to type [kz.toyville.back.catalog.domain.entity.Category] for value '/category/1'; nested exception is org.springframework.security.access.AccessDeniedException: Access is denied"},"message":"Failed to convert /category/1 into kz.toyville.back.catalog.domain.entity.Category!
How To Reproduce
Run the "List toys for a category" test in the sample (link is below).
Test List toys for a category (in CatalogWebTest) must not fail.