Spring RestController gets redirected to Login no matter what I do

I have a @RestController which acts as a webhook for another API. When the other app posts to the webhook Vaadin 302 redirects it back to the LoginView no matter what I do with antMatchers or @AnonymousAllowed or @969550907647852604mitAll annotation.

This is from the class that extends VaadinWebSecurity:

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests().antMatchers("/VAADIN/**", "/", "/webhook")
            .permitAll();

    super.configure(http);
    setLoginView(http, LoginView.class);
}

And, here’s the RestController…

@RestController
@AnonymousAllowed
public class ATWebhookController {

@PostMapping("/webhook")
public ResponseEntity handleWebhook(@RequestBody String payload) {
    // process the payload and return an appropriate response

    return new ResponseEntity(HttpStatus.OK);
}

By default CSRF is active when using non-vaadin endpoints resulting in Spring security rejecting your request because of no CSRF Token. You can debug this by enabling spring security debug