According to http://projects.spring.io/spring-security-oauth/docs/oauth2.html:
N.B. the Authorization endpoint /oauth/authorize (or its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users.
Why is that? It doesn't sound right that an endpoint that will require an authorization grant to exchange for an authorization code should be secured. It's like a login page for a login page, specially when Authorization grant will be through resource owner password credentials.
oAuth2 authorization works in two steps:
Step 2 happens on /oauth/authorize and step 1 happens elsewhere in your application (most likely through a form-login backed by Spring Security).
If you don't protect /oauth/authorize you will end up granting authorization without authenticating the user (or you won't because without an authenticated session you probably have no idea who the user is).