Assume I have a Spring Boot application (2.4.1) written in Kotlin, using coroutines for reactiveness. I consciously avoided using Reactor's Mono/Flux in favor of coroutines with suspended functions. I need to set up Method Security from Spring Security in order to use the @PreAuthorize annotation.
Here is my controller:
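
    import javax.validation.Valid
    import org.springframework.security.access.prepost.PreAuthorize
    import org.springframework.web.bind.annotation.*

    @RestController
    @CrossOrigin(origins = arrayOf("*"))
    class SearchController(private val searchService: SearchService) {

        // Method-level authorization on a suspend function (this is what triggers the error below)
        @PreAuthorize("hasRole('SOME_ROLE')")
        @PostMapping("/v3/global-entities/{globalEntityId}/something")
        suspend fun something(
            @PathVariable globalEntityId: String,
            @RequestBody @Valid something: Something
        ): SomethingCollection =
            searchService.findSomething(globalEntityId, something)
    }
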
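And the Spring Security configuration:

    import org.springframework.context.annotation.Bean
    import org.springframework.context.annotation.Configuration
    import org.springframework.http.HttpMethod
    import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
    import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
    import org.springframework.security.config.web.server.ServerHttpSecurity
    import org.springframework.security.web.server.SecurityWebFilterChain
    import org.springframework.security.web.server.context.ServerSecurityContextRepository

    @Configuration
    @EnableReactiveMethodSecurity
    @EnableWebFluxSecurity
    class SecurityConfiguration {

        companion object {
            val UNPROTECTED_ENDPOINTS = arrayOf("/version", "/health", "/metrics")
        }

        @Bean
        fun springSecurityFilterChain(
            http: ServerHttpSecurity,
            securityContextRepository: ServerSecurityContextRepository
        ): SecurityWebFilterChain {
            // accessDeniedHandler() is not shown in the question
            return http.securityContextRepository(securityContextRepository)
                .csrf().disable()
                .httpBasic().disable()
                .authorizeExchange()
                .pathMatchers(HttpMethod.GET, *UNPROTECTED_ENDPOINTS).permitAll()
                .anyExchange().authenticated()
                .and()
                .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
                .and()
                .build()
        }
    }
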
When I try to test the endpoint, I get the following error:

    java.lang.IllegalStateException: The returnType class java.lang.Object on public java.lang.Object com....SearchController.something(java.lang.String,com...Something,kotlin.coroutines.Continuation) must return an instance of org.reactivestreams.Publisher (i.e. Mono / Flux) in order to support Reactor Context
        at org.springframework.util.Assert.state(Assert.java:97) ~[spring-core-5.3.2.jar:5.3.2]
        Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:

Any recommendations on how to work around it?
PS: It seems to be a known limitation; please vote on https://github.com/spring-projects/spring-security/issues/8143 to get it fixed by the Spring guys.