Describe the bug
@PreAuthorize is not applied when used on a Kotlin Flow (while working for Flux and Mono).
To Reproduce
(see README of sample repo for a setup + tests)
@PreAuthorize("denyAll")
fun deniedFlow(): Flow<String>
and the implementation
override fun deniedFlow(): Flow<String> {
    return deniedService.multipleAsFlow()
}
Calling
fooService.deniedFlow().asFlux().blockFirst()
does not throw AccessDeniedException and calls deniedService.multipleAsFlow().
Expected behavior
I expect that deniedService.multipleAsFlow is not executed and instead an AccessDeniedException is thrown.
Sample
https://github.com/RobertHeim/spring-security-bug-preauth-coroutines-flow
Workarounds
Changing the implementation to one of the following makes the PreAuthorize throw an AccessDeniedException as expected:
Option 1: wrap the implementation in a new flow {}
override fun deniedFlow(): Flow<String> {
    return flow { emitAll(deniedService.multipleAsFlow()) }
}
Option 2: use Flux and convert to Flow in the outer scope.
override fun deniedFlow(): Flux<String> {
    return deniedService.multipleAsFlow().asFlux()
}
// called like: deniedFlow().asFlow()
Comment From: eleftherias
Nice catch @RobertHeim!
This is now fixed on main.
Feel free to try it out with the latest 5.5.0-SNAPSHOT or with 5.5.0-RC2 next week.
Comment From: RobertHeim
Thanks for the follow-up and fix!