Expected Behavior

With WebFlux, mockUser() must have an effect if a controller method is annotated with @PreAuthorize. It has no effect when running a test.

Current Behavior

Test Below:

@ExtendWith(MockitoExtension.class)
@WebFluxTest(ItemController.class)
class ItemControllerTest {
    ...

    @Test
    void testFailsWhenNotAuthorizedUserChangesItem() {
        // Used with CustomUserDetails(long userId, String username, String password, Collection<? extends GrantedAuthority> authorities), which implements UserDetails
        webTestClient.mutateWith(mockUser(new CustomUserDetails()))
                     .post()
                     .uri("URL")
                     .exchange()
                     .expectStatus().isForbidden();
    }
}

Controller Below:

@PostMapping
@PreAuthorize("@itemRoleChecker.hasOwnerRole(authentication, #itemIdx)")
public Mono<ResponseEntity<ResponseDto>> updateItem(...) { ... }

It is required to return Forbidden, but the result turns out to be 200 OK because the test doesn't consider @PreAuthorize.


In SecurityConfig, I added @EnableReactiveMethodSecurity to use annotations.

Comment From: kworkbee

Wrong label, will change to another issue with another label