Hi All, I am getting 401 for private endpoints even after successful token validation. This issue is happening with Spring WebFlux only. I am attaching the code related to this issue. Can someone please help me here?
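```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.web.reactive.config.EnableWebFlux;

@Configuration
@EnableWebFluxSecurity
@EnableWebFlux
public class WebSecurityConfig {

    // Custom token filter registered at the AUTHENTICATION position below
    private FluxTokenAuthenticationFilter fluxTokenAuthenticationFilter;

    @Bean
    public SecurityWebFilterChain securitygWebFilterChain(ServerHttpSecurity http) {
        http
            .csrf().disable()
            .formLogin().disable()
            .httpBasic().disable()
            // This chain only applies to requests matching /auth/**
            .securityMatcher(new PathPatternParserServerWebExchangeMatcher("/auth/**"))
            // Listed paths are open; every other exchange in this chain requires authentication
            .authorizeExchange().pathMatchers(
                "/checkemail", "/auth/signup", "/auth/login", "/user/finduserbyusername")
            .permitAll().anyExchange().authenticated()
            .and()
            .exceptionHandling(handling -> handling.authenticationEntryPoint(customAuthenticationEntryPoint()))
            .addFilterAt(fluxTokenAuthenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION)
            .cors();
        return http.build();
    }

    @Bean
    FluxCustomAuthenticationEntryPoint customAuthenticationEntryPoint() {
        return new FluxCustomAuthenticationEntryPoint();
    }
}
```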
Log:
```
2023-08-31 21:15:39.587 INFO 17012 --- [ctor-http-nio-3] o.c.a.s.FluxTokenAuthenticationFilter : calling HotelJwtTokenCreator validateToken() to validate the token - eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJza3VsbDEiLCJpYXQiOjE2OTM0OTQwMTIsImV4cCI6MTY5MzUyMjgxMn0.XW4RvWR5BZZyjhwWMBUme_ZqApZI6LBBUIHHKrZTt5E
2023-08-31 21:15:39.588 INFO 17012 --- [ctor-http-nio-3] o.codespy.auth.jwt.HotelJwtTokenCreator : HotelJwtTokenCreator validateToken(), token - eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJza3VsbDEiLCJpYXQiOjE2OTM0OTQwMTIsImV4cCI6MTY5MzUyMjgxMn0.XW4RvWR5BZZyjhwWMBUme_ZqApZI6LBBUIHHKrZTt5E and userDetails - org.codespy.auth.models.CustomUserDetails@2ae8e83f
2023-08-31 21:15:39.588 INFO 17012 --- [ctor-http-nio-3] o.codespy.auth.jwt.HotelJwtTokenCreator : token inside getAllClaimsFromToken() , token - eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJza3VsbDEiLCJpYXQiOjE2OTM0OTQwMTIsImV4cCI6MTY5MzUyMjgxMn0.XW4RvWR5BZZyjhwWMBUme_ZqApZI6LBBUIHHKrZTt5E
2023-08-31 21:15:39.588 INFO 17012 --- [ctor-http-nio-3] o.codespy.auth.jwt.HotelJwtTokenCreator : apiKeySecretBytes under getSigningKey() for secret - codespychannelspidysdsaddsddsddsdsaddaswerertertcfghfg
2023-08-31 21:15:39.590 INFO 17012 --- [ctor-http-nio-3] o.codespy.auth.jwt.HotelJwtTokenCreator : token inside getAllClaimsFromToken() , token - eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJza3VsbDEiLCJpYXQiOjE2OTM0OTQwMTIsImV4cCI6MTY5MzUyMjgxMn0.XW4RvWR5BZZyjhwWMBUme_ZqApZI6LBBUIHHKrZTt5E
2023-08-31 21:15:39.590 INFO 17012 --- [ctor-http-nio-3] o.codespy.auth.jwt.HotelJwtTokenCreator : apiKeySecretBytes under getSigningKey() for secret - codespychannelspidysdsaddsddsddsdsaddaswerertertcfghfg
2023-08-31 21:15:39.591 INFO 17012 --- [ctor-http-nio-3] o.c.a.s.FluxTokenAuthenticationFilter : Given Token validated, and store userDetails in UsernamePasswordAuthenticationToken, token - eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJza3VsbDEiLCJpYXQiOjE2OTM0OTQwMTIsImV4cCI6MTY5MzUyMjgxMn0.XW4RvWR5BZZyjhwWMBUme_ZqApZI6LBBUIHHKrZTt5E, userDetails - org.codespy.auth.models.CustomUserDetails@2ae8e83f
2023-08-31 21:15:39.630 ERROR 17012 --- [ parallel-1] c.a.s.FluxCustomAuthenticationEntryPoint : Responding with unauthorized error. Message - Not Authenticated, header [transfer-encoding:"chunked"]
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: Not Authenticated
```
Let me know if you need anything.
Comment From: sjohnr
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.
Please note that if you feel you have found a bug in Spring Security, we do ask that you reduce the code to the minimal amount of code possible to reproduce the issue. This would include removing your custom filter, which I have not reviewed but could potentially be where the problem lies in your example.
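
For reference alongside the thread, an added example (not code from the issue or from Spring Security) of a WebFlux token filter that hands its `Authentication` to the rest of the chain through the Reactor context, which is where reactive `authenticated()` rules read it from. The reporter's filter is not shown on the page, so this does not diagnose it; the class name, the `TokenValidator` interface and the `ROLE_USER` authority are hypothetical.

```java
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
import reactor.util.context.Context;

// Added example: hypothetical filter, not the reporter's FluxTokenAuthenticationFilter.
public class ExampleTokenWebFilter implements WebFilter {

    /** Hypothetical validator: emits the username for a valid token, completes empty otherwise. */
    public interface TokenValidator {
        Mono<String> usernameFor(String token);
    }

    private static final String PREFIX = "Bearer ";
    private final TokenValidator validator;

    public ExampleTokenWebFilter(TokenValidator validator) {
        this.validator = validator;
    }

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith(PREFIX)) {
            // No bearer token: continue unauthenticated; authenticated() rules then yield 401.
            return chain.filter(exchange);
        }
        return validator.usernameFor(header.substring(PREFIX.length()))
                // Three-argument constructor marks the token as authenticated. ROLE_USER is assumed.
                .map(user -> (Authentication) new UsernamePasswordAuthenticationToken(
                        user, null, AuthorityUtils.createAuthorityList("ROLE_USER")))
                // Wrap the Authentication in a Reactor Context entry.
                .map(ReactiveSecurityContextHolder::withAuthentication)
                // Invalid token: fall through with an empty context (still unauthenticated).
                .defaultIfEmpty(Context.empty())
                // Run the rest of the chain exactly once, with that context attached.
                // The thread-bound SecurityContextHolder is not consulted by reactive authorization.
                .flatMap(ctx -> chain.filter(exchange).contextWrite(ctx));
    }
}
```

A filter like this would be registered the same way as in the configuration above, with `addFilterAt(..., SecurityWebFiltersOrder.AUTHENTICATION)`.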