Spring Security @PreAuthorize in combination with kotlin coroutines and @Transactional does not proceed to invoke TransactionInterceptor

Describe the bug

Unsure whether or not this is a bug or expected behaviour. When annotating a suspending kotlin function with both @PreAuthorize and @Transactional and not returing a Mono/Flux/Flow the PrePostAdviceReactiveMethodInterceptor does not proceed to invoke the transaction interceptor. It is possible to work around this issue by for example moving the @Transactional annotation to the RestController

To Reproduce

@Service
class Dummy(private val repository: FooRepository) {
    @PreAuthorize("hasAnyAuthority('FOO', 'BAR')")
    @Transactional
    suspend fun foo(name: String): FooDto {
        val rowsUpdated = repository.insertSomethingSuspended()
        return FooDto(name)
    }
    data class FooDto(val name: String)
}

Expected behavior I would expect the PrePostAdviceReactiveMethodInterceptor to proceed to the next interceptor in the chain

Comment From: eleftherias

Thanks for reaching out @rolvraen. Do you have a minimal sample that reproduces this issue?

Comment From: rolvraen

@eleftherias Thanks for getting back to me. I've created a small sample that should illustrate the issue: https://github.com/rolvraen/spring-security-10252

Comment From: josteitv

@eleftherias I have rewritten the sample project from @rolvraen to three unit tests and added them to KotlinEnableReactiveMethodSecurityTests. Commit: https://github.com/josteitv/spring-security/commit/682febb5081cf2e432385e8d3d7a6242a8447b8a#diff-423840da1fb0e93966c9f924ac3774caa7f4c54fd7697a391a842208dd59ede8

The problem seems to be that suspend functions are called with CoroutinesUtils.invokeSuspendingFunction in PrePostAdviceReactiveMethodInterceptor, and this will break the chain of interceptors. When using Flow without suspend, everything works correct, because flowProceed handles the invocation chain correct.

Comment From: eleftherias

Thanks @rolvraen and @josteitv, I can see the issue. Are either of you interested in submitting a pull request to fix the issue?

Comment From: koenpunt

Are either of you interested in submitting a pull request to fix the issue?

Since there apparently isn't in interest in fixing it, is this going to be picked up by the Spring team?

Comment From: jzheaux

This was addressed in the Spring Framework in #22462. Please see this comment for context specific to Spring Security. The corresponding code in Spring Security was updated in https://github.com/spring-projects/spring-security/issues/12080 in the 6.2.0 release.

Since this is a specific issue addressed by #12080, I'll mark this as closed as of 6.2.0