SpringBoot WebFlux / Reactive Security - Traces not connected

When using WebFlux and Reactive Security the Micrometer traces are not connected (parent span missing). Especially traces created by the security filter are effected. Traces from the application itself are working fine.

Same setup using Web MV works perfectly as well.

This issue can be reproduced by a simple demo project. Is there any config missing?

Gradle dependencies

plugins {
    id 'java'
    id 'org.springframework.boot' version '3.0.1'
    id 'io.spring.dependency-management' version '1.1.0'
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.boot:spring-boot-starter-webflux'
    implementation 'io.micrometer:micrometer-tracing-bridge-otel'
    implementation 'io.projectreactor:reactor-core-micrometer'
    runtimeOnly 'io.micrometer:micrometer-registry-prometheus'
    runtimeOnly 'io.opentelemetry:opentelemetry-exporter-zipkin'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'io.projectreactor:reactor-test'
    testImplementation 'org.springframework.security:spring-security-test'
}

Security config

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public MapReactiveUserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("user")
                .roles("USER")
                .build();
        return new MapReactiveUserDetailsService(user);
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
                .authorizeExchange(exchanges -> exchanges
                        .anyExchange().authenticated()
                )
                .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

application.properties

management.endpoint.health.show-details=always
management.endpoints.web.exposure.include=health,info,prometheus
management.zipkin.tracing.endpoint=http://localhost:9411/api/v2/spans
management.tracing.sampling.probability=1.0

Comment From: wilkinsona

Duplicates https://github.com/spring-projects/spring-boot/issues/33495. @jzheaux is investigating on the Spring Security side.