APM + Webflux: @PreAuthorize returns always HTTP 403

Describe the bug

The combination of APM with Webflux and Spring Security leads to 403 errors in RestControllers, when using @PreAuthorize.

Steps to reproduce

Steps to reproduce the behavior:

1. Create a default elasticapm.properties config, where you do not disable the instrumentations for spring-webflux.
2. Create a @RestController and annotate a method with the following @PreAuthorize("hasAuthority('SCOPE_yourScope')") @GetMapping(produces = {APPLICATION_JSON_VALUE, APPLICATION_STREAM_JSON_VALUE}
3. Send a get request to the API and receive HTTP 403.
4. Disbale the Instrumentations for spring-webflux: disable_instrumentations=spring-webflux -> receive HTTP 200 from the API.

Bad workaround

A workaround would be to move the checks for hasAuthority from the methods in the RestControllers to a SecurityWebFilterChain Bean, which will be called long before the RestControllers. In the SecurityWebFilterChain you can use pathMatcher with hasAuthority.

Note: The disadvantage of this way is, that you can accidently forget to add pathMatchers for new methods. Your security and you rest APIs are somehow seperated.

Additional info

elasticApmVersion = “1.25.0” springBootVersion = “2.5.3” springSecurityVersion = “5.5.1” springCloudAwsVersion = “2.2.6.RELEASE” projectReactorVersion = “3.4.3”