Update to Reactor 2025.0.0-SNAPSHOT

To prepare for the release we should update to Reactor
2025.0.0-SNAPSHOT to fix any issues that are present.

Closes gh-18041

Author: rwinch

core/src/main/java/org/springframework/security/authentication/ott/reactive/InMemoryReactiveOneTimeTokenService.java

@@ -43,6 +43,7 @@ public Mono<OneTimeToken> generate(GenerateOneTimeTokenRequest request) {
 	}
 
 	@Override
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	public Mono<OneTimeToken> consume(OneTimeTokenAuthenticationToken authenticationToken) {
 		return Mono.just(authenticationToken).mapNotNull(this.oneTimeTokenService::consume);
 	}

core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java

@@ -58,9 +58,10 @@ public ObservationReactiveAuthorizationManager(ObservationRegistry registry,
 	}
 
 	@Override
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
 		AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object);
-		Mono<Authentication> wrapped = authentication.map((auth) -> {
+		Mono<Authentication> wrapped = authentication.mapNotNull((auth) -> {
 			context.setAuthentication(auth);
 			return context.getAuthentication();
 		});

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisorProxyFactory.java

@@ -588,12 +588,14 @@ private static class ReactiveTypeVisitor implements TargetVisitor {
 			return null;
 		}
 
+		@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 		private Mono<?> proxyMono(AuthorizationProxyFactory proxyFactory, Mono<?> mono) {
-			return mono.map(proxyFactory::proxy);
+			return mono.mapNotNull(proxyFactory::proxy);
 		}
 
+		@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 		private Flux<?> proxyFlux(AuthorizationProxyFactory proxyFactory, Flux<?> flux) {
-			return flux.map(proxyFactory::proxy);
+			return flux.mapNotNull(proxyFactory::proxy);
 		}
 
 	}

core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java

@@ -120,6 +120,7 @@ public Object invoke(MethodInvocation mi) throws Throwable {
 						+ "(for example, a Mono or Flux) or the function must be a Kotlin coroutine "
 						+ "in order to support Reactor Context");
 		Mono<Authentication> authentication = ReactiveAuthenticationUtils.getAuthentication();
+		@SuppressWarnings("NullAway") // Dataflow analysis limitation
 		Function<Signal<?>, Mono<?>> postAuthorize = (signal) -> {
 			if (signal.isOnComplete()) {
 				return Mono.empty();
@@ -130,12 +131,16 @@ public Object invoke(MethodInvocation mi) throws Throwable {
 			if (signal.getThrowable() instanceof AuthorizationDeniedException denied) {
 				return postProcess(denied, mi);
 			}
+			// getThrowable must be non-null because hasError() is true
 			return Mono.error(signal.getThrowable());
 		};
 		ReactiveAdapter adapter = ReactiveAdapterRegistry.getSharedInstance().getAdapter(type);
 		if (hasFlowReturnType) {
 			if (isSuspendingFunction) {
 				Publisher<?> publisher = ReactiveMethodInvocationUtils.proceed(mi);
+				if (publisher == null) {
+					return Flux.empty();
+				}
 				return Flux.from(publisher).materialize().flatMap(postAuthorize);
 			}
 			else {
@@ -148,6 +153,9 @@ public Object invoke(MethodInvocation mi) throws Throwable {
 			}
 		}
 		Publisher<?> publisher = ReactiveMethodInvocationUtils.proceed(mi);
+		if (publisher == null) {
+			return Flux.empty();
+		}
 		if (isMultiValue(type, adapter)) {
 			Flux<?> flux = Flux.from(publisher).materialize().flatMap(postAuthorize);
 			return (adapter != null) ? adapter.fromPublisher(flux) : flux;
@@ -173,7 +181,7 @@ private Mono<Object> postAuthorize(Mono<Authentication> authentication, MethodIn
 
 	private Mono<Object> postProcess(AuthorizationResult decision, MethodInvocationResult methodInvocationResult) {
 		if (decision.isGranted()) {
-			return Mono.just(methodInvocationResult.getResult());
+			return Mono.justOrEmpty(methodInvocationResult.getResult());
 		}
 		return Mono.fromSupplier(() -> {
 			if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) {

core/src/main/java/org/springframework/security/authorization/method/ReactiveAuthenticationUtils.java

@@ -35,9 +35,10 @@ final class ReactiveAuthenticationUtils {
 	private static final Authentication ANONYMOUS = new AnonymousAuthenticationToken("key", "anonymous",
 			AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
 
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	static Mono<Authentication> getAuthentication() {
 		return ReactiveSecurityContextHolder.getContext()
-			.map(SecurityContext::getAuthentication)
+			.mapNotNull(SecurityContext::getAuthentication)
 			.defaultIfEmpty(ANONYMOUS);
 	}
 

core/src/main/java/org/springframework/security/authorization/method/ReactiveMethodInvocationUtils.java

@@ -28,7 +28,7 @@
  */
 final class ReactiveMethodInvocationUtils {
 
-	static <T> @Nullable T proceed(MethodInvocation mi) {
+	static @Nullable <T> T proceed(MethodInvocation mi) {
 		try {
 			return (T) mi.proceed();
 		}

core/src/main/java/org/springframework/security/core/session/InMemoryReactiveSessionRegistry.java

@@ -50,9 +50,10 @@ public InMemoryReactiveSessionRegistry(ConcurrentMap<Object, Set<String>> sessio
 	}
 
 	@Override
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	public Flux<ReactiveSessionInformation> getAllSessions(Object principal) {
 		return Flux.fromIterable(this.sessionIdsByPrincipal.getOrDefault(principal, Collections.emptySet()))
-			.map(this.sessionById::get);
+			.mapNotNull(this.sessionById::get);
 	}
 
 	@Override

gradle/libs.versions.toml

@@ -30,7 +30,7 @@ commons-collections = "commons-collections:commons-collections:3.2.2"
 io-micrometer-context-propagation = "io.micrometer:context-propagation:1.1.3"
 io-micrometer-micrometer-observation = "io.micrometer:micrometer-observation:1.14.11"
 io-mockk = "io.mockk:mockk:1.14.6"
-io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2025.0.0-M7"
+io-projectreactor-reactor-bom = "io.projectreactor:reactor-bom:2025.0.0-SNAPSHOT"
 io-rsocket-rsocket-bom = { module = "io.rsocket:rsocket-bom", version.ref = "io-rsocket" }
 io-spring-javaformat-spring-javaformat-checkstyle = { module = "io.spring.javaformat:spring-javaformat-checkstyle", version.ref = "io-spring-javaformat" }
 io-spring-javaformat-spring-javaformat-gradle-plugin = { module = "io.spring.javaformat:spring-javaformat-gradle-plugin", version.ref = "io-spring-javaformat" }

messaging/src/main/java/org/springframework/security/messaging/handler/invocation/reactive/AuthenticationPrincipalArgumentResolver.java

@@ -138,11 +138,12 @@ public boolean supportsParameter(MethodParameter parameter) {
 	}
 
 	@Override
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	public Mono<Object> resolveArgument(MethodParameter parameter, Message<?> message) {
 		ReactiveAdapter adapter = this.adapterRegistry.getAdapter(parameter.getParameterType());
 		// @formatter:off
 		return ReactiveSecurityContextHolder.getContext()
-				.map(SecurityContext::getAuthentication)
+				.mapNotNull(SecurityContext::getAuthentication)
 				.flatMap((a) -> {
 					Object p = resolvePrincipal(parameter, a.getPrincipal());
 					Mono<Object> principal = Mono.justOrEmpty(p);

rsocket/src/main/java/org/springframework/security/rsocket/authorization/AuthorizationPayloadInterceptor.java

@@ -55,10 +55,10 @@ public void setOrder(int order) {
 	}
 
 	@Override
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	public Mono<Void> intercept(PayloadExchange exchange, PayloadInterceptorChain chain) {
 		return ReactiveSecurityContextHolder.getContext()
-			.filter((c) -> c.getAuthentication() != null)
-			.map(SecurityContext::getAuthentication)
+			.mapNotNull(SecurityContext::getAuthentication)
 			.switchIfEmpty(Mono.error(() -> new AuthenticationCredentialsNotFoundException(
 					"An Authentication (possibly AnonymousAuthenticationToken) is required.")))
 			.as((authentication) -> this.authorizationManager.verify(authentication, exchange))