Update to Reactor 2025.0.0-SNAPSHOT

To prepare for the release we should update to Reactor
2025.0.0-SNAPSHOT to fix any issues that are present.

Closes gh-18041

core/src/main/java/org/springframework/security/authentication/ott/reactive/InMemoryReactiveOneTimeTokenService.java

@@ -43,6 +43,7 @@ public final class InMemoryReactiveOneTimeTokenService implements ReactiveOneTim
 	}
 
 	@Override
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	public Mono<OneTimeToken> consume(OneTimeTokenAuthenticationToken authenticationToken) {
 		return Mono.just(authenticationToken).mapNotNull(this.oneTimeTokenService::consume);
 	}

core/src/main/java/org/springframework/security/authorization/ObservationReactiveAuthorizationManager.java

@@ -58,9 +58,10 @@ public final class ObservationReactiveAuthorizationManager<T>
 	}
 
 	@Override
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	public Mono<AuthorizationResult> authorize(Mono<Authentication> authentication, T object) {
 		AuthorizationObservationContext<T> context = new AuthorizationObservationContext<>(object);
-		Mono<Authentication> wrapped = authentication.map((auth) -> {
+		Mono<Authentication> wrapped = authentication.mapNotNull((auth) -> {
 			context.setAuthentication(auth);
 			return context.getAuthentication();
 		});

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisorProxyFactory.java

@@ -588,12 +588,14 @@ public final class AuthorizationAdvisorProxyFactory implements AuthorizationProx
 			return null;
 		}
 
+		@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 		private Mono<?> proxyMono(AuthorizationProxyFactory proxyFactory, Mono<?> mono) {
-			return mono.map(proxyFactory::proxy);
+			return mono.mapNotNull(proxyFactory::proxy);
 		}
 
+		@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 		private Flux<?> proxyFlux(AuthorizationProxyFactory proxyFactory, Flux<?> flux) {
-			return flux.map(proxyFactory::proxy);
+			return flux.mapNotNull(proxyFactory::proxy);
 		}
 
 	}

core/src/main/java/org/springframework/security/authorization/method/AuthorizationManagerAfterReactiveMethodInterceptor.java

@@ -120,6 +120,7 @@ public final class AuthorizationManagerAfterReactiveMethodInterceptor implements
 						+ "(for example, a Mono or Flux) or the function must be a Kotlin coroutine "
 						+ "in order to support Reactor Context");
 		Mono<Authentication> authentication = ReactiveAuthenticationUtils.getAuthentication();
+		@SuppressWarnings("NullAway") // Dataflow analysis limitation
 		Function<Signal<?>, Mono<?>> postAuthorize = (signal) -> {
 			if (signal.isOnComplete()) {
 				return Mono.empty();
@@ -130,12 +131,16 @@ public final class AuthorizationManagerAfterReactiveMethodInterceptor implements
 			if (signal.getThrowable() instanceof AuthorizationDeniedException denied) {
 				return postProcess(denied, mi);
 			}
+			// getThrowable must be non-null because hasError() is true
 			return Mono.error(signal.getThrowable());
 		};
 		ReactiveAdapter adapter = ReactiveAdapterRegistry.getSharedInstance().getAdapter(type);
 		if (hasFlowReturnType) {
 			if (isSuspendingFunction) {
 				Publisher<?> publisher = ReactiveMethodInvocationUtils.proceed(mi);
+				if (publisher == null) {
+					return Flux.empty();
+				}
 				return Flux.from(publisher).materialize().flatMap(postAuthorize);
 			}
 			else {
@@ -148,6 +153,9 @@ public final class AuthorizationManagerAfterReactiveMethodInterceptor implements
 			}
 		}
 		Publisher<?> publisher = ReactiveMethodInvocationUtils.proceed(mi);
+		if (publisher == null) {
+			return Flux.empty();
+		}
 		if (isMultiValue(type, adapter)) {
 			Flux<?> flux = Flux.from(publisher).materialize().flatMap(postAuthorize);
 			return (adapter != null) ? adapter.fromPublisher(flux) : flux;
@@ -173,7 +181,7 @@ public final class AuthorizationManagerAfterReactiveMethodInterceptor implements
 
 	private Mono<Object> postProcess(AuthorizationResult decision, MethodInvocationResult methodInvocationResult) {
 		if (decision.isGranted()) {
-			return Mono.just(methodInvocationResult.getResult());
+			return Mono.justOrEmpty(methodInvocationResult.getResult());
 		}
 		return Mono.fromSupplier(() -> {
 			if (this.authorizationManager instanceof MethodAuthorizationDeniedHandler handler) {

core/src/main/java/org/springframework/security/authorization/method/ReactiveAuthenticationUtils.java

@@ -35,9 +35,10 @@ final class ReactiveAuthenticationUtils {
 	private static final Authentication ANONYMOUS = new AnonymousAuthenticationToken("key", "anonymous",
 			AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
 
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	static Mono<Authentication> getAuthentication() {
 		return ReactiveSecurityContextHolder.getContext()
-			.map(SecurityContext::getAuthentication)
+			.mapNotNull(SecurityContext::getAuthentication)
 			.defaultIfEmpty(ANONYMOUS);
 	}
 

core/src/main/java/org/springframework/security/authorization/method/ReactiveMethodInvocationUtils.java

@@ -28,7 +28,7 @@ import reactor.core.Exceptions;
  */
 final class ReactiveMethodInvocationUtils {
 
-	static <T> @Nullable T proceed(MethodInvocation mi) {
+	static @Nullable <T> T proceed(MethodInvocation mi) {
 		try {
 			return (T) mi.proceed();
 		}

core/src/main/java/org/springframework/security/core/session/InMemoryReactiveSessionRegistry.java

@@ -50,9 +50,10 @@ public class InMemoryReactiveSessionRegistry implements ReactiveSessionRegistry
 	}
 
 	@Override
+	@SuppressWarnings("NullAway") // https://github.com/uber/NullAway/issues/1290
 	public Flux<ReactiveSessionInformation> getAllSessions(Object principal) {
 		return Flux.fromIterable(this.sessionIdsByPrincipal.getOrDefault(principal, Collections.emptySet()))
-			.map(this.sessionById::get);
+			.mapNotNull(this.sessionById::get);
 	}
 
 	@Override