Spring Security creates inconsistent spans for Actuator endpoints on management port in Spring MVC #18531
Description
Describe the bug
When a Spring Boot application is configured with a dedicated management port (management.server.port), HTTP requests to Actuator endpoints are not correctly traced (or not traced at all) when using Micrometer Tracing / OpenTelemetry.
This issue only occurs in a Servlet-based application using spring-web / Spring MVC.
The same configuration works correctly with Spring WebFlux, where actuator endpoints exposed on a dedicated management port are properly traced.
When Actuator runs on the same port as the main application (server.port), tracing works as expected in both cases.
This issue only affects Actuator endpoints exposed on the management port; regular application endpoints are traced correctly.
Both Spring Boot 3.5.9 and 4.0.1 contains the same issue.
To Reproduce
https://github.com/guerricm/demo-secu-observability/blob/main/README.md
Expected behavior
Actuator endpoints should be traced consistently, regardless of whether they are exposed on the main application port or on a dedicated management port, for both Spring MVC and Spring WebFlux applications.
Sample
https://github.com/guerricm/demo-secu-observability
--
A working Spring WebFlux version is available on the webflux branch:
https://github.com/guerricm/demo-secu-observability/blob/webflux/README.md