/**
 * Verifies that a successful form login is redirected to the URL handed to a
 * custom {@link RedirectServerAuthenticationSuccessHandler} ("/custom" here).
 */
@Test
public void authenticationSuccess() {
    RedirectServerAuthenticationSuccessHandler successHandler =
            new RedirectServerAuthenticationSuccessHandler("/custom");
    SecurityWebFilterChain filterChain = this.http
            .authorizeExchange()
                .anyExchange().authenticated()
                .and()
            .formLogin()
                .authenticationSuccessHandler(successHandler)
                .and()
            .build();
    WebTestClient client = WebTestClientBuilder
            .bindToWebFilters(filterChain)
            .build();
    WebDriver browser = WebTestClientHtmlUnitDriverBuilder
            .webTestClientSetup(client)
            .build();
    DefaultLoginPage loginPage = DefaultLoginPage.to(browser).assertAt();
    // The submitted page object is not needed; the redirect target is read from the driver.
    loginPage.loginForm()
            .username("user")
            .password("password")
            .submit(HomePage.class);
    assertThat(browser.getCurrentUrl()).endsWith("/custom");
}
/**
 * Filter chain that permits every exchange and disables CSRF protection; no
 * authentication mechanism is configured, so every endpoint behind this chain
 * is reachable anonymously.
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 * @throws Exception retained from the original signature
 */
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    http.authorizeExchange().anyExchange().permitAll();
    http.csrf().disable();
    return http.build();
}
}
/**
 * Deny access to every caller, authenticated or not: the decision is always
 * {@code false} regardless of the principal or the exchange.
 * @return the {@link AuthorizeExchangeSpec} to continue configuring
 */
public AuthorizeExchangeSpec denyAll() {
    return access((authentication, context) -> Mono.just(new AuthorizationDecision(false)));
}
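/**
 * Builds the WebFlux security filter chain for the JWT token approach: a custom
 * HTTP Basic filter and a custom bearer-token filter are inserted at the
 * {@link SecurityWebFiltersOrder#HTTP_BASIC} and
 * {@link SecurityWebFiltersOrder#AUTHENTICATION} positions respectively.
 * <p>
 * Authorization rules: {@code /login}, {@code /} and {@code /api/**} require an
 * authenticated principal. No {@code anyExchange()} rule is declared, so the
 * outcome for any other path is whatever the framework applies to unmatched
 * exchanges — NOTE(review): confirm that is intended rather than adding an
 * explicit catch-all rule.
 *
 * @param http the initial {@link ServerHttpSecurity}; customized filters and
 *             authorization rules are added to it here
 * @return the {@link SecurityWebFilterChain} providing security for web exchanges
 */
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    // ServerHttpSecurity#authorizeExchange() hands back the same spec on repeated
    // calls, so the two separate authorizeExchange() blocks of the original
    // declare the rules once, in the same order, without the misleading split.
    http
        .authorizeExchange()
            .pathMatchers("/login", "/").authenticated()
            .pathMatchers("/api/**").authenticated()
            .and()
        .addFilterAt(basicAuthenticationFilter(), SecurityWebFiltersOrder.HTTP_BASIC)
        .addFilterAt(bearerAuthenticationFilter(), SecurityWebFiltersOrder.AUTHENTICATION);
    return http.build();
}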
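/**
 * The default {@link ServerHttpSecurity} configuration: every exchange requires
 * an authenticated user. When OAuth2 is present and the classpath guard agrees,
 * the OAuth2 configuration is applied; otherwise HTTP Basic and form login are
 * enabled.
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 */
private SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange().anyExchange().authenticated();
    if (isOAuth2Present && OAuth2ClasspathGuard.shouldConfigure(this.context)) {
        OAuth2ClasspathGuard.configure(this.context, http);
    }
    else {
        // Fallback when OAuth2 is not configured: both mechanisms are enabled.
        http.httpBasic().and().formLogin();
    }
    return http.build();
}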
/**
 * Filter chain for the posts API: HTTP Basic backed by a WebSession-stored
 * security context; GET on posts is open to anyone, DELETE on posts needs the
 * ADMIN role, other post and auth endpoints need authentication, per-user paths
 * are decided by {@code currentUserMatchesPath}, everything else is permitted.
 * NOTE(review): CSRF protection is disabled while the authenticated context is
 * persisted in the WebSession, so state-changing requests from a browser that
 * already holds the session cookie are not CSRF-protected — confirm this is
 * intended (e.g. non-browser clients only).
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 * @throws Exception retained from the original signature
 */
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    //@formatter:off
    http.csrf().disable();
    http.httpBasic()
        .securityContextRepository(new WebSessionServerSecurityContextRepository());
    http.authorizeExchange()
        .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
        .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
        .pathMatchers("/posts/**").authenticated()
        .pathMatchers("/auth/**").authenticated()
        .pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
        .anyExchange().permitAll();
    return http.build();
    //@formatter:on
}
/**
 * Filter chain that leaves static resources (favicon, CSS, webjars) open and
 * requires authentication for everything else, with HTTP Basic, form login and
 * logout enabled using their defaults.
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity http) {
    http.authorizeExchange()
        .pathMatchers("/favicon.ico", "/css/**", "/webjars/**").permitAll()
        .anyExchange().authenticated();
    http.httpBasic();
    http.formLogin();
    http.logout();
    return http.build();
}
/**
 * Filter chain requiring authentication on every exchange, accepting either an
 * OAuth2 login (browser flow) or a JWT bearer token (resource-server flow).
 * @param httpSecurity the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity httpSecurity) {
    httpSecurity.authorizeExchange().anyExchange().authenticated();
    httpSecurity.oauth2Login();
    httpSecurity.oauth2ResourceServer().jwt();
    return httpSecurity.build();
}
}
/**
 * Require an authenticated (non-anonymous) user for the matched exchanges.
 * @return the {@link AuthorizeExchangeSpec} to continue configuring
 */
public AuthorizeExchangeSpec authenticated() {
    ReactiveAuthorizationManager<AuthorizationContext> requireAuthenticated =
            AuthenticatedReactiveAuthorizationManager.authenticated();
    return access(requireAuthenticated);
}
/**
 * Require that the current user holds the given authority, matched exactly
 * (for example {@code "USER"} requires an authority named {@code "USER"}).
 * @param authority the granted authority that must be present
 * @return the {@link AuthorizeExchangeSpec} to continue configuring
 */
public AuthorizeExchangeSpec hasAuthority(String authority) {
    ReactiveAuthorizationManager<AuthorizationContext> requireAuthority =
            AuthorityReactiveAuthorizationManager.hasAuthority(authority);
    return access(requireAuthority);
}
/**
 * Deny access to every caller, authenticated or not: the decision is always
 * {@code false} regardless of the principal or the exchange.
 * @return the {@link AuthorizeExchangeSpec} to continue configuring
 */
public AuthorizeExchangeSpec denyAll() {
    return access((authentication, context) -> Mono.just(new AuthorizationDecision(false)));
}
/**
 * Allow access to every caller, including anonymous ones: the decision is
 * always {@code true} regardless of the principal or the exchange.
 * @return the {@link AuthorizeExchangeSpec} to continue configuring
 */
public AuthorizeExchangeSpec permitAll() {
    return access((authentication, context) -> Mono.just(new AuthorizationDecision(true)));
}
/**
 * Filter chain that protects only {@code /proxy} (HTTP Basic, authenticated
 * user required) and permits every other exchange; CSRF protection is disabled.
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
SecurityWebFilterChain authorization(ServerHttpSecurity http) {
    return http
        .httpBasic().and()
        .csrf().disable()
        .authorizeExchange()
            .pathMatchers("/proxy").authenticated()
            .anyExchange().permitAll()
            .and()
        .build();
}
/**
 * Filter chain with HTTP Basic, CSRF disabled, authentication required under
 * {@code /anything/**} and every other exchange permitted.
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 * @throws Exception retained from the original signature
 */
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    http.httpBasic();
    http.csrf().disable();
    http.authorizeExchange()
        .pathMatchers("/anything/**").authenticated()
        .anyExchange().permitAll();
    return http.build();
}
/**
 * Filter chain with CSRF disabled and HTTP Basic enabled; webjars and the whole
 * actuator tree are open, everything else requires authentication.
 * NOTE(review): {@code /actuator/**} being permitted means every exposed
 * actuator endpoint is reachable without credentials — confirm the set of
 * exposed endpoints is limited to non-sensitive ones.
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 * @throws Exception retained from the original signature
 */
@Bean
public SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    return http
        .csrf().disable()
        .authorizeExchange()
            .pathMatchers("/webjars/**", "/actuator/**").permitAll()
            .anyExchange().authenticated()
            .and()
        .httpBasic().and()
        .build();
}
/**
 * Filter chain that leaves the health and info actuator endpoints open and
 * requires authentication (HTTP Basic or form login) for every other exchange.
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange()
        .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)).permitAll()
        .anyExchange().authenticated();
    http.httpBasic();
    http.formLogin();
    return http.build();
}
/**
 * Hook for subclasses to configure authorization. The default permits every
 * exchange, so a configuration that does not override this applies no
 * authorization restrictions at all.
 * @param http the {@link ServerHttpSecurity} whose exchange rules are configured
 */
protected void authorizeExchange(ServerHttpSecurity http) {
    http
        .authorizeExchange()
        .anyExchange()
        .permitAll();
}
/**
 * Filter chain that leaves {@code /about} open and requires an OAuth2 login
 * for every other exchange.
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 * @throws Exception retained from the original signature
 */
@Bean
public SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
    http.authorizeExchange()
        .pathMatchers("/about").permitAll()
        .anyExchange().authenticated();
    http.oauth2Login();
    return http.build();
}
}
/**
 * Filter chain scoped to the actuator endpoints only: every such exchange
 * requires the {@code ENDPOINT_ADMIN} role, supplied via HTTP Basic.
 * @param http the {@link ServerHttpSecurity} to configure
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    http.securityMatcher(EndpointRequest.toAnyEndpoint());
    http.authorizeExchange()
        .anyExchange().hasRole("ENDPOINT_ADMIN");
    http.httpBasic();
    return http.build();
}
/**
 * Require a specific role. This is a shortcut for {@link #hasAuthority(String)}
 * with the role prefix applied (for example {@code "USER"} requires
 * {@code "ROLE_USER"}).
 * @param role the role name without its prefix
 * @return the {@link AuthorizeExchangeSpec} to continue configuring
 */
public AuthorizeExchangeSpec hasRole(String role) {
    ReactiveAuthorizationManager<AuthorizationContext> requireRole =
            AuthorityReactiveAuthorizationManager.hasRole(role);
    return access(requireRole);
}