@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    // HTTP Basic is the only authentication mechanism enabled here.
    http.httpBasic();
    // Only /myapi/** demands an authenticated caller; every other exchange is
    // open, so any endpoint added outside /myapi/** is reachable anonymously
    // unless a rule is added in front of anyExchange().
    http.authorizeExchange()
            .pathMatchers("/myapi/**").authenticated()
            .anyExchange().permitAll();
    return http.build();
}
@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
    // @formatter:off
    // Authorization rules: /authenticated needs any principal; /unobtainable
    // needs an authority that, going by its name, nobody is expected to hold.
    // There is no anyExchange() rule, so how unlisted paths are treated is left
    // to the authorization manager's default for unmatched exchanges — confirm.
    http.authorizeExchange()
            .pathMatchers("/authenticated").authenticated()
            .pathMatchers("/unobtainable").hasAuthority("unobtainable");
    // JWT resource server validated against the locally supplied public key.
    // The 509/418 responses are deliberately unusual; presumably this is a test
    // configuration that needs to tell these handlers apart from the defaults.
    http.oauth2ResourceServer()
            .accessDeniedHandler(new HttpStatusServerAccessDeniedHandler(HttpStatus.BANDWIDTH_LIMIT_EXCEEDED))
            .authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.I_AM_A_TEAPOT))
            .jwt()
            .publicKey(publicKey());
    // @formatter:on
    return http.build();
}
} // closes the enclosing class, whose header lies outside this listing
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    ServerHttpSecurity.AuthorizeExchangeSpec authorize = http.authorizeExchange();
    // Reads of posts are anonymous.
    authorize.pathMatchers(HttpMethod.GET, "/posts/**").permitAll();
    //.pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")//replace this with method level constraints
    //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
    // With the DELETE rule above commented out, a DELETE on /posts/** only has
    // to be authenticated at the web layer; the ADMIN check now rests entirely
    // on the method-level constraints that comment refers to — confirm they exist.
    authorize.anyExchange().authenticated();
    return http.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    // Rules are consulted in declaration order; the first match decides.
    ServerHttpSecurity.AuthorizeExchangeSpec authorize = http.authorizeExchange();
    // Anyone may read posts.
    authorize.pathMatchers(HttpMethod.GET, "/posts/**").permitAll();
    // Only the ADMIN role may delete posts.
    authorize.pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN");
    //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
    // Everything else (including POST/PUT on /posts/**) needs an authenticated principal.
    authorize.anyExchange().authenticated();
    return http.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    final String posts = "/posts/**";
    // First matching rule wins: public reads, admin-only deletes, and an
    // authenticated principal for everything else.
    http.authorizeExchange()
            .pathMatchers(HttpMethod.GET, posts).permitAll()
            .pathMatchers(HttpMethod.DELETE, posts).hasRole("ADMIN")
            //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
            .anyExchange().authenticated();
    return http.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    // Builds the filter chain from a single authorizeExchange() block:
    //   GET    /posts/**  -> open to all
    //   DELETE /posts/**  -> ADMIN role only
    //   anything else     -> any authenticated principal
    ServerHttpSecurity configured = http
            .authorizeExchange()
                .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
                .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
                //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
                .anyExchange().authenticated()
            .and();
    return configured.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    ServerHttpSecurity.AuthorizeExchangeSpec rules = http.authorizeExchange();
    // Public read access to posts.
    rules.pathMatchers(HttpMethod.GET, "/posts/**").permitAll();
    // Deleting a post is reserved for the ADMIN role; declared before the
    // catch-all so it is not shadowed by the authenticated() rule below.
    rules.pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN");
    //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
    rules.anyExchange().authenticated();
    return http.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    final String posts = "/posts/**";
    ServerHttpSecurity.AuthorizeExchangeSpec authorize = http.authorizeExchange();
    // /posts/** is the only protected area: reads are public, deletes need the
    // ADMIN role, and any other method on it needs an authenticated principal.
    authorize.pathMatchers(HttpMethod.GET, posts).permitAll();
    authorize.pathMatchers(HttpMethod.DELETE, posts).hasRole("ADMIN");
    authorize.pathMatchers(posts).authenticated();
    //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
    // Everything outside /posts/** is open; a new endpoint elsewhere in the app
    // is anonymous by default until a rule for it is added above this line.
    authorize.anyExchange().permitAll();
    return http.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    final String postsPattern = "/posts/**";
    // Public reads, admin-only deletes, authenticication for the rest;
    // the order matters because the first matching rule is applied.
    http.authorizeExchange()
            .pathMatchers(HttpMethod.GET, postsPattern).permitAll()
            .pathMatchers(HttpMethod.DELETE, postsPattern).hasRole("ADMIN")
            //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
            .anyExchange().authenticated();
    return http.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    // Authorization policy for the application:
    // reads of posts are public, deletes need the ADMIN role, and any other
    // exchange requires an authenticated principal.
    ServerHttpSecurity secured = http
            .authorizeExchange()
                .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
                .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
                //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
                .anyExchange().authenticated()
            .and();
    return secured.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    ServerHttpSecurity.AuthorizeExchangeSpec authorize = http.authorizeExchange();
    // GET on posts is anonymous.
    authorize.pathMatchers(HttpMethod.GET, "/posts/**").permitAll();
    // DELETE on posts is limited to the ADMIN role.
    authorize.pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN");
    //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
    // Catch-all: every remaining exchange needs an authenticated principal.
    authorize.anyExchange().authenticated();
    return http.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    final String posts = "/posts/**";
    // Declaration order is evaluation order: the two method-specific rules on
    // /posts/** must come before the authenticated() catch-all.
    http.authorizeExchange()
            .pathMatchers(HttpMethod.GET, posts).permitAll()
            .pathMatchers(HttpMethod.DELETE, posts).hasRole("ADMIN")
            //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
            .anyExchange().authenticated();
    return http.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    // Security filter chain: public GET /posts/**, ADMIN-only DELETE /posts/**,
    // authentication required for everything else.
    ServerHttpSecurity configured = http
            .authorizeExchange()
                .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
                .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
                //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
                .anyExchange().authenticated()
            .and();
    return configured.build();
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    ServerHttpSecurity.AuthorizeExchangeSpec rules = http.authorizeExchange();
    // Anyone can read posts.
    rules.pathMatchers(HttpMethod.GET, "/posts/**").permitAll();
    // Only ADMIN can delete posts.
    rules.pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN");
    //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
    // All other exchanges require an authenticated principal.
    rules.anyExchange().authenticated();
    return http.build();
}
@Test
public void customLoginPage() {
    // Chain under test: /login is public, everything else needs authentication,
    // and form login is served from the custom /login page instead of the default.
    SecurityWebFilterChain chain = this.http
            .authorizeExchange()
                .pathMatchers("/login").permitAll()
                .anyExchange().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .and()
            .build();
    WebTestClient client = WebTestClient
            .bindToController(new CustomLoginPageController(), new WebTestClientBuilder.Http200RestController())
            .webFilter(new WebFilterChainProxy(chain))
            .build();
    WebDriver browser = WebTestClientHtmlUnitDriverBuilder
            .webTestClientSetup(client)
            .build();
    // Navigating to the home page while anonymous should land on the custom login page ...
    CustomLoginPage loginPage = HomePage.to(browser, CustomLoginPage.class).assertAt();
    // ... and a successful form login should arrive at the home page.
    HomePage home = loginPage.loginForm()
            .username("user")
            .password("password")
            .submit(HomePage.class);
    home.assertAt();
}
@Test
public void antMatchersWhenPatternsThenAnyMethod() {
    // A pathMatchers() rule without an HttpMethod applies to every method.
    // CSRF is disabled only so the POSTs below are judged by the authorization rule alone.
    this.http
            .csrf().disable()
            .authorizeExchange()
            .pathMatchers("/a", "/b").denyAll()
            .anyExchange().permitAll();
    WebTestClient client = buildClient();
    String[] deniedPaths = {"/a", "/b"};
    // An anonymous caller hitting denyAll is expected to get 401 here
    // (presumably the authentication entry point is invoked rather than a 403).
    for (String path : deniedPaths) {
        client.get().uri(path).exchange().expectStatus().isUnauthorized();
    }
    for (String path : deniedPaths) {
        client.post().uri(path).exchange().expectStatus().isUnauthorized();
    }
}
@Test
public void antMatchersWhenMethodAndPatternsThenDiscriminatesByMethod() {
    // The denyAll rule is bound to POST only; GET on the same paths falls
    // through to anyExchange().permitAll().
    this.http
            .csrf().disable()
            .authorizeExchange()
            .pathMatchers(HttpMethod.POST, "/a", "/b").denyAll()
            .anyExchange().permitAll();
    WebTestClient client = buildClient();
    String[] paths = {"/a", "/b"};
    for (String path : paths) {
        client.get().uri(path).exchange().expectStatus().isOk();
    }
    for (String path : paths) {
        client.post().uri(path).exchange().expectStatus().isUnauthorized();
    }
}
@Test(expected = IllegalStateException.class)
public void antMatchersWhenNoAccessAndAnotherMatcherThenThrowsException() {
    // First matcher is left without an access rule ...
    this.http
            .authorizeExchange()
            .pathMatchers("/incomplete");
    // ... so declaring a second matcher must fail fast with IllegalStateException
    // instead of silently producing a rule with no decision attached.
    this.http
            .authorizeExchange()
            .pathMatchers("/throws-exception");
}
@Test(expected = IllegalStateException.class)
public void buildWhenMatcherDefinedWithNoAccessThenThrowsException() {
    // A matcher with no access rule is an incomplete configuration; build()
    // is expected to reject it rather than emit a chain with an unspecified decision.
    this.http
            .authorizeExchange()
            .pathMatchers("/incomplete");
    this.http.build();
}
@Test(expected = IllegalStateException.class)
public void anyExchangeWhenFollowedByMatcherThenThrowsException() {
    // anyExchange() matches everything, so a matcher declared after it could
    // never be reached; the DSL is expected to refuse it with IllegalStateException.
    this.http
            .authorizeExchange()
            .anyExchange().denyAll()
            .pathMatchers("/never-reached");
}