/**
 * Assembles the reactive {@link SecurityWebFilterChain}.
 * <p>
 * The chain is intended to be stateless: {@link NoOpServerSecurityContextRepository}
 * stores nothing between requests, so each request must be authenticated on its own by
 * {@code tokenAuthenticationFilter()}, registered at the AUTHENTICATION position.
 * Form login and OAuth2 login are wired in by the helper methods called below; since
 * nothing persists the resulting context, those flows presumably hand a token back to
 * the client rather than relying on a session — TODO confirm against those helpers.
 * <p>
 * CSRF protection is disabled. That is only safe while the credential is carried in a
 * request header, never in a cookie; if the token is ever read from a cookie, CSRF must
 * be re-enabled. Logout is disabled as well, consistent with there being no server-side
 * session to invalidate.
 * <p>
 * NOTE(review): {@code cors()} is enabled with no configuration given here, so it relies
 * on a {@code CorsConfigurationSource} being registered elsewhere — verify one exists,
 * otherwise no CORS policy is applied.
 *
 * @param http the {@link ServerHttpSecurity} builder supplied by Spring Security
 * @return the built filter chain
 */
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    log.info("Configuring SecurityWebFilterChain ...");

    // Delegated configuration: form login, authorization rules, OAuth2 login.
    formLogin(http);
    authorizeExchange(http);
    oauth2Login(http);

    // Stateless: never persist the SecurityContext between requests.
    http.securityContextRepository(NoOpServerSecurityContextRepository.getInstance());

    // Custom responses for "authenticated but forbidden" and "not authenticated".
    http.exceptionHandling()
        .accessDeniedHandler(accessDeniedHandler())
        .authenticationEntryPoint(authenticationEntryPoint());

    http.cors();

    // No CSRF: authentication is header/token based, not cookie/session based (see Javadoc).
    http.csrf().disable();

    // Token authentication takes the standard authentication slot in the filter order.
    http.addFilterAt(tokenAuthenticationFilter(), SecurityWebFiltersOrder.AUTHENTICATION);

    http.logout().disable();

    return http.build();
}
/**
 * Verifies that a custom {@code ServerAccessDeniedHandler} replaces the default 403:
 * a request that authenticates but lacks ROLE_ADMIN is answered with the handler's
 * status (400 here) instead.
 * <p>
 * NOTE(review): the 400 assertion should also implicitly confirm that the
 * {@code user}/{@code password} credentials authenticate — a failed basic-auth
 * attempt would presumably be answered by the authentication entry point (401),
 * not by the access-denied handler. The credentials and their roles come from the
 * test fixture outside this method and are assumed to map to a non-admin user.
 */
@Test
public void customAccessDeniedHandler() {
    HttpStatus deniedStatus = HttpStatus.BAD_REQUEST;

    // Every exchange requires ROLE_ADMIN; denial is mapped to deniedStatus.
    // CSRF is disabled so only the authorization path is exercised (the request is a GET anyway).
    SecurityWebFilterChain chain = this.http
            .csrf().disable()
            .httpBasic().and()
            .authorizeExchange()
                .anyExchange().hasRole("ADMIN")
                .and()
            .exceptionHandling()
                .accessDeniedHandler(httpStatusServerAccessDeniedHandler(deniedStatus))
                .and()
            .build();

    WebTestClient testClient = WebTestClientBuilder
            .bindToWebFilters(chain)
            .build();

    // Authenticated as "user" (not an admin) -> access denied -> custom 400 instead of 403.
    testClient.get()
            .uri("/admin")
            .headers(h -> h.setBasicAuth("user", "password"))
            .exchange()
            .expectStatus().isBadRequest();
}