2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								[[jc-webflux]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								= WebFlux Security
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Spring Security's WebFlux support relies on a `WebFilter` and works the same for Spring WebFlux and Spring WebFlux.Fn.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								You can find a few sample applications that demonstrate the code below:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-06-21 09:56:05 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								* Hello WebFlux {gh-samples-url}/reactive/webflux/java/hello-security[hellowebflux]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								* Hello WebFlux.Fn {gh-samples-url}/reactive/webflux-fn/hello-security[hellowebfluxfn]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								* Hello WebFlux Method {gh-samples-url}/reactive/webflux/java/method[hellowebflux-method]
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								== Minimal WebFlux Security Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								You can find a minimal WebFlux Security configuration below:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-04-08 14:57:25 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								.Minimal WebFlux Security Configuration
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2020-04-08 14:57:25 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								-----
							 
						 
					
						
							
								
									
										
										
										
											2019-10-28 15:08:38 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								@EnableWebFluxSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								public class HelloWebfluxSecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									public MapReactiveUserDetailsService userDetailsService() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
										UserDetails user = User.withDefaultPasswordEncoder()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.username("user")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.password("user")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.roles("USER")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.build();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
										return new MapReactiveUserDetailsService(user);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								-----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2020-04-08 14:57:25 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								-----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								@EnableWebFluxSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								class HelloWebfluxSecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    fun userDetailsService(): ReactiveUserDetailsService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        val userDetails = User.withDefaultPasswordEncoder()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .username("user")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .password("user")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .roles("USER")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .build()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        return MapReactiveUserDetailsService(userDetails)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								-----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2020-04-08 14:57:25 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								This configuration provides form and http basic authentication, sets up authorization to require an authenticated user for accessing any page, sets up a default log in page and a default log out page, sets up security related HTTP headers, CSRF protection, and more.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								== Explicit WebFlux Security Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								You can find an explicit version of the minimal WebFlux Security configuration below:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-04-08 14:57:25 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								.Explicit WebFlux Security Configuration
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2020-04-08 14:57:25 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								-----
							 
						 
					
						
							
								
									
										
										
										
											2019-10-28 15:08:38 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								@Configuration
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								@EnableWebFluxSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								public class HelloWebfluxSecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									public MapReactiveUserDetailsService userDetailsService() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
										UserDetails user = User.withDefaultPasswordEncoder()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.username("user")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.password("user")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.roles("USER")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.build();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
										return new MapReactiveUserDetailsService(user);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									@Bean
							 
						 
					
						
							
								
									
										
										
										
											2019-07-24 12:15:32 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
									public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
										http
							 
						 
					
						
							
								
									
										
										
										
											2020-01-10 13:10:36 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
											.authorizeExchange(exchanges -> exchanges
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											    .anyExchange().authenticated()
							 
						 
					
						
							
								
									
										
										
										
											2019-07-22 09:31:10 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
											)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.httpBasic(withDefaults())
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
											.formLogin(withDefaults());
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
										return http.build();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								-----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2020-04-08 14:57:25 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								-----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-26 15:56:47 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								import org.springframework.security.config.web.server.invoke
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-04-08 14:57:25 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								@Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								@EnableWebFluxSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								class HelloWebfluxSecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    fun userDetailsService(): ReactiveUserDetailsService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        val userDetails = User.withDefaultPasswordEncoder()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .username("user")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .password("user")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .roles("USER")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .build()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        return MapReactiveUserDetailsService(userDetails)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        return http {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            authorizeExchange {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                authorize(anyExchange, authenticated)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            formLogin { }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            httpBasic { }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								-----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2020-04-08 14:57:25 -04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-26 15:56:47 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Make sure that you import the `invoke` function in your Kotlin class, sometimes the IDE will not auto-import it causing compilation issues.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2018-09-11 21:01:07 -05:00 
										
									 
								 
							 
							
								
							 
							
								 
							
							
								This configuration explicitly sets up all the same things as our minimal configuration.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								From here you can easily make the changes to the defaults.
							 
						 
					
						
							
								
									
										
										
										
											2020-10-27 11:44:40 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-10-29 10:33:35 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								You can find more examples of explicit configuration in unit tests, by searching https://github.com/spring-projects/spring-security/search?q=path%3Aconfig%2Fsrc%2Ftest%2F+EnableWebFluxSecurity[EnableWebFluxSecurity in the `config/src/test/` directory].
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								[[jc-webflux-multiple-filter-chains]]
							 
						 
					
						
							
								
									
										
										
										
											2020-11-02 12:15:19 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								=== Multiple Chains Support
							 
						 
					
						
							
								
									
										
										
										
											2020-10-29 10:33:35 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-09-15 13:34:38 +04:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								You can configure multiple `SecurityWebFilterChain` instances to separate configuration by ``RequestMatcher``s.
							 
						 
					
						
							
								
									
										
										
										
											2020-10-29 10:33:35 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-11-02 12:15:19 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								For example, you can isolate configuration for URLs that start with `/api`, like so:
							 
						 
					
						
							
								
									
										
										
										
											2020-10-29 10:33:35 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-24 11:49:13 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2020-10-29 10:33:35 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2020-11-02 12:15:19 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								@Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								@EnableWebFluxSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								static class MultiSecurityHttpConfig {
							 
						 
					
						
							
								
									
										
										
										
											2020-10-29 10:33:35 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-11-02 12:15:19 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    @Order(Ordered.HIGHEST_PRECEDENCE)                                                      <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    SecurityWebFilterChain apiHttpSecurity(ServerHttpSecurity http) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        http
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            .securityMatcher(new PathPatternParserServerWebExchangeMatcher("/api/**"))      <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            .authorizeExchange((exchanges) -> exchanges
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .anyExchange().authenticated()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            )
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            .oauth2ResourceServer(OAuth2ResourceServerSpec::jwt);                           <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        return http.build();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2020-10-29 10:33:35 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-11-02 12:15:19 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    SecurityWebFilterChain webHttpSecurity(ServerHttpSecurity http) {                       <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        http
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            .authorizeExchange((exchanges) -> exchanges
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                .anyExchange().authenticated()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            )
							 
						 
					
						
							
								
									
										
										
										
											2021-06-17 15:39:33 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								            .httpBasic(withDefaults());                                                     <5>
							 
						 
					
						
							
								
									
										
										
										
											2020-11-02 12:15:19 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								        return http.build();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    ReactiveUserDetailsService userDetailsService() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        return new MapReactiveUserDetailsService(
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                PasswordEncodedUser.user(), PasswordEncodedUser.admin());
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2020-10-29 10:33:35 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-24 11:49:13 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-26 15:56:47 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								import org.springframework.security.config.web.server.invoke
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-06-24 11:49:13 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								@Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								@EnableWebFluxSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								open class MultiSecurityHttpConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Order(Ordered.HIGHEST_PRECEDENCE)                                                      <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    open fun apiHttpSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        return http {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            securityMatcher(PathPatternParserServerWebExchangeMatcher("/api/**"))           <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            authorizeExchange {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                authorize(anyExchange, authenticated)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            oauth2ResourceServer {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                jwt { }                                                                     <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    open fun webHttpSecurity(http: ServerHttpSecurity): SecurityWebFilterChain {            <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        return http {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            authorizeExchange {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								                authorize(anyExchange, authenticated)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            httpBasic { }                                                                   <5>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    open fun userDetailsService(): ReactiveUserDetailsService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        return MapReactiveUserDetailsService(
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								            PasswordEncodedUser.user(), PasswordEncodedUser.admin()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								        )
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-06-24 11:49:13 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-11-02 12:15:19 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								<1> Configure a `SecurityWebFilterChain` with an `@Order` to specify which `SecurityWebFilterChain` Spring Security should consider first
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								<2> Use `PathPatternParserServerWebExchangeMatcher` to state that this `SecurityWebFilterChain` will only apply to URL paths that start with `/api/`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								<3> Specify the authentication mechanisms that will be used for `/api/**` endpoints
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								<4> Create another instance of `SecurityWebFilterChain` with lower precedence to match all other URLs
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								<5> Specify the authentication mechanisms that will be used for the rest of the application
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								Spring Security will select one `SecurityWebFilterChain` `@Bean` for each request.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								It will match the requests in order by the `securityMatcher` definition.
							 
						 
					
						
							
								
									
										
										
										
											2020-10-29 10:33:35 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2020-11-02 12:15:19 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
							
								In this case, that means that if the URL path starts with `/api`, then Spring Security will use `apiHttpSecurity`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
							
								If the URL does not start with `/api` then Spring Security will default to `webHttpSecurity`, which has an implied `securityMatcher` that matches any request.
							 
						 
					
						
							
								
									
										
										
										
											2020-10-27 11:44:40 +01:00