Add WebFlux Redirect to HTTPS Reference

Fixes: gh-5869
2018-09-18 21:12:37 -05:00 · 2018-09-18 21:12:37 -05:00 · 501c008526
parent db9248e05a
commit 501c008526
4 changed files with 52 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -27,6 +27,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Function;

 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
@ -1473,6 +1474,22 @@ public class ServerHttpSecurity {
 			return this;
 		}

+		/**
+		 * Configures when this filter should redirect to https
+		 *
+		 * By default, the filter will redirect whenever an exchange's scheme is not https
+		 *
+		 * @param when determines when to redirect to https
+		 * @return the {@link HttpsRedirectSpec} for additional configuration
+		 */
+		public HttpsRedirectSpec httpsRedirectWhen(
+				Function<ServerWebExchange, Boolean> when) {
+			ServerWebExchangeMatcher matcher = e -> when.apply(e) ?
+					ServerWebExchangeMatcher.MatchResult.match() :
+					ServerWebExchangeMatcher.MatchResult.notMatch();
+			return httpsRedirectWhen(matcher);
+		}
+
 		/**
 		 * Configures a custom HTTPS port to redirect to
 		 *
--- a/docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc
@ -31,7 +31,7 @@ Below are the highlights of the release.
 ** <<webflux-headers-csp,Content Security Policy>>
 ** <<webflux-headers-feature,Feature Policy>>
 ** <<webflux-headers-referrer,Referrer Policy>>
-* Support for redirecting to HTTPS
+* <<webflux-redirect-https,Redirect to HTTPS>>

 === Integrations

--- a/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc
@ -4,6 +4,8 @@ include::webflux.adoc[leveloffset=+1]

 include::headers.adoc[leveloffset=+1]

+include::redirect-https.adoc[leveloffset=+1]
+
 include::oauth2/index.adoc[leveloffset=+1]

 include::registered-oauth2-authorized-client.adoc[leveloffset=+1]
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc
@ -0,0 +1,32 @@
+[[webflux-redirect-https]]
+= Redirect to HTTPS
+
+HTTPS is required to provide a secure application.
+Spring Security can be configured to perform a redirect to https using the following Java Configuration:
+
+[source,java]
+----
+@Bean
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+	http
+		// ...
+		.redirectToHttps();
+	return http.build();
+}
+----
+
+The configuration can easily be wrapped around an if statement to only be turned on in production.
+Alternatively, it can be enabled by looking for a property about the request that only happens in production.
+For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:
+
+[source,java]
+----
+@Bean
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+	http
+		// ...
+		.redirectToHttps()
+			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"));
+	return http.build();
+}
+----