Add WebFlux Redirect to HTTPS Reference

Fixes: gh-5869
2025-05-31 09:12:14 +00:00 · 2018-09-18 21:12:37 -05:00 · 2018-09-18 21:12:37 -05:00 · 501c008526
commit 501c008526
parent db9248e05a
4 changed files with 52 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -27,6 +27,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Function;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
@ -1473,6 +1474,22 @@ public class ServerHttpSecurity {
 			return this;
 		}
 		/**
 		 * Configures when this filter should redirect to https
 		 *
 		 * By default, the filter will redirect whenever an exchange's scheme is not https
 		 *
 		 * @param when determines when to redirect to https
 		 * @return the {@link HttpsRedirectSpec} for additional configuration
 		 */
 		public HttpsRedirectSpec httpsRedirectWhen(
 				Function<ServerWebExchange, Boolean> when) {
 			ServerWebExchangeMatcher matcher = e -> when.apply(e) ?
 					ServerWebExchangeMatcher.MatchResult.match() :
 					ServerWebExchangeMatcher.MatchResult.notMatch();
 			return httpsRedirectWhen(matcher);
 		}
 		/**
 		 * Configures a custom HTTPS port to redirect to
 		 *
--- a/docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc
@ -31,7 +31,7 @@ Below are the highlights of the release.
 ** <<webflux-headers-csp,Content Security Policy>>
 ** <<webflux-headers-feature,Feature Policy>>
 ** <<webflux-headers-referrer,Referrer Policy>>
-* Support for redirecting to HTTPS
+* <<webflux-redirect-https,Redirect to HTTPS>>
 === Integrations
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc
@ -4,6 +4,8 @@ include::webflux.adoc[leveloffset=+1]
 include::headers.adoc[leveloffset=+1]
 include::redirect-https.adoc[leveloffset=+1]
 include::oauth2/index.adoc[leveloffset=+1]
 include::registered-oauth2-authorized-client.adoc[leveloffset=+1]
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc
@ -0,0 +1,32 @@
 [[webflux-redirect-https]]
 = Redirect to HTTPS
 HTTPS is required to provide a secure application.
 Spring Security can be configured to perform a redirect to https using the following Java Configuration:
 [source,java]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	http
 		// ...
 		.redirectToHttps();
 	return http.build();
 }
 ----
 The configuration can easily be wrapped around an if statement to only be turned on in production.
 Alternatively, it can be enabled by looking for a property about the request that only happens in production.
 For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:
 [source,java]
 ----
@Bean
 SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	http
 		// ...
 		.redirectToHttps()
 			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"));
 	return http.build();
 }
 ----