diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc index ac75a121fd..b88e1af864 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc 
@@ -125,5 +125,60 @@ class HelloWebfluxSecurityConfig { This configuration explicitly sets up all the same things as our minimal configuration. From here you can easily make the changes to the defaults. -You can find more examples of explicit configuration in unit tests, by searching https://github.com/spring-projects/spring-security/search?q=path%3Aconfig%2Fsrc%2Ftest%2F+EnableWebFluxSecurity[EnableWebFluxSecurity in the `config/src/test/` directory], e.g. https://github.com/spring-projects/spring-security/blob/9cf3129d7afa2abb439aba6aadfee0a2c8c784bf/config/src/test/java/org/springframework/security/config/annotation/web/reactive/EnableWebFluxSecurityTests.java#L349-L366[MultiSecurityHttpConfig] illustrating multiple `SecurityWebFilterChain` beans. +You can find more examples of explicit configuration in unit tests, by searching https://github.com/spring-projects/spring-security/search?q=path%3Aconfig%2Fsrc%2Ftest%2F+EnableWebFluxSecurity[EnableWebFluxSecurity in the `config/src/test/` directory]. + +[[jc-webflux-multiple-filter-chains]] +=== Multiple chains support + +We can configure multiple `SecurityWebFilterChain` instances. + +For example, the following is an example of having a specific configuration for URL's that start with `/api/`. This overrides the form login configuration with lower precedence. 
+ +[source,java] +---- + @EnableWebFluxSecurity + @Import(ReactiveAuthenticationTestConfiguration.class) + static class MultiSecurityHttpConfig { + + @Order(Ordered.HIGHEST_PRECEDENCE) <1> + @Bean + SecurityWebFilterChain apiHttpSecurity(ServerHttpSecurity http) { + http + .securityMatcher(new PathPatternParserServerWebExchangeMatcher("/api/**")) <2> + .authorizeExchange() + .anyExchange().denyAll(); + return http.build(); + } + + @Bean + SecurityWebFilterChain webFormHttpSecurity(ServerHttpSecurity http) { <3> + http + .authorizeExchange((exchanges) -> + exchanges + .pathMatchers("/login").permitAll() + .anyExchange().authenticated() + ) + .httpBasic(withDefaults()) + .formLogin((formLogin) -> <4> + formLogin + .loginPage("/login") + ); + return http.build(); + } + + @Bean + public static ReactiveUserDetailsService userDetailsService() { + return new MapReactiveUserDetailsService(PasswordEncodedUser.user(), PasswordEncodedUser.admin()); + } + + } + +---- + +<1> Configure a SecurityWebFilterChain with an `@Order` to specify which `SecurityWebFilterChain` should be considered first +<2> The `PathPatternParserServerWebExchangeMatcher` states that this `SecurityWebFilterChain` will only be applicable to URLs that start with `/api/` +<3> Create another instance of `SecurityWebFilterChain` with lower precedence. +<4> Some configurations applies to all path matchers within the `webFormHttpSecurity` but not to `apiHttpSecurity` `SecurityWebFilterChain`. + +If the URL does not start with `/api/` the `webFormHttpSecurity` configuration will be used.
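Review bot: The sample under "Multiple chains support" is pasted from the unit test and still carries test-only fixtures: `@Import(ReactiveAuthenticationTestConfiguration.class)`, the `static class` modifier, and `PasswordEncodedUser.user()` / `PasswordEncodedUser.admin()` are not available to someone copying this from the reference manual. Drop the `@Import`, make it a plain top-level configuration class, and build the users with something a reader's project already has on the classpath. In the same block, `webFormHttpSecurity` has no `@Order` and no `securityMatcher`, so its role as the fallback rests on default bean ordering. Either annotate it explicitly or have callout <3> say that an unannotated chain is considered last, and state that a request is handled only by the first chain whose matcher applies. Callout <4> ("Some configurations applies to all path matchers ...") and the sentence "This overrides the form login configuration with lower precedence" are hard to parse; say directly that `httpBasic` and `formLogin` belong to `webFormHttpSecurity` only and are never applied to `/api/**` requests. Two smaller points: `apiHttpSecurity` uses the chained `.authorizeExchange().anyExchange().denyAll()` form while the second bean uses the lambda form, so pick one style for the docs, and "URL's" should be "URLs".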