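/**
 * Security chain that enforces nothing: every exchange is permitted and CSRF protection is
 * disabled, so the only effect of this bean is that Spring Security's filter is present without
 * any access decision. Suitable for a demo or test context; confirm that is the intent before
 * using it in a deployed profile.
 *
 * <p>{@code throws Exception} was dropped from the signature: none of the builder calls throws a
 * checked exception.
 *
 * @param http the {@link ServerHttpSecurity} builder provided by Spring Security
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    return http.authorizeExchange()
            .anyExchange().permitAll()
            .and()
            .csrf().disable()
            .build();
}
}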
this.csrf.configure(this);
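/**
 * When CSRF is enabled, the built chain must hand the configured token repository to the
 * {@link CsrfWebFilter} and must register {@link CsrfServerLogoutHandler} behind the
 * {@link SecurityContextServerLogoutHandler} in the logout delegate list. The test checks the
 * presence and order of the handlers only, not what they do on logout.
 */
@Test
public void csrfServerLogoutHandlerAppliedIfCsrfIsEnabled() {
    SecurityWebFilterChain chain = this.http.csrf()
            .csrfTokenRepository(this.csrfTokenRepository)
            .and()
            .build();

    // The repository passed to the spec must be the one the filter ends up with.
    Optional<Object> tokenRepository = getWebFilter(chain, CsrfWebFilter.class)
            .map(csrfWebFilter -> ReflectionTestUtils.getField(csrfWebFilter, "csrfTokenRepository"));
    assertThat(tokenRepository).get().isEqualTo(this.csrfTokenRepository);

    Optional<ServerLogoutHandler> logoutHandler = getWebFilter(chain, LogoutWebFilter.class)
            .map(logoutWebFilter -> (ServerLogoutHandler) ReflectionTestUtils.getField(logoutWebFilter, LogoutWebFilter.class, "logoutHandler"));
    assertThat(logoutHandler).get().isExactlyInstanceOf(DelegatingServerLogoutHandler.class);

    // "delegates" is read reflectively, so the compiler cannot verify its element type.
    @SuppressWarnings("unchecked")
    List<ServerLogoutHandler> delegates = (List<ServerLogoutHandler>) ReflectionTestUtils.getField(logoutHandler.get(), DelegatingServerLogoutHandler.class, "delegates");
    List<?> delegateTypes = delegates.stream()
            .map(ServerLogoutHandler::getClass)
            .collect(Collectors.toList());
    assertThat(delegateTypes).isEqualTo(Arrays.asList(SecurityContextServerLogoutHandler.class, CsrfServerLogoutHandler.class));
}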
this.csrf.configure(this);
this.csrf = new CsrfSpec();
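/**
 * Security chain for the posts API.
 *
 * <p>Authentication is HTTP Basic, with the resulting security context stored by a
 * {@link WebSessionServerSecurityContextRepository}. Authorization rules, first match wins:
 * {@code GET /posts/**} is open; {@code DELETE /posts/**} needs role {@code ADMIN}; any other
 * {@code /posts/**} request and all of {@code /auth/**} need an authenticated user;
 * {@code /users/{user}/**} is decided by {@link #currentUserMatchesPath}; everything else is
 * permitted.
 *
 * <p>CSRF protection is disabled. NOTE(review): because the security context lives in the web
 * session, a browser attaches the session cookie automatically on cross-site requests, which is
 * the case CSRF protection exists to cover; the state-changing routes above would then be
 * reachable from a foreign origin by a logged-in user. Keep it disabled only if browsers are not
 * expected clients — confirm before relying on this.
 *
 * <p>{@code throws Exception} was dropped: none of the builder calls throws a checked exception.
 *
 * @param http the {@link ServerHttpSecurity} builder provided by Spring Security
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    //@formatter:off
    return http
        .csrf().disable()
        .httpBasic().securityContextRepository(new WebSessionServerSecurityContextRepository())
        .and()
        .authorizeExchange()
            .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
            .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
            .pathMatchers("/posts/**").authenticated()
            .pathMatchers("/auth/**").authenticated()
            .pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
            .anyExchange().permitAll()
        .and()
        .build();
    //@formatter:on
}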
/**
 * Assembles the application's {@link SecurityWebFilterChain}.
 *
 * <p>Form login, exchange authorization and OAuth2 login are applied by the sibling helpers
 * (bodies not shown here); this method wires the stateless parts: no persisted security context
 * ({@link NoOpServerSecurityContextRepository}), custom access-denied and entry-point handlers,
 * CORS, the token authentication filter at {@link SecurityWebFiltersOrder#AUTHENTICATION}, and
 * logout disabled.
 *
 * <p>CSRF protection is disabled. That is consistent with a scheme where authentication is carried
 * in a per-request token that the browser does not send automatically; it holds only as long as
 * {@code tokenAuthenticationFilter()} never authenticates from a cookie — confirm there.
 * {@code cors()} is enabled without inline settings, so the allowed origins come from the CORS
 * configuration available in the application context (not visible here).
 *
 * @param http the {@link ServerHttpSecurity} builder provided by Spring Security
 * @return the built {@link SecurityWebFilterChain}
 */
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    log.info("Configuring SecurityWebFilterChain ...");
    formLogin(http);
    authorizeExchange(http);
    oauth2Login(http);
    http.securityContextRepository(NoOpServerSecurityContextRepository.getInstance());
    http.exceptionHandling()
            .accessDeniedHandler(accessDeniedHandler())
            .authenticationEntryPoint(authenticationEntryPoint());
    http.cors();
    http.csrf().disable();
    http.addFilterAt(tokenAuthenticationFilter(), SecurityWebFiltersOrder.AUTHENTICATION);
    http.logout().disable();
    return http.build();
}
/**
 * Security chain for the proxy endpoint: HTTP Basic authentication, {@code /proxy} requires an
 * authenticated caller, every other exchange is permitted.
 *
 * <p>CSRF protection is disabled. No session-backed security context repository is configured in
 * this block, so presumably credentials arrive on every request; if a session repository is ever
 * added, revisit this decision.
 *
 * @param http the {@link ServerHttpSecurity} builder provided by Spring Security
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
SecurityWebFilterChain authorization(ServerHttpSecurity http) {
    return http.httpBasic().and()
            .csrf().disable()
            .authorizeExchange()
                .pathMatchers("/proxy").authenticated()
                .anyExchange().permitAll()
            .and()
            .build();
}
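/**
 * Security chain with HTTP Basic authentication: {@code /anything/**} requires an authenticated
 * caller, every other exchange is permitted, CSRF protection is disabled.
 *
 * <p>No session-backed security context repository is configured here, so presumably
 * credentials are sent with each request; CSRF-disabled is reasonable only while that stays true.
 * {@code throws Exception} was dropped: none of the builder calls throws a checked exception.
 *
 * @param http the {@link ServerHttpSecurity} builder provided by Spring Security
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    http.httpBasic();
    http.csrf().disable();
    http.authorizeExchange()
            .pathMatchers("/anything/**").authenticated()
            .anyExchange().permitAll();
    return http.build();
}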
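/**
 * Security chain where everything requires an authenticated (HTTP Basic) caller except static
 * webjars and the actuator.
 *
 * <p>NOTE(review): {@code /actuator/**} is permitted anonymously, which opens every management
 * endpoint that is exposed over the web, not only the health check. Confirm the exposed set is
 * limited to non-sensitive endpoints, or narrow the matcher to the endpoints that genuinely need
 * to be unauthenticated. CSRF protection is disabled; {@code throws Exception} was dropped since
 * none of the builder calls throws a checked exception.
 *
 * @param http the {@link ServerHttpSecurity} builder provided by Spring Security
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
public SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    return http.csrf().disable()
            .authorizeExchange()
                .pathMatchers("/webjars/**", "/actuator/**").permitAll()
                .anyExchange().authenticated()
            .and()
            .httpBasic()
            .and()
            .build();
}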
/**
 * Narrows the CSRF protection matcher so that bearer-token requests are exempt.
 *
 * <p>Nothing happens when the CSRF spec is absent or the application already chose its own
 * matcher ({@code specifiedRequireCsrfProtectionMatcher}); an explicit choice always wins.
 * Otherwise the installed matcher requires CSRF protection for exchanges that match
 * {@link CsrfWebFilter#DEFAULT_CSRF_MATCHER} and do not match the bearer-token matcher. The
 * rationale, presumably, is that a bearer token is not attached automatically by a browser the
 * way a session cookie is, so such requests do not need a CSRF token, while cookie-authenticated
 * requests keep full protection.
 *
 * @param http the builder whose CSRF spec is adjusted in place
 */
private void registerDefaultCsrfOverride(ServerHttpSecurity http) {
    if (http.csrf == null || http.csrf.specifiedRequireCsrfProtectionMatcher) {
        return;
    }
    ServerWebExchangeMatcher notBearerToken = new NegatedServerWebExchangeMatcher(this.bearerTokenServerWebExchangeMatcher);
    ServerWebExchangeMatcher defaultExceptBearer = new AndServerWebExchangeMatcher(CsrfWebFilter.DEFAULT_CSRF_MATCHER, notBearerToken);
    http.csrf().requireCsrfProtectionMatcher(defaultExceptBearer);
}
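/**
 * Security chain for the posts API: {@code GET /posts/**} is open, {@code DELETE /posts/**}
 * needs role {@code ADMIN}, other {@code /posts/**} requests need an authenticated user, and
 * everything else is permitted. CSRF protection is disabled.
 *
 * <p>NOTE(review): the per-user rule for {@code /users/{user}/**} is commented out below; until
 * it is restored, those paths fall through to {@code anyExchange().permitAll()} and are open to
 * everyone. {@code throws Exception} was dropped: none of the builder calls throws a checked
 * exception.
 *
 * @param http the {@link ServerHttpSecurity} builder provided by Spring Security
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    return http
        .authorizeExchange()
            .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
            .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
            .pathMatchers("/posts/**").authenticated()
            // Disabled ownership check; while it is off, /users/{user}/** is governed only by
            // the anyExchange().permitAll() rule that follows.
            //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
            .anyExchange().permitAll()
        .and()
        .csrf().disable()
        .build();
}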
this.csrf.configure(this);
this.csrf = new CsrfSpec();
/**
 * Installs a CSRF protection matcher that exempts bearer-token requests, unless the application
 * configured its own matcher.
 *
 * <p>Guarded by {@code http.csrf != null} (CSRF spec present) and
 * {@code !specifiedRequireCsrfProtectionMatcher} (no explicit matcher). The resulting matcher is
 * {@link CsrfWebFilter#DEFAULT_CSRF_MATCHER} AND NOT the bearer-token matcher, so
 * cookie/session-authenticated exchanges keep CSRF protection while requests that present a
 * bearer token are not required to carry a CSRF token as well — presumably because a browser does
 * not attach such a token automatically.
 *
 * @param http the builder whose CSRF spec is adjusted in place
 */
private void registerDefaultCsrfOverride(ServerHttpSecurity http) {
    boolean csrfConfigured = http.csrf != null;
    if (!csrfConfigured || http.csrf.specifiedRequireCsrfProtectionMatcher) {
        return;
    }
    ServerWebExchangeMatcher excludeBearer = new NegatedServerWebExchangeMatcher(this.bearerTokenServerWebExchangeMatcher);
    http.csrf().requireCsrfProtectionMatcher(
            new AndServerWebExchangeMatcher(CsrfWebFilter.DEFAULT_CSRF_MATCHER, excludeBearer));
}
/**
 * Security chain that requires role {@code ADMIN} on every exchange, authenticated via HTTP
 * Basic, with CSRF protection disabled.
 *
 * <p>No session-backed security context repository is configured in this block, so presumably
 * credentials are presented on each request; revisit the CSRF decision if that changes.
 *
 * @param http the {@link ServerHttpSecurity} builder provided by Spring Security
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
public SecurityWebFilterChain reactiveSpringSecurityFilterChain(ServerHttpSecurity http) {
    http.csrf().disable();
    http.httpBasic();
    http.authorizeExchange().anyExchange().hasRole("ADMIN");
    return http.build();
}
this.csrf = new CsrfSpec();
/**
 * A {@code pathMatchers(HttpMethod, ...)} rule must apply only to the named method: with
 * {@code POST /a} and {@code POST /b} denied, GET on the same paths stays permitted while POST
 * is rejected as unauthorized (the client sends no credentials).
 */
@Test
public void antMatchersWhenMethodAndPatternsThenDiscriminatesByMethod() {
    this.http.csrf().disable();
    this.http.authorizeExchange()
            .pathMatchers(HttpMethod.POST, "/a", "/b").denyAll()
            .anyExchange().permitAll();
    WebTestClient client = buildClient();
    for (String path : new String[] {"/a", "/b"}) {
        client.get().uri(path).exchange().expectStatus().isOk();
        client.post().uri(path).exchange().expectStatus().isUnauthorized();
    }
}
/**
 * A {@code pathMatchers(...)} rule without an HTTP method must apply to every method: with
 * {@code /a} and {@code /b} denied, both GET and POST on both paths are rejected as unauthorized
 * (the client sends no credentials).
 */
@Test
public void antMatchersWhenPatternsThenAnyMethod() {
    this.http.csrf().disable();
    this.http.authorizeExchange()
            .pathMatchers("/a", "/b").denyAll()
            .anyExchange().permitAll();
    WebTestClient client = buildClient();
    for (String path : new String[] {"/a", "/b"}) {
        client.get().uri(path).exchange().expectStatus().isUnauthorized();
        client.post().uri(path).exchange().expectStatus().isUnauthorized();
    }
}
/**
 * A custom {@code accessDeniedHandler} must be used when an authenticated user lacks the required
 * role: {@code user} authenticates via HTTP Basic but is not {@code ADMIN}, so the handler's
 * {@link HttpStatus#BAD_REQUEST} is returned instead of the default forbidden response.
 */
@Test
public void customAccessDeniedHandler() {
    this.http.csrf().disable();
    this.http.httpBasic();
    this.http.authorizeExchange().anyExchange().hasRole("ADMIN");
    this.http.exceptionHandling()
            .accessDeniedHandler(httpStatusServerAccessDeniedHandler(HttpStatus.BAD_REQUEST));
    SecurityWebFilterChain securityWebFilter = this.http.build();

    WebTestClient client = WebTestClientBuilder.bindToWebFilters(securityWebFilter).build();
    client.get()
            .uri("/admin")
            .headers(headers -> headers.setBasicAuth("user", "password"))
            .exchange()
            .expectStatus().isBadRequest();
}