/**
 * Builds the application's {@link SecurityWebFilterChain}.
 *
 * <p>The chain is stateless: no security context is persisted between requests
 * ({@link NoOpServerSecurityContextRepository}), so every request has to carry its own
 * credentials, which the filter returned by {@code tokenAuthenticationFilter()} (registered at
 * the {@code AUTHENTICATION} position) is expected to validate. Form login, authorization rules
 * and OAuth2 login are delegated to the private configurers invoked at the top of the method.
 *
 * @param http the {@link ServerHttpSecurity} builder supplied by the framework
 * @return the assembled filter chain
 */
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    log.info("Configuring SecurityWebFilterChain ...");

    formLogin(http);          // form login
    authorizeExchange(http);  // authorization rules
    oauth2Login(http);        // OAuth2 login

    // Never store the authentication server-side; the token filter re-authenticates each request.
    http.securityContextRepository(NoOpServerSecurityContextRepository.getInstance());

    // Both failure paths are handled by the application's own handlers.
    http.exceptionHandling()
            .accessDeniedHandler(accessDeniedHandler())
            .authenticationEntryPoint(authenticationEntryPoint());

    // CORS is enabled with the spec's defaults (no source configured here). CSRF is switched off,
    // which is only safe while clients authenticate with a header-borne token rather than a
    // cookie — NOTE(review): confirm tokenAuthenticationFilter() does not read the token from a cookie.
    http.cors();
    http.csrf().disable();

    http.addFilterAt(tokenAuthenticationFilter(), SecurityWebFiltersOrder.AUTHENTICATION);

    // No server-side state to clear, so the logout endpoint is not exposed.
    http.logout().disable();

    return http.build();
}
/**
 * Configures exception handling (i.e. handles when authentication is requested). An example configuration can
 * be found below:
 *
 * <pre class="code">
 *  &#64;Bean
 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 *      http
 *          // ...
 *          .exceptionHandling()
 *              // customize how to request for authentication
 *              .authenticationEntryPoint(entryPoint);
 *      return http.build();
 *  }
 * </pre>
 *
 * <p>The spec is created lazily on first access and cached, so repeated calls return the same
 * instance.</p>
 *
 * @return the {@link ExceptionHandlingSpec} to customize
 */
public ExceptionHandlingSpec exceptionHandling() {
    ExceptionHandlingSpec spec = this.exceptionHandling;
    if (spec == null) {
        spec = new ExceptionHandlingSpec();
        this.exceptionHandling = spec;
    }
    return spec;
}
/**
 * Configures exception handling (i.e. handles when authentication is requested). An example configuration can
 * be found below:
 *
 * <pre class="code">
 *  &#64;Bean
 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 *      http
 *          // ...
 *          .exceptionHandling()
 *              // customize how to request for authentication
 *              .authenticationEntryPoint(entryPoint);
 *      return http.build();
 *  }
 * </pre>
 *
 * <p>The spec is created lazily on first access and cached, so repeated calls return the same
 * instance.</p>
 *
 * @return the {@link ExceptionHandlingSpec} to customize
 */
public ExceptionHandlingSpec exceptionHandling() {
    ExceptionHandlingSpec spec = this.exceptionHandling;
    if (spec == null) {
        spec = new ExceptionHandlingSpec();
        this.exceptionHandling = spec;
    }
    return spec;
}
/**
 * Configures exception handling (i.e. handles when authentication is requested). An example configuration can
 * be found below:
 *
 * <pre class="code">
 *  &#64;Bean
 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 *      http
 *          // ...
 *          .exceptionHandling()
 *              // customize how to request for authentication
 *              .authenticationEntryPoint(entryPoint);
 *      return http.build();
 *  }
 * </pre>
 *
 * <p>The spec is created lazily on first access and cached, so repeated calls return the same
 * instance.</p>
 *
 * @return the {@link ExceptionHandlingSpec} to customize
 */
public ExceptionHandlingSpec exceptionHandling() {
    ExceptionHandlingSpec spec = this.exceptionHandling;
    if (spec == null) {
        spec = new ExceptionHandlingSpec();
        this.exceptionHandling = spec;
    }
    return spec;
}
@Test
public void defaultAccessDeniedHandler() {
    // With no explicit accessDeniedHandler, an authenticated principal that lacks ROLE_ADMIN
    // gets the default 403. The "user" credentials are presumably provisioned by the test
    // fixture without that role — confirm against the class setup.
    SecurityWebFilterChain chain = this.http
            .httpBasic().and()
            .authorizeExchange().anyExchange().hasRole("ADMIN").and()
            .exceptionHandling().and()
            .csrf().disable()
            .build();

    WebTestClient webClient = WebTestClientBuilder.bindToWebFilters(chain).build();
    webClient.get().uri("/admin")
            .headers(h -> h.setBasicAuth("user", "password"))
            .exchange()
            .expectStatus().isForbidden();
}
@Test
public void customAccessDeniedHandler() {
    // A custom handler replaces the default 403: here an authorization failure is reported as 400,
    // which proves the configured handler, not the default, produced the response.
    SecurityWebFilterChain chain = this.http
            .httpBasic().and()
            .authorizeExchange().anyExchange().hasRole("ADMIN").and()
            .exceptionHandling()
                .accessDeniedHandler(httpStatusServerAccessDeniedHandler(HttpStatus.BAD_REQUEST))
                .and()
            .csrf().disable()
            .build();

    WebTestClient webClient = WebTestClientBuilder.bindToWebFilters(chain).build();
    webClient.get().uri("/admin")
            .headers(h -> h.setBasicAuth("user", "password"))
            .exchange()
            .expectStatus().isBadRequest();
}
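@Test
public void customAuthenticationEntryPoint() {
    // An unauthenticated request must be answered by the custom entry point, i.e. a redirect
    // to "/auth" rather than the default challenge.
    SecurityWebFilterChain chain = this.http
            .csrf().disable()
            .authorizeExchange().anyExchange().authenticated().and()
            .exceptionHandling()
                .authenticationEntryPoint(redirectServerAuthenticationEntryPoint("/auth"))
                .and()
            .build();

    WebTestClient webClient = WebTestClientBuilder.bindToWebFilters(chain).build();
    webClient.get().uri("/test")
            .exchange()
            .expectStatus().isFound()
            // Previously ".*", which accepted any Location at all; pin the redirect target.
            // The leading ".*" tolerates an absolute or context-prefixed form of the header.
            .expectHeader().valueMatches("Location", ".*/auth");
}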
@Test
public void defaultAuthenticationEntryPoint() {
    // With no entry point configured, an unauthenticated request is challenged with 401 and
    // a Basic WWW-Authenticate header.
    SecurityWebFilterChain chain = this.http
            .authorizeExchange().anyExchange().authenticated().and()
            .exceptionHandling().and()
            .csrf().disable()
            .build();

    WebTestClient webClient = WebTestClientBuilder.bindToWebFilters(chain).build();
    webClient.get().uri("/test")
            .exchange()
            .expectStatus().isUnauthorized()
            .expectHeader().valueMatches("WWW-Authenticate", "Basic.*");
}