/**
 * Highest-precedence filter chain that rejects every exchange under {@code /api/**}.
 * <p>
 * Because this chain is ordered first and scoped by a security matcher, an /api request is
 * settled here and never reaches a later chain that might permit it. Requests outside the
 * prefix do not match this chain at all and fall through to the next one.
 * <p>
 * NOTE(review): a denyAll on a request with no authenticated principal is reported as 401 by the
 * default entry point (the sibling tests assert isUnauthorized for denied paths) — confirm that
 * is the intended client-facing status for the API prefix.
 */
@Order(Ordered.HIGHEST_PRECEDENCE)
@Bean
public SecurityWebFilterChain apiHttpSecurity(ServerHttpSecurity http) {
    // Restrict this chain to the API prefix; the matcher is the only thing that scopes it.
    PathPatternParserServerWebExchangeMatcher apiPrefix =
            new PathPatternParserServerWebExchangeMatcher("/api/**");
    http.securityMatcher(apiPrefix);
    // No rule precedes the catch-all, so every matched exchange is denied.
    http.authorizeExchange()
            .anyExchange()
            .denyAll();
    return http.build();
}
/**
 * Fallback filter chain: denies every exchange while still configuring a JWT resource server
 * that verifies bearer tokens against the key returned by {@code publicKey()}.
 * <p>
 * NOTE(review): with {@code anyExchange().denyAll()} no token, valid or otherwise, grants
 * access, so this reads as an authorization test fixture rather than a production chain —
 * confirm. Only the signature is checked via the configured public key; no issuer or audience
 * validator is wired in this block.
 *
 * @param http the builder to configure; the built chain is returned as the bean
 * @throws Exception propagated from {@code publicKey()} / the builder (declaration kept as-is)
 */
@Bean
SecurityWebFilterChain authorization(ServerHttpSecurity http) throws Exception {
    // @formatter:off
    // Authorization rule first: a single catch-all that denies everything.
    http.authorizeExchange()
            .anyExchange().denyAll();
    // Resource-server setup, equivalent to chaining through .and() on the same builder.
    http.oauth2ResourceServer()
            .jwt()
            .publicKey(publicKey());
    // @formatter:on
    return http.build();
}
}
/**
 * A method-qualified {@code pathMatchers(HttpMethod, patterns...)} must restrict only that
 * method: GET to /a and /b stays permitted while POST to the same paths is denied.
 */
@Test
public void antMatchersWhenMethodAndPatternsThenDiscriminatesByMethod() {
    this.http
        // CSRF is disabled so the POSTs reach the authorization rule instead of failing
        // earlier on a missing CSRF token, which would mask what this test checks.
        .csrf().disable()
        .authorizeExchange()
            .pathMatchers(HttpMethod.POST, "/a", "/b").denyAll()
            .anyExchange().permitAll();
    WebTestClient client = buildClient();
    String[] paths = {"/a", "/b"};
    // Same paths, other method: the POST-only rule must not apply.
    for (String path : paths) {
        client.get().uri(path).exchange().expectStatus().isOk();
    }
    // Denied with no authenticated principal surfaces as 401, not 403.
    for (String path : paths) {
        client.post().uri(path).exchange().expectStatus().isUnauthorized();
    }
}
/**
 * A {@code pathMatchers(patterns...)} rule without an HTTP method applies to every method:
 * both GET and POST to /a and /b are denied.
 */
@Test
public void antMatchersWhenPatternsThenAnyMethod() {
    this.http
        // CSRF is disabled so the POSTs are judged by the authorization rule, not by CSRF.
        .csrf().disable()
        .authorizeExchange()
            .pathMatchers("/a", "/b").denyAll()
            .anyExchange().permitAll();
    WebTestClient client = buildClient();
    String[] paths = {"/a", "/b"};
    // Denied with no authenticated principal surfaces as 401, not 403.
    for (String path : paths) {
        client.get().uri(path).exchange().expectStatus().isUnauthorized();
    }
    for (String path : paths) {
        client.post().uri(path).exchange().expectStatus().isUnauthorized();
    }
}
/**
 * Registering a matcher after {@code anyExchange()} is a configuration error: the catch-all is
 * terminal, so a later {@code pathMatchers} rule could never be consulted. The builder must
 * reject it eagerly rather than leave an unreachable rule sitting silently in the config.
 */
@Test(expected = IllegalStateException.class)
public void anyExchangeWhenFollowedByMatcherThenThrowsException() {
    ServerHttpSecurity.AuthorizeExchangeSpec afterCatchAll =
            this.http.authorizeExchange().anyExchange().denyAll();
    // Expected to throw: nothing may follow the catch-all rule.
    afterCatchAll.pathMatchers("/never-reached");
}