@Test public void basicWithAnonymous() { given(this.authenticationManager.authenticate(any())).willReturn(Mono.just(new TestingAuthenticationToken("rob", "rob", "ROLE_USER", "ROLE_ADMIN"))); this.http.securityContextRepository(new WebSessionServerSecurityContextRepository()); this.http.httpBasic().and().anonymous(); this.http.authenticationManager(this.authenticationManager); ServerHttpSecurity.AuthorizeExchangeSpec authorize = this.http.authorizeExchange(); authorize.anyExchange().hasAuthority("ROLE_ADMIN"); WebTestClient client = buildClient(); EntityExchangeResult<String> result = client.get() .uri("/") .headers(headers -> headers.setBasicAuth("rob", "rob")) .exchange() .expectStatus().isOk() .expectHeader().valueMatches(HttpHeaders.CACHE_CONTROL, ".+") .expectBody(String.class).consumeWith(b -> assertThat(b.getResponseBody()).isEqualTo("ok")) .returnResult(); assertThat(result.getResponseCookies().getFirst("SESSION")).isNull(); }
@Bean SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) { return http.httpBasic().and() .authorizeExchange() .pathMatchers("/myapi/**").authenticated() .anyExchange().permitAll() .and() .build(); }
@Bean public SecurityWebFilterChain reactiveSpringSecurityFilterChain(ServerHttpSecurity http) { return http.authorizeExchange() .anyExchange().hasRole("ADMIN") .and() .httpBasic() .and() .csrf().disable() .build(); }
/** * The default {@link ServerHttpSecurity} configuration. * @param http * @return */ private SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http .authorizeExchange() .anyExchange().authenticated(); if (isOAuth2Present && OAuth2ClasspathGuard.shouldConfigure(this.context)) { OAuth2ClasspathGuard.configure(this.context, http); } else { http .httpBasic().and() .formLogin(); } SecurityWebFilterChain result = http.build(); return result; }
@Bean SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception { //@formatter:off return http .csrf().disable() .httpBasic().securityContextRepository(new WebSessionServerSecurityContextRepository()) .and() .authorizeExchange() .pathMatchers(HttpMethod.GET, "/posts/**").permitAll() .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN") .pathMatchers("/posts/**").authenticated() .pathMatchers("/auth/**").authenticated() .pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath) .anyExchange().permitAll() .and() .build(); //@formatter:on }
@Bean SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity http) { http .authorizeExchange() .pathMatchers("/favicon.ico", "/css/**", "/webjars/**") .permitAll() .anyExchange() .authenticated() .and() .httpBasic() .and() .formLogin() .and() .logout() ; return http.build(); }
@Bean SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception { return http.httpBasic().and() .csrf().disable() .authorizeExchange() .pathMatchers("/anything/**").authenticated() .anyExchange().permitAll() .and() .build(); }
@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.authorizeExchange() .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)) .permitAll().anyExchange().authenticated().and().httpBasic().and() .formLogin().and().build(); }
@Bean public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) { return http.securityMatcher(EndpointRequest.toAnyEndpoint()) .authorizeExchange() .anyExchange() .hasRole("ENDPOINT_ADMIN") .and().httpBasic() .and().build(); }
@Bean public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) { return http .authorizeExchange() .matchers(EndpointRequest.toAnyEndpoint() .excluding("prometheus")).authenticated() .anyExchange().permitAll().and() .formLogin().and() .httpBasic().and() .build(); }
/** * The default {@link ServerHttpSecurity} configuration. * @param http * @return */ private SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http .authorizeExchange() .anyExchange().authenticated(); if (isOAuth2Present && OAuth2ClasspathGuard.shouldConfigure(this.context)) { OAuth2ClasspathGuard.configure(this.context, http); } else { http .httpBasic().and() .formLogin(); } SecurityWebFilterChain result = http.build(); return result; }
/** * The default {@link ServerHttpSecurity} configuration. * @param http * @return */ private SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http .authorizeExchange() .anyExchange().authenticated(); if (isOAuth2Present && OAuth2ClasspathGuard.shouldConfigure(this.context)) { OAuth2ClasspathGuard.configure(this.context, http); } else { http .httpBasic().and() .formLogin(); } SecurityWebFilterChain result = http.build(); return result; }
@Test public void customAccessDeniedHandler() { SecurityWebFilterChain securityWebFilter = this.http .csrf().disable() .httpBasic().and() .authorizeExchange() .anyExchange().hasRole("ADMIN") .and() .exceptionHandling() .accessDeniedHandler(httpStatusServerAccessDeniedHandler(HttpStatus.BAD_REQUEST)) .and() .build(); WebTestClient client = WebTestClientBuilder .bindToWebFilters(securityWebFilter) .build(); client .get() .uri("/admin") .headers(headers -> headers.setBasicAuth("user", "password")) .exchange() .expectStatus().isBadRequest(); }
@Test public void defaultAccessDeniedHandler() { SecurityWebFilterChain securityWebFilter = this.http .csrf().disable() .httpBasic().and() .authorizeExchange() .anyExchange().hasRole("ADMIN") .and() .exceptionHandling() .and() .build(); WebTestClient client = WebTestClientBuilder .bindToWebFilters(securityWebFilter) .build(); client .get() .uri("/admin") .headers(headers -> headers.setBasicAuth("user", "password")) .exchange() .expectStatus().isForbidden(); }