/**
 * With no explicit entry point configured, an unauthenticated request to a
 * protected path must be rejected with 401 and a {@code WWW-Authenticate}
 * header announcing the Basic scheme.
 */
@Test
public void defaultAuthenticationEntryPoint() {
	ServerHttpSecurity security = this.http;
	security.csrf().disable();
	security.authorizeExchange().anyExchange().authenticated();
	// Enable exception handling without customising the entry point.
	security.exceptionHandling();
	SecurityWebFilterChain chain = security.build();

	WebTestClient webClient = WebTestClientBuilder.bindToWebFilters(chain).build();

	WebTestClient.ResponseSpec response = webClient.get().uri("/test").exchange();
	response.expectStatus().isUnauthorized();
	response.expectHeader().valueMatches("WWW-Authenticate", "Basic.*");
}
/**
 * With no explicit access denied handler configured, an authenticated user
 * lacking the required role must receive 403.
 */
@Test
public void defaultAccessDeniedHandler() {
	ServerHttpSecurity security = this.http;
	security.csrf().disable();
	security.httpBasic();
	security.authorizeExchange().anyExchange().hasRole("ADMIN");
	// Enable exception handling without customising the access denied handler.
	security.exceptionHandling();
	SecurityWebFilterChain chain = security.build();

	WebTestClient webClient = WebTestClientBuilder.bindToWebFilters(chain).build();

	// Credentials are valid but the user is expected not to hold ROLE_ADMIN.
	WebTestClient.ResponseSpec response = webClient.get()
			.uri("/admin")
			.headers(headers -> headers.setBasicAuth("user", "password"))
			.exchange();
	response.expectStatus().isForbidden();
}
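/**
 * A custom redirecting entry point must turn an unauthenticated request into
 * a 302 whose {@code Location} points at the configured login path.
 *
 * <p>The {@code Location} assertion checks for the configured {@code /auth}
 * path rather than accepting any value, so a misconfigured entry point that
 * redirects elsewhere is caught.
 */
@Test
public void customAuthenticationEntryPoint() {
	ServerHttpSecurity security = this.http;
	security.csrf().disable();
	security.authorizeExchange().anyExchange().authenticated();
	security.exceptionHandling()
			.authenticationEntryPoint(redirectServerAuthenticationEntryPoint("/auth"));
	SecurityWebFilterChain chain = security.build();

	WebTestClient webClient = WebTestClientBuilder.bindToWebFilters(chain).build();

	WebTestClient.ResponseSpec response = webClient.get().uri("/test").exchange();
	response.expectStatus().isFound();
	// Accept either a relative or an absolute redirect, as long as it targets /auth.
	response.expectHeader().valueMatches("Location", ".*/auth");
}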
/**
 * A custom access denied handler must be used in place of the default 403
 * response; here it is configured to answer with 400.
 */
@Test
public void customAccessDeniedHandler() {
	ServerHttpSecurity security = this.http;
	security.csrf().disable();
	security.httpBasic();
	security.authorizeExchange().anyExchange().hasRole("ADMIN");
	security.exceptionHandling()
			.accessDeniedHandler(httpStatusServerAccessDeniedHandler(HttpStatus.BAD_REQUEST));
	SecurityWebFilterChain chain = security.build();

	WebTestClient webClient = WebTestClientBuilder.bindToWebFilters(chain).build();

	// Credentials are valid but the user is expected not to hold ROLE_ADMIN.
	WebTestClient.ResponseSpec response = webClient.get()
			.uri("/admin")
			.headers(headers -> headers.setBasicAuth("user", "password"))
			.exchange();
	response.expectStatus().isBadRequest();
}
/**
 * Builds the application's {@link SecurityWebFilterChain}.
 *
 * <p>Form login, authorization rules and OAuth2 login are delegated to helper
 * methods; this method wires the remaining cross-cutting pieces: a
 * non-persisting security context, the custom exception handlers, CORS, and
 * the token authentication filter.
 *
 * @param http the builder supplied by Spring Security
 * @return the assembled filter chain
 */
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	log.info("Configuring SecurityWebFilterChain ...");

	formLogin(http);           // form login
	authorizeExchange(http);   // authorization rules
	oauth2Login(http);         // OAuth2 login

	// No security context is stored between requests, so every request is
	// expected to be (re)authenticated by the token filter registered below.
	http.securityContextRepository(NoOpServerSecurityContextRepository.getInstance());

	http.exceptionHandling()
			.accessDeniedHandler(accessDeniedHandler())
			.authenticationEntryPoint(authenticationEntryPoint());

	http.cors();

	// CSRF protection is disabled. NOTE(review): this is only safe while
	// authentication never relies on browser-sent cookies — confirm the token
	// filter reads a header rather than a cookie, and that formLogin(http)
	// does not establish a cookie-backed session.
	http.csrf().disable();

	http.addFilterAt(tokenAuthenticationFilter(), SecurityWebFiltersOrder.AUTHENTICATION);

	http.logout().disable();

	return http.build();
}