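/**
 * Registers the CORS filter on the given security builder when one is available.
 *
 * <p>The filter is obtained from {@code getCorsFilter()} and added at the
 * {@link SecurityWebFiltersOrder#CORS} position. When no filter is returned,
 * nothing is registered.
 *
 * @param http the {@link ServerHttpSecurity} the filter is added to
 */
protected void configure(ServerHttpSecurity http) {
    CorsWebFilter corsFilter = getCorsFilter();
    if (corsFilter == null) {
        // No CORS filter could be resolved, so none is placed in the chain.
        return;
    }
    // Register the instance that was just null-checked instead of re-reading the
    // field: getCorsFilter() is not visible here, so nothing on this page
    // guarantees that the field and the returned value are the same object.
    http.addFilterAt(corsFilter, SecurityWebFiltersOrder.CORS);
}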
/**
 * Gives access to the configuration of the {@code Strict-Transport-Security}
 * (HSTS) response header.
 *
 * <p>A new {@link HstsSpec} is created on every call.
 *
 * @return the {@link HstsSpec} to configure
 */
public HstsSpec hsts() {
    HstsSpec spec = new HstsSpec();
    return spec;
}
/**
 * Gives access to the configuration of the {@code Referrer-Policy} response header.
 *
 * <p>A new {@link ReferrerPolicySpec} is created on every call.
 *
 * @return the {@link ReferrerPolicySpec} to configure
 */
public ReferrerPolicySpec referrerPolicy() {
    ReferrerPolicySpec spec = new ReferrerPolicySpec();
    return spec;
}
/**
 * Builds a filter chain in which every exchange requires an authenticated user
 * and OAuth 2.0 login uses the authentication converter and authentication
 * manager supplied by this configuration.
 *
 * @param http the security builder to configure
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
public SecurityWebFilterChain springSecurityFilter(ServerHttpSecurity http) {
    // @formatter:off
    // Access rule: no exchange is served without authentication.
    ServerHttpSecurity secured = http
        .authorizeExchange()
            .anyExchange().authenticated()
            .and();
    // NOTE(review): both the converter and the manager are supplied by this
    // configuration; confirm they perform whatever validation of the login
    // response the application relies on.
    secured
        .oauth2Login()
            .authenticationConverter(authenticationConverter)
            .authenticationManager(authenticationManager());
    // @formatter:on
    SecurityWebFilterChain chain = http.build();
    return chain;
}
/**
 * Builds a resource-server filter chain in which every exchange requires the
 * {@code SCOPE_message:read} authority.
 *
 * <p>The bearer token is extracted by {@code bearerTokenAuthenticationConverter()}
 * and the JWT support is configured with the key returned by {@code publicKey()}.
 *
 * @param http the security builder to configure
 * @return the built {@link SecurityWebFilterChain}
 * @throws Exception declared by the signature; no visible call requires it
 */
@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
    // @formatter:off
    ServerHttpSecurity authorized = http
        .authorizeExchange()
            .anyExchange().hasAuthority("SCOPE_message:read")
            .and();
    // NOTE(review): the token converter is custom; confirm it reads the token
    // only from the locations the API intends to accept.
    authorized
        .oauth2ResourceServer()
            .bearerTokenConverter(bearerTokenAuthenticationConverter())
            .jwt()
                .publicKey(publicKey());
    // @formatter:on
    SecurityWebFilterChain chain = http.build();
    return chain;
}
/**
 * Builds a resource-server filter chain in which every exchange requires the
 * {@code message:read} authority, with authorities derived from the JWT by
 * {@code jwtAuthenticationConverter()}.
 *
 * @param http the security builder to configure
 * @return the built {@link SecurityWebFilterChain}
 * @throws Exception declared by the signature; no visible call requires it
 */
@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
    // @formatter:off
    // NOTE(review): the authority is written without a "SCOPE_" prefix, so it
    // has to match exactly what jwtAuthenticationConverter() emits; verify
    // against that converter, otherwise this rule would match no token.
    ServerHttpSecurity authorized = http
        .authorizeExchange()
            .anyExchange().hasAuthority("message:read")
            .and();
    authorized
        .oauth2ResourceServer()
            .jwt()
                .jwtAuthenticationConverter(jwtAuthenticationConverter())
                .publicKey(publicKey());
    // @formatter:on
    SecurityWebFilterChain chain = http.build();
    return chain;
}
/**
 * Builds a resource-server filter chain whose only access rule denies every
 * exchange, while JWT support is still configured with the key returned by
 * {@code publicKey()}.
 *
 * @param http the security builder to configure
 * @return the built {@link SecurityWebFilterChain}
 * @throws Exception declared by the signature; no visible call requires it
 */
@Bean
SecurityWebFilterChain authorization(ServerHttpSecurity http) throws Exception {
    // @formatter:off
    // denyAll() is the single rule: no authority is named that would let an
    // exchange through.
    ServerHttpSecurity locked = http
        .authorizeExchange()
            .anyExchange().denyAll()
            .and();
    locked
        .oauth2ResourceServer()
            .jwt()
                .publicKey(publicKey());
    // @formatter:on
    SecurityWebFilterChain chain = http.build();
    return chain;
}
// Closes the enclosing type, whose header is outside this excerpt.
}
/**
 * Checks that registering another matcher after {@code anyExchange()} is rejected.
 *
 * <p>The test passes only if the chain below throws {@link IllegalStateException}.
 * Rule order is security-relevant: as the path name indicates, a rule placed
 * after a catch-all would never be consulted, so the misconfiguration is
 * expected to fail fast instead of being accepted silently.
 */
@Test(expected = IllegalStateException.class)
public void anyExchangeWhenFollowedByMatcherThenThrowsException() {
    this.http
        .authorizeExchange().anyExchange().denyAll()
        // A matcher added after the catch-all rule; this is the call the test
        // expects to be refused.
        .pathMatchers("/never-reached");
}
/**
 * Builds a resource-server filter chain whose JWT support delegates to the
 * authentication manager returned by {@code authenticationManager()}.
 *
 * @param http the security builder to configure
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
    // @formatter:off
    // NOTE(review): no authorizeExchange() rules are declared in this chain as
    // shown, so it only wires authentication; confirm where access rules are
    // applied. The supplied manager is what validates tokens here.
    http
        .oauth2ResourceServer()
            .jwt()
                .authenticationManager(authenticationManager());
    // @formatter:on
    SecurityWebFilterChain chain = http.build();
    return chain;
}
/**
 * Builds a filter chain with HTTPS redirection enabled, using the port mapper
 * returned by {@code portMapper()}.
 *
 * @param http the security builder to configure
 * @return the built {@link SecurityWebFilterChain}
 */
@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
    // @formatter:off
    // NOTE(review): presumably the port mapper decides which HTTPS port a
    // request is redirected to; confirm against portMapper().
    http
        .redirectToHttps()
            .portMapper(portMapper());
    // @formatter:on
    SecurityWebFilterChain chain = http.build();
    return chain;
}
/**
 * Checks the headers configuration after it has been disabled and then
 * requested again explicitly.
 *
 * <p>Per the test name, calling {@code headers()} after {@code disable()} is
 * expected to leave the default headers in place. The check itself is done by
 * {@code assertHeaders()}, which is defined outside this excerpt.
 */
@Test
public void headersWhenDisableAndInvokedExplicitlyThenDefautsUsed() {
    // Disable first, then ask for the headers configuration again.
    this.headers.disable()
        .headers();
    assertHeaders();
}
/**
 * Static factory for {@link ServerHttpSecurity}.
 *
 * @return a newly constructed {@link ServerHttpSecurity} instance
 */
public static ServerHttpSecurity http() {
    ServerHttpSecurity instance = new ServerHttpSecurity();
    return instance;
}
/**
 * Checks that the frame-options header is not written once
 * {@code frameOptions().disable()} has been called.
 */
@Test
public void headersWhenFrameOptionsDisableThenFrameOptionsNotWritten() {
    // Record the expectation before changing the configuration.
    String frameOptionsHeader = XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS;
    expectHeaderNamesNotPresent(frameOptionsHeader);

    this.headers.frameOptions().disable();

    assertHeaders();
}
/**
 * Checks that the content-type-options header is not written once
 * {@code contentTypeOptions().disable()} has been called.
 */
@Test
public void headersWhenContentOptionsDisableThenContentTypeOptionsNotWritten() {
    // Record the expectation before changing the configuration.
    String contentOptionsHeader = ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS;
    expectHeaderNamesNotPresent(contentOptionsHeader);

    this.headers.contentTypeOptions().disable();

    assertHeaders();
}
/**
 * Checks that the {@code X-Xss-Protection} header is not written once
 * {@code xssProtection().disable()} has been called.
 */
@Test
public void headersWhenXssProtectionDisableThenXssProtectionNotWritten() {
    // Record the expectation before changing the configuration.
    String xssProtectionHeader = "X-Xss-Protection";
    expectHeaderNamesNotPresent(xssProtectionHeader);

    this.headers.xssProtection().disable();

    assertHeaders();
}
/**
 * Checks that none of the cache-related headers ({@code Cache-Control},
 * {@code Pragma}, {@code Expires}) is written once {@code cache().disable()}
 * has been called.
 */
@Test
public void headersWhenCacheDisableThenCacheNotWritten() {
    // All three headers are expected to be absent together.
    String cacheControl = HttpHeaders.CACHE_CONTROL;
    String pragma = HttpHeaders.PRAGMA;
    String expires = HttpHeaders.EXPIRES;
    expectHeaderNamesNotPresent(cacheControl, pragma, expires);

    this.headers.cache().disable();

    assertHeaders();
}
/**
 * Checks that the {@code Strict-Transport-Security} header is not written once
 * {@code hsts().disable()} has been called.
 */
@Test
public void headersWhenHstsDisableThenHstsNotWritten() {
    // Record the expectation before changing the configuration.
    String hstsHeader = StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY;
    expectHeaderNamesNotPresent(hstsHeader);

    this.headers.hsts().disable();

    assertHeaders();
}
/**
 * Registers a single {@link ServerWebExchangeMatcher}.
 *
 * @param matcher the {@link ServerWebExchangeMatcher} instance to register
 * @return the object returned by {@code registerMatcher}, on which the
 * configuration for the matcher is chained
 */
private T matcher(ServerWebExchangeMatcher matcher) {
    T registered = registerMatcher(matcher);
    return registered;
}
// Closes the enclosing type, whose header is outside this excerpt.
}
/**
 * Returns the JWT configuration, creating it on the first call.
 *
 * <p>Later calls return the same {@link JwtSpec} that the first call stored in
 * the {@code jwt} field.
 *
 * @return the {@link JwtSpec} to configure
 */
public JwtSpec jwt() {
    if (this.jwt != null) {
        // Already created by an earlier call.
        return this.jwt;
    }
    this.jwt = new JwtSpec();
    return this.jwt;
}
/**
 * Applies the JWT configuration to the given security builder, if one was created.
 *
 * @param http the {@link ServerHttpSecurity} passed on to the JWT configuration
 */
protected void configure(ServerHttpSecurity http) {
    if (this.jwt == null) {
        // No JWT configuration was set, so this method configures nothing.
        return;
    }
    this.jwt.configure(http);
}