Class ServerHttpSecurity
java.lang.Object
org.springframework.security.config.web.server.ServerHttpSecurity
A
ServerHttpSecurity
is similar to Spring Security's HttpSecurity
but
for WebFlux. It allows configuring web based security for specific http requests. By
default it will be applied to all requests, but can be restricted using
securityMatcher(ServerWebExchangeMatcher)
or other similar methods.
A minimal configuration can be found below:
@Configuration @EnableWebFluxSecurity public class MyMinimalSecurityConfiguration { @Bean public MapReactiveUserDetailsService userDetailsService() { UserDetails user = User.withDefaultPasswordEncoder() .username("user") .password("password") .roles("USER") .build(); return new MapReactiveUserDetailsService(user); } }Below is the same as our minimal configuration, but explicitly declaring the
ServerHttpSecurity
.
@Configuration @EnableWebFluxSecurity public class MyExplicitSecurityConfiguration { @Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http .authorizeExchange() .anyExchange().authenticated() .and() .httpBasic().and() .formLogin(); return http.build(); } @Bean public MapReactiveUserDetailsService userDetailsService() { UserDetails user = User.withDefaultPasswordEncoder() .username("user") .password("password") .roles("USER") .build(); return new MapReactiveUserDetailsService(user); } }
- Since:
- 5.0
-
Nested Class Summary
Modifier and TypeClassDescriptionfinal class
Configures anonymous authenticationclass
Configures authorizationfinal class
Configures CORS support within Spring Security.final class
Configures CSRF Protectionfinal class
Configures exception handlingfinal class
Configures Form Based authenticationfinal class
Configures HTTP Response Headers.final class
Configures HTTP Basic Authenticationclass
Configures HTTPS redirection rulesfinal class
Configures log outfinal class
final class
class
Configures OAuth2 Resource Server Supportfinal class
Configures OIDC 1.0 Logout supportfinal class
Configures One-Time Token Login Supportfinal class
Configures password management.final class
Configures the request cache which is used when a flow is interrupted (i.e.class
Configures how sessions are managed.final class
Configures X509 authentication -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionaddFilterAfter
(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order) Adds aWebFilter
after specific position.addFilterAt
(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order) Adds aWebFilter
at a specific position.addFilterBefore
(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order) Adds aWebFilter
before specific position.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.anonymous
(Customizer<ServerHttpSecurity.AnonymousSpec> anonymousCustomizer) Enables and Configures anonymous authentication.Configure the default authentication manager.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.authorizeExchange
(Customizer<ServerHttpSecurity.AuthorizeExchangeSpec> authorizeExchangeCustomizer) Configures authorization.build()
Builds theSecurityWebFilterChain
cors()
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.cors
(Customizer<ServerHttpSecurity.CorsSpec> corsCustomizer) Configures CORS headers.csrf()
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.csrf
(Customizer<ServerHttpSecurity.CsrfSpec> csrfCustomizer) Configures CSRF Protection which is enabled by default.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.exceptionHandling
(Customizer<ServerHttpSecurity.ExceptionHandlingSpec> exceptionHandlingCustomizer) Configures exception handling (i.e.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.formLogin
(Customizer<ServerHttpSecurity.FormLoginSpec> formLoginCustomizer) Configures form based authentication.headers()
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.headers
(Customizer<ServerHttpSecurity.HeaderSpec> headerCustomizer) Configures HTTP Response Headers.static ServerHttpSecurity
http()
Creates a new instance.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.httpBasic
(Customizer<ServerHttpSecurity.HttpBasicSpec> httpBasicCustomizer) Configures HTTP Basic authentication.logout()
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.logout
(Customizer<ServerHttpSecurity.LogoutSpec> logoutCustomizer) Configures log out.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.oauth2Client
(Customizer<ServerHttpSecurity.OAuth2ClientSpec> oauth2ClientCustomizer) Configures the OAuth2 client.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.oauth2Login
(Customizer<ServerHttpSecurity.OAuth2LoginSpec> oauth2LoginCustomizer) Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.oauth2ResourceServer
(Customizer<ServerHttpSecurity.OAuth2ResourceServerSpec> oauth2ResourceServerCustomizer) Configures OAuth 2.0 Resource Server support.oidcLogout
(Customizer<ServerHttpSecurity.OidcLogoutSpec> oidcLogoutCustomizer) Configures OIDC Connect 1.0 Logout support.oneTimeTokenLogin
(Customizer<ServerHttpSecurity.OneTimeTokenLoginSpec> oneTimeTokenLoginCustomizer) Configures One-Time Token Login Support.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.passwordManagement
(Customizer<ServerHttpSecurity.PasswordManagementSpec> passwordManagementCustomizer) Configures password management.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.redirectToHttps
(Customizer<ServerHttpSecurity.HttpsRedirectSpec> httpsRedirectCustomizer) Configures HTTPS redirection rules.Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.requestCache
(Customizer<ServerHttpSecurity.RequestCacheSpec> requestCacheCustomizer) Configures the request cache which is used when a flow is interrupted (i.e.securityContextRepository
(ServerSecurityContextRepository securityContextRepository) The strategy used withReactorContextWebFilter
.securityMatcher
(ServerWebExchangeMatcher matcher) The ServerExchangeMatcher that determines which requests apply to this HttpSecurity instance.Configures Session Management.protected void
setApplicationContext
(org.springframework.context.ApplicationContext applicationContext) x509()
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.x509
(Customizer<ServerHttpSecurity.X509Spec> x509Customizer) Configures x509 authentication using a certificate provided by a client.
-
Constructor Details
-
ServerHttpSecurity
protected ServerHttpSecurity()
-
-
Method Details
-
securityMatcher
The ServerExchangeMatcher that determines which requests apply to this HttpSecurity instance.- Parameters:
matcher
- the ServerExchangeMatcher that determines which requests apply to this HttpSecurity instance. Default is all requests.- Returns:
- the
ServerHttpSecurity
to continue configuring
-
addFilterAt
public ServerHttpSecurity addFilterAt(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order) Adds aWebFilter
at a specific position.- Parameters:
webFilter
- theWebFilter
to addorder
- the place to insert theWebFilter
- Returns:
- the
ServerHttpSecurity
to continue configuring
-
addFilterBefore
public ServerHttpSecurity addFilterBefore(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order) Adds aWebFilter
before specific position.- Parameters:
webFilter
- theWebFilter
to addorder
- the place before which to insert theWebFilter
- Returns:
- the
ServerHttpSecurity
to continue configuring - Since:
- 5.2.0
-
addFilterAfter
public ServerHttpSecurity addFilterAfter(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order) Adds aWebFilter
after specific position.- Parameters:
webFilter
- theWebFilter
to addorder
- the place after which to insert theWebFilter
- Returns:
- the
ServerHttpSecurity
to continue configuring - Since:
- 5.2.0
-
securityContextRepository
public ServerHttpSecurity securityContextRepository(ServerSecurityContextRepository securityContextRepository) The strategy used withReactorContextWebFilter
. It does impact how theSecurityContext
is saved which is configured on a perAuthenticationWebFilter
basis.- Parameters:
securityContextRepository
- the repository to use- Returns:
- the
ServerHttpSecurity
to continue configuring
-
redirectToHttps
@Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.HttpsRedirectSpec redirectToHttps()Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UseredirectToHttps(Customizer)
orredirectToHttps(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures HTTPS redirection rules. If the default is used:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .redirectToHttps(); return http.build(); }
Then all non-HTTPS requests will be redirected to HTTPS. Typically, all requests should be HTTPS; however, the focus for redirection can also be narrowed:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .redirectToHttps() .httpsRedirectWhen((serverWebExchange) -> serverWebExchange.getRequest().getHeaders().containsKey("X-Requires-Https")) return http.build(); }
- Returns:
- the
ServerHttpSecurity.HttpsRedirectSpec
to customize
-
redirectToHttps
public ServerHttpSecurity redirectToHttps(Customizer<ServerHttpSecurity.HttpsRedirectSpec> httpsRedirectCustomizer) Configures HTTPS redirection rules. If the default is used:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .redirectToHttps(withDefaults()); return http.build(); }
Then all non-HTTPS requests will be redirected to HTTPS. Typically, all requests should be HTTPS; however, the focus for redirection can also be narrowed:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .redirectToHttps((redirectToHttps) -> redirectToHttps .httpsRedirectWhen((serverWebExchange) -> serverWebExchange.getRequest().getHeaders().containsKey("X-Requires-Https")) ); return http.build(); }
- Parameters:
httpsRedirectCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.HttpsRedirectSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
csrf
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. Usecsrf(Customizer)
orcsrf(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures CSRF Protection which is enabled by default. You can disable it using:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .csrf().disabled(); return http.build(); }
Additional configuration options can be seen below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .csrf() // Handle CSRF failures .accessDeniedHandler(accessDeniedHandler) // Custom persistence of CSRF Token .csrfTokenRepository(csrfTokenRepository) // custom matching when CSRF protection is enabled .requireCsrfProtectionMatcher(matcher); return http.build(); }
- Returns:
- the
ServerHttpSecurity.CsrfSpec
to customize
-
csrf
Configures CSRF Protection which is enabled by default. You can disable it using:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .csrf((csrf) -> csrf.disabled() ); return http.build(); }
Additional configuration options can be seen below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .csrf((csrf) -> csrf // Handle CSRF failures .accessDeniedHandler(accessDeniedHandler) // Custom persistence of CSRF Token .csrfTokenRepository(csrfTokenRepository) // custom matching when CSRF protection is enabled .requireCsrfProtectionMatcher(matcher) ); return http.build(); }
- Parameters:
csrfCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.CsrfSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
cors
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. Usecors(Customizer)
orcors(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures CORS headers. By default if aCorsConfigurationSource
Bean is found, it will be used to create aCorsWebFilter
. IfServerHttpSecurity.CorsSpec.configurationSource(CorsConfigurationSource)
is invoked it will be used instead. If neither has been configured, the Cors configuration will do nothing.- Returns:
- the
ServerHttpSecurity.CorsSpec
to customize
-
cors
Configures CORS headers. By default if aCorsConfigurationSource
Bean is found, it will be used to create aCorsWebFilter
. IfServerHttpSecurity.CorsSpec.configurationSource(CorsConfigurationSource)
is invoked it will be used instead. If neither has been configured, the Cors configuration will do nothing.- Parameters:
corsCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.CorsSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
anonymous
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. Useanonymous(Customizer)
oranonymous(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Enables and Configures anonymous authentication. Anonymous Authentication is disabled by default.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .anonymous().key("key") .authorities("ROLE_ANONYMOUS"); return http.build(); }
- Returns:
- the
ServerHttpSecurity.AnonymousSpec
to customize - Since:
- 5.2.0
-
anonymous
public ServerHttpSecurity anonymous(Customizer<ServerHttpSecurity.AnonymousSpec> anonymousCustomizer) Enables and Configures anonymous authentication. Anonymous Authentication is disabled by default.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .anonymous((anonymous) -> anonymous .key("key") .authorities("ROLE_ANONYMOUS") ); return http.build(); }
- Parameters:
anonymousCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.AnonymousSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
httpBasic
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UsehttpBasic(Customizer)
orhttpBasic(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures HTTP Basic authentication. An example configuration is provided below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .httpBasic() // used for authenticating the credentials .authenticationManager(authenticationManager) // Custom persistence of the authentication .securityContextRepository(securityContextRepository); return http.build(); }
- Returns:
- the
ServerHttpSecurity.HttpBasicSpec
to customize
-
httpBasic
public ServerHttpSecurity httpBasic(Customizer<ServerHttpSecurity.HttpBasicSpec> httpBasicCustomizer) Configures HTTP Basic authentication. An example configuration is provided below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .httpBasic((httpBasic) -> httpBasic // used for authenticating the credentials .authenticationManager(authenticationManager) // Custom persistence of the authentication .securityContextRepository(securityContextRepository) ); return http.build(); }
- Parameters:
httpBasicCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.HttpBasicSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
sessionManagement
public ServerHttpSecurity sessionManagement(Customizer<ServerHttpSecurity.SessionManagementSpec> customizer) Configures Session Management. An example configuration is provided below:@Bean SecurityWebFilterChain filterChain(ServerHttpSecurity http, ReactiveSessionRegistry sessionRegistry) { http // ... .sessionManagement((sessionManagement) -> sessionManagement .concurrentSessions((concurrentSessions) -> concurrentSessions .maxSessions(1) .maxSessionsPreventsLogin(true) .sessionRegistry(sessionRegistry) ) ); return http.build(); }
- Parameters:
customizer
- theCustomizer
to provide more options for theServerHttpSecurity.SessionManagementSpec
- Returns:
- the
ServerHttpSecurity
to continue configuring - Since:
- 6.3
-
passwordManagement
@Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.PasswordManagementSpec passwordManagement()Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UsepasswordManagement(Customizer)
orpasswordManagement(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures password management. An example configuration is provided below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .passwordManagement(); return http.build(); }
- Returns:
- the
ServerHttpSecurity.PasswordManagementSpec
to customize - Since:
- 5.6
-
passwordManagement
public ServerHttpSecurity passwordManagement(Customizer<ServerHttpSecurity.PasswordManagementSpec> passwordManagementCustomizer) Configures password management. An example configuration is provided below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .passwordManagement(passwordManagement -> // Custom change password page. passwordManagement.changePasswordPage("/custom-change-password-page") ); return http.build(); }
- Parameters:
passwordManagementCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.PasswordManagementSpec
- Returns:
- the
ServerHttpSecurity
to customize - Since:
- 5.6
-
formLogin
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UseformLogin(Customizer)
orformLogin(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures form based authentication. An example configuration is provided below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .formLogin() // used for authenticating the credentials .authenticationManager(authenticationManager) // Custom persistence of the authentication .securityContextRepository(securityContextRepository) // expect a log in page at "/authenticate" // a POST "/authenticate" is where authentication occurs // error page at "/authenticate?error" .loginPage("/authenticate"); return http.build(); }
- Returns:
- the
ServerHttpSecurity.FormLoginSpec
to customize
-
formLogin
public ServerHttpSecurity formLogin(Customizer<ServerHttpSecurity.FormLoginSpec> formLoginCustomizer) Configures form based authentication. An example configuration is provided below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .formLogin((formLogin) -> formLogin // used for authenticating the credentials .authenticationManager(authenticationManager) // Custom persistence of the authentication .securityContextRepository(securityContextRepository) // expect a log in page at "/authenticate" // a POST "/authenticate" is where authentication occurs // error page at "/authenticate?error" .loginPage("/authenticate") ); return http.build(); }
- Parameters:
formLoginCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.FormLoginSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
x509
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. Usex509(Customizer)
orx509(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures x509 authentication using a certificate provided by a client.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http .x509() .authenticationManager(authenticationManager) .principalExtractor(principalExtractor); return http.build(); }
Note that if extractor is not specified,SubjectDnX509PrincipalExtractor
will be used. If authenticationManager is not specified,ReactivePreAuthenticatedAuthenticationManager
will be used.- Returns:
- the
ServerHttpSecurity.X509Spec
to customize - Since:
- 5.2
-
x509
Configures x509 authentication using a certificate provided by a client.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http .x509((x509) -> x509 .authenticationManager(authenticationManager) .principalExtractor(principalExtractor) ); return http.build(); }
Note that if extractor is not specified,SubjectDnX509PrincipalExtractor
will be used. If authenticationManager is not specified,ReactivePreAuthenticatedAuthenticationManager
will be used.- Parameters:
x509Customizer
- theCustomizer
to provide more options for theServerHttpSecurity.X509Spec
- Returns:
- the
ServerHttpSecurity
to customize - Since:
- 5.2
-
oauth2Login
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. Useoauth2Login(Customizer)
oroauth2Login(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .oauth2Login() .authenticationConverter(authenticationConverter) .authenticationManager(manager); return http.build(); }
- Returns:
- the
ServerHttpSecurity.OAuth2LoginSpec
to customize
-
oauth2Login
public ServerHttpSecurity oauth2Login(Customizer<ServerHttpSecurity.OAuth2LoginSpec> oauth2LoginCustomizer) Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .oauth2Login((oauth2Login) -> oauth2Login .authenticationConverter(authenticationConverter) .authenticationManager(manager) ); return http.build(); }
- Parameters:
oauth2LoginCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.OAuth2LoginSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
oauth2Client
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. Useoauth2Client(Customizer)
oroauth2Client(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures the OAuth2 client.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .oauth2Client() .clientRegistrationRepository(clientRegistrationRepository) .authorizedClientRepository(authorizedClientRepository); return http.build(); }
- Returns:
- the
ServerHttpSecurity.OAuth2ClientSpec
to customize
-
oauth2Client
public ServerHttpSecurity oauth2Client(Customizer<ServerHttpSecurity.OAuth2ClientSpec> oauth2ClientCustomizer) Configures the OAuth2 client.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .oauth2Client((oauth2Client) -> oauth2Client .clientRegistrationRepository(clientRegistrationRepository) .authorizedClientRepository(authorizedClientRepository) ); return http.build(); }
- Parameters:
oauth2ClientCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.OAuth2ClientSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
oauth2ResourceServer
@Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.OAuth2ResourceServerSpec oauth2ResourceServer()Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. Useoauth2ResourceServer(Customizer)
insteadConfigures OAuth 2.0 Resource Server support.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .oauth2ResourceServer() .jwt() .publicKey(publicKey()); return http.build(); }
- Returns:
- the
ServerHttpSecurity.OAuth2ResourceServerSpec
to customize
-
oauth2ResourceServer
public ServerHttpSecurity oauth2ResourceServer(Customizer<ServerHttpSecurity.OAuth2ResourceServerSpec> oauth2ResourceServerCustomizer) Configures OAuth 2.0 Resource Server support.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .oauth2ResourceServer((oauth2ResourceServer) -> oauth2ResourceServer .jwt((jwt) -> jwt .publicKey(publicKey()) ) ); return http.build(); }
- Parameters:
oauth2ResourceServerCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.OAuth2ResourceServerSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
oidcLogout
public ServerHttpSecurity oidcLogout(Customizer<ServerHttpSecurity.OidcLogoutSpec> oidcLogoutCustomizer) Configures OIDC Connect 1.0 Logout support.@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .oidcLogout((logout) -> logout .backChannel(Customizer.withDefaults()) ); return http.build(); }
- Parameters:
oidcLogoutCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.OidcLogoutSpec
- Returns:
- the
ServerHttpSecurity
to customize - Since:
- 6.2
-
headers
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. Useheaders(Customizer)
orheaders(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures HTTP Response Headers. The default headers are:Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 0
such that "Strict-Transport-Security" is only added on secure requests. An example configuration is provided below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .headers() // customize frame options to be same origin .frameOptions() .mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN) .and() // disable cache control .cache().disable(); return http.build(); }
- Returns:
- the
ServerHttpSecurity.HeaderSpec
to customize
-
headers
Configures HTTP Response Headers. The default headers are:Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 0
such that "Strict-Transport-Security" is only added on secure requests. An example configuration is provided below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .headers((headers) -> headers // customize frame options to be same origin .frameOptions((frameOptions) -> frameOptions .mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN) ) // disable cache control .cache((cache) -> cache .disable() ) ); return http.build(); }
- Parameters:
headerCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.HeaderSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
exceptionHandling
@Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.ExceptionHandlingSpec exceptionHandling()Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UseexceptionHandling(Customizer)
orexceptionHandling(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures exception handling (i.e. handles when authentication is requested). An example configuration can be found below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .exceptionHandling() // customize how to request for authentication .authenticationEntryPoint(entryPoint); return http.build(); }
- Returns:
- the
ServerHttpSecurity.ExceptionHandlingSpec
to customize
-
exceptionHandling
public ServerHttpSecurity exceptionHandling(Customizer<ServerHttpSecurity.ExceptionHandlingSpec> exceptionHandlingCustomizer) Configures exception handling (i.e. handles when authentication is requested). An example configuration can be found below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .exceptionHandling((exceptionHandling) -> exceptionHandling // customize how to request for authentication .authenticationEntryPoint(entryPoint) ); return http.build(); }
- Parameters:
exceptionHandlingCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.ExceptionHandlingSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
authorizeExchange
@Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange()Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UseauthorizeExchange(Customizer)
orauthorizeExchange(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures authorization. An example configuration can be found below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .authorizeExchange() // any URL that starts with /admin/ requires the role "ROLE_ADMIN" .pathMatchers("/admin/**").hasRole("ADMIN") // a POST to /users requires the role "USER_POST" .pathMatchers(HttpMethod.POST, "/users").hasAuthority("USER_POST") // a request to /users/{username} requires the current authentication's username // to be equal to the {username} .pathMatchers("/users/{username}").access((authentication, context) -> authentication .map(Authentication::getName) .map((username) -> username.equals(context.getVariables().get("username"))) .map(AuthorizationDecision::new) ) // allows providing a custom matching strategy that requires the role "ROLE_CUSTOM" .matchers(customMatcher).hasRole("CUSTOM") // any other request requires the user to be authenticated .anyExchange().authenticated(); return http.build(); }
- Returns:
- the
ServerHttpSecurity.AuthorizeExchangeSpec
to customize
-
authorizeExchange
public ServerHttpSecurity authorizeExchange(Customizer<ServerHttpSecurity.AuthorizeExchangeSpec> authorizeExchangeCustomizer) Configures authorization. An example configuration can be found below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .authorizeExchange((exchanges) -> exchanges // any URL that starts with /admin/ requires the role "ROLE_ADMIN" .pathMatchers("/admin/**").hasRole("ADMIN") // a POST to /users requires the role "USER_POST" .pathMatchers(HttpMethod.POST, "/users").hasAuthority("USER_POST") // a request to /users/{username} requires the current authentication's username // to be equal to the {username} .pathMatchers("/users/{username}").access((authentication, context) -> authentication .map(Authentication::getName) .map((username) -> username.equals(context.getVariables().get("username"))) .map(AuthorizationDecision::new) ) // allows providing a custom matching strategy that requires the role "ROLE_CUSTOM" .matchers(customMatcher).hasRole("CUSTOM") // any other request requires the user to be authenticated .anyExchange().authenticated() ); return http.build(); }
- Parameters:
authorizeExchangeCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.AuthorizeExchangeSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
logout
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. Uselogout(Customizer)
orlogout(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures log out. An example configuration can be found below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .logout() // configures how log out is done .logoutHandler(logoutHandler) // log out will be performed on POST /signout .logoutUrl("/signout") // configure what is done on logout success .logoutSuccessHandler(successHandler); return http.build(); }
- Returns:
- the
ServerHttpSecurity.LogoutSpec
to customize
-
logout
Configures log out. An example configuration can be found below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .logout((logout) -> logout // configures how log out is done .logoutHandler(logoutHandler) // log out will be performed on POST /signout .logoutUrl("/signout") // configure what is done on logout success .logoutSuccessHandler(successHandler) ); return http.build(); }
- Parameters:
logoutCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.LogoutSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
requestCache
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UserequestCache(Customizer)
orrequestCache(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so that the request can be replayed after authentication. An example configuration can be found below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .requestCache() // configures how the request is cached .requestCache(requestCache); return http.build(); }
- Returns:
- the
ServerHttpSecurity.RequestCacheSpec
to customize
-
requestCache
public ServerHttpSecurity requestCache(Customizer<ServerHttpSecurity.RequestCacheSpec> requestCacheCustomizer) Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so that the request can be replayed after authentication. An example configuration can be found below:@Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http // ... .requestCache((requestCache) -> requestCache // configures how the request is cached .requestCache(customRequestCache) ); return http.build(); }
- Parameters:
requestCacheCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.RequestCacheSpec
- Returns:
- the
ServerHttpSecurity
to customize
-
authenticationManager
Configure the default authentication manager.- Parameters:
manager
- the authentication manager to use- Returns:
- the
ServerHttpSecurity
to customize
-
oneTimeTokenLogin
public ServerHttpSecurity oneTimeTokenLogin(Customizer<ServerHttpSecurity.OneTimeTokenLoginSpec> oneTimeTokenLoginCustomizer) Configures One-Time Token Login Support.Example Configuration
@Configuration @EnableWebFluxSecurity public class SecurityConfig { @Bean public SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) throws Exception { http // ... .oneTimeTokenLogin(Customizer.withDefaults()); return http.build(); } @Bean public ServerOneTimeTokenGenerationSuccessHandler oneTimeTokenGenerationSuccessHandler() { return new MyMagicLinkServerOneTimeTokenGenerationSuccessHandler(); } }
- Parameters:
oneTimeTokenLoginCustomizer
- theCustomizer
to provide more options for theServerHttpSecurity.OneTimeTokenLoginSpec
- Returns:
- the
ServerHttpSecurity
for further customizations
-
build
Builds theSecurityWebFilterChain
- Returns:
- the
SecurityWebFilterChain
-
http
Creates a new instance.- Returns:
- the new
ServerHttpSecurity
instance
-
setApplicationContext
protected void setApplicationContext(org.springframework.context.ApplicationContext applicationContext) throws org.springframework.beans.BeansException - Throws:
org.springframework.beans.BeansException
-