org.springframework.security.web.server.SecurityWebFilterChain Java Examples

The following examples show how to use org.springframework.security.web.server.SecurityWebFilterChain.
Example #1
Source File: SecurityConfig.java    From Hands-On-Microservices-with-Spring-Boot-and-Spring-Cloud with MIT License 7 votes vote down vote up
/**
 * Builds the reactive security filter chain: a fixed set of path prefixes is
 * open to everyone, every other exchange must be authenticated, and
 * authentication is done as an OAuth 2.0 resource server using JWTs.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
	// CSRF protection is switched off for every exchange handled by this chain.
	http.csrf().disable();

	// Rules are evaluated in declaration order and the first match decides, so the
	// open prefixes below are exempt from the catch-all "authenticated" rule.
	// NOTE(review): /actuator/**, /eureka/** and /config/** are reachable without a
	// token here; what they expose depends on configuration not visible in this
	// snippet -- confirm that nothing sensitive is served under them.
	http.authorizeExchange()
		.pathMatchers("/headerrouting/**").permitAll()
		.pathMatchers("/actuator/**").permitAll()
		.pathMatchers("/eureka/**").permitAll()
		.pathMatchers("/oauth/**").permitAll()
		.pathMatchers("/config/**").permitAll()
		.anyExchange().authenticated();

	// Bearer tokens are processed as JWTs.
	http.oauth2ResourceServer().jwt();

	return http.build();
}
 
Example #2
Source File: SecurityConfigure.java    From FEBS-Cloud with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a filter chain that answers authentication failures with a bare 401
 * and authorization failures with a bare 403, plugs in the application's own
 * authentication manager and security-context repository, and requires
 * authentication only under {@code /route/auth/**}.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
public SecurityWebFilterChain securitygWebFilterChain(ServerHttpSecurity http) {
    // Status-only responses: no login page or redirect is produced on failure.
    http.exceptionHandling()
            .authenticationEntryPoint((exchange, ex) ->
                    Mono.fromRunnable(() -> exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED)))
            .accessDeniedHandler((exchange, ex) ->
                    Mono.fromRunnable(() -> exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN)));

    // NOTE(review): with frame options disabled no X-Frame-Options header is written,
    // so framing by other origins is not restricted by this chain.
    http.headers().frameOptions().disable();

    http.csrf().disable();
    http.formLogin().disable();
    http.httpBasic().disable();

    http.authenticationManager(authenticationManager);
    http.securityContextRepository(securityContextRepository);

    // Default-open policy: only /route/auth/** needs an authenticated caller; the
    // OPTIONS rule comes first, so OPTIONS requests are open on every path.
    http.authorizeExchange()
            .pathMatchers(HttpMethod.OPTIONS).permitAll()
            .pathMatchers("/route/auth/**").authenticated()
            .anyExchange().permitAll();

    return http.build();
}
 
Example #3
Source File: ReactiveSecurityApplication.java    From training with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a filter chain with HTTP Basic authentication where {@code /greeting}
 * needs an authenticated caller and {@code /hi/{name}} is decided by a custom
 * authorization manager.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
SecurityWebFilterChain authorization(ServerHttpSecurity http) {
	// Grants access when the {name} path variable equals "rwinch".
	// NOTE(review): the decision is derived from the URL only; the authentication
	// argument is never consulted, so as written /hi/rwinch looks reachable
	// whoever (or whether anyone) is logged in -- confirm this is intended.
	ReactiveAuthorizationManager<AuthorizationContext> nameCheck = (authentication, context) -> {
		boolean granted = context.getVariables().get("name").equals("rwinch");
		return Mono.just(new AuthorizationDecision(granted));
	};

	http.authorizeExchange()
		.pathMatchers("/greeting").authenticated()
		.pathMatchers("/hi/{name}").access(nameCheck);

	http.csrf().disable();
	http.httpBasic();

	return http.build();
}
 
Example #4
Source File: SecurityConfig.java    From Hands-On-Microservices-with-Spring-Boot-and-Spring-Cloud with MIT License 6 votes vote down vote up
/**
 * Configures the filter chain: CSRF off, five path prefixes open to all
 * callers, everything else authenticated through JWT bearer tokens.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
	http.csrf().disable();

	ServerHttpSecurity.AuthorizeExchangeSpec rules = http.authorizeExchange();

	// Open prefixes. The first matching rule wins, so these must stay ahead of
	// the catch-all below.
	// NOTE(review): unauthenticated access to /actuator/** and /config/** deserves
	// a second look; their content is not visible in this snippet.
	rules.pathMatchers("/headerrouting/**").permitAll();
	rules.pathMatchers("/actuator/**").permitAll();
	rules.pathMatchers("/eureka/**").permitAll();
	rules.pathMatchers("/oauth/**").permitAll();
	rules.pathMatchers("/config/**").permitAll();

	// Catch-all: any other exchange needs an authenticated caller.
	rules.anyExchange().authenticated();

	// Resource-server mode with JWT bearer tokens.
	http.oauth2ResourceServer().jwt();

	return http.build();
}
 
Example #5
Source File: ReactiveConfig.java    From errors-spring-boot-starter with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a filter chain that routes CSRF rejections, access-denied errors and
 * authentication failures to the supplied handlers and protects
 * {@code /test/protected} per HTTP method.
 *
 * @param http                     the security builder supplied by Spring
 * @param accessDeniedHandler      handler used for access-denied and CSRF rejections
 * @param authenticationEntryPoint entry point used when authentication is required
 * @return the built filter chain
 */
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                     ServerAccessDeniedHandler accessDeniedHandler,
                                                     ServerAuthenticationEntryPoint authenticationEntryPoint) {
    // CSRF protection stays enabled; only the handler invoked on a rejection is replaced.
    http.csrf().accessDeniedHandler(accessDeniedHandler);

    http.exceptionHandling()
        .authenticationEntryPoint(authenticationEntryPoint)
        .accessDeniedHandler(accessDeniedHandler);

    // NOTE(review): the two rules are bound to GET and POST. Any other method on
    // /test/protected falls through to anyExchange().permitAll() -- confirm that
    // is acceptable for the handlers mapped there.
    http.authorizeExchange()
        .pathMatchers(GET, "/test/protected").authenticated()
        .pathMatchers(POST, "/test/protected").hasRole("ADMIN")
        .anyExchange().permitAll();

    return http.build();
}
 
Example #6
Source File: WebSecurityConfig.java    From spring-boot-webflux-jjwt with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a filter chain for token-style authentication: failures are answered
 * with bare 401/403 status codes, the built-in login mechanisms are disabled,
 * and every exchange except {@code /login} and OPTIONS requests must be
 * authenticated.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
public SecurityWebFilterChain securitygWebFilterChain(ServerHttpSecurity http) {
	http.exceptionHandling()
			.authenticationEntryPoint((exchange, ex) ->
					Mono.fromRunnable(() -> exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED)))
			.accessDeniedHandler((exchange, ex) ->
					Mono.fromRunnable(() -> exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN)));

	// CSRF, form login and HTTP Basic are all turned off; authentication is left
	// to the manager and context repository wired in below.
	http.csrf().disable();
	http.formLogin().disable();
	http.httpBasic().disable();
	http.authenticationManager(authenticationManager);
	http.securityContextRepository(securityContextRepository);

	// Default-closed policy: anything not explicitly opened needs authentication.
	http.authorizeExchange()
			.pathMatchers(HttpMethod.OPTIONS).permitAll()
			.pathMatchers("/login").permitAll()
			.anyExchange().authenticated();

	return http.build();
}
 
Example #7
Source File: SecurityConfig.java    From Hands-On-Microservices-with-Spring-Boot-and-Spring-Cloud with MIT License 6 votes vote down vote up
/**
 * Security filter chain: selected infrastructure prefixes are public, all
 * remaining exchanges require a JWT-authenticated caller.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
	// No CSRF token checks on this chain.
	http.csrf().disable();

	// Evaluated top to bottom; the first rule that matches an exchange applies.
	// NOTE(review): the permitAll() prefixes include /actuator/** and /config/**.
	// Whether that leaks operational data depends on settings outside this
	// snippet -- verify before reusing the pattern.
	http.authorizeExchange()
		.pathMatchers("/headerrouting/**").permitAll()
		.pathMatchers("/actuator/**").permitAll()
		.pathMatchers("/eureka/**").permitAll()
		.pathMatchers("/oauth/**").permitAll()
		.pathMatchers("/config/**").permitAll()
		.anyExchange().authenticated();

	http.oauth2ResourceServer().jwt();

	return http.build();
}
 
Example #8
Source File: SecurityConfig.java    From spring-security-samples with MIT License 6 votes vote down vote up
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http,
		ReactiveClientRegistrationRepository clientRegistrationRepository) {
	// Authenticate through configured OpenID Provider
	http.oauth2Login();
	// Also logout at the OpenID Connect provider
	http.logout(logout -> logout.logoutSuccessHandler(new OidcClientInitiatedServerLogoutSuccessHandler(
			clientRegistrationRepository)));
	// Require authentication for all requests
	http.authorizeExchange().anyExchange().authenticated();
	// Allow showing /home within a frame
	http.headers().frameOptions().mode(Mode.SAMEORIGIN);
	// Disable CSRF in the gateway to prevent conflicts with proxied service CSRF
	http.csrf().disable();
	return http.build();
}
 
Example #9
Source File: SecurityConfig.java    From spring-security-samples with MIT License 6 votes vote down vote up
@Bean
public SecurityWebFilterChain securityWebFilterChain() {
	// the matcher for all paths that need to be secured (require a logged-in user)
	final ServerWebExchangeMatcher apiPathMatcher = pathMatchers(API_MATCHER_PATH);

	// default chain for all requests
	final ServerHttpSecurity http = this.context.getBean(ServerHttpSecurity.class);

	return http
		.authorizeExchange().matchers(apiPathMatcher).authenticated()
		.anyExchange().permitAll()
		.and().httpBasic().disable()
		.csrf().disable()
		.oauth2Client()
		.and()
		.oauth2Login()
		.and()
		.build();
}
 
Example #10
Source File: SecurityConfig.java    From Hands-On-Microservices-with-Spring-Boot-and-Spring-Cloud with MIT License 6 votes vote down vote up
/**
 * Defines which paths are public and requires a JWT-authenticated caller for
 * all other exchanges; CSRF protection is disabled.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
	http.csrf().disable();

	ServerHttpSecurity.AuthorizeExchangeSpec exchanges = http.authorizeExchange();

	// Public prefixes, registered ahead of the catch-all because the first match decides.
	// NOTE(review): /actuator/**, /eureka/** and /config/** are open to anonymous
	// callers here; check what is exposed under them (not visible in this snippet).
	exchanges.pathMatchers("/headerrouting/**").permitAll();
	exchanges.pathMatchers("/actuator/**").permitAll();
	exchanges.pathMatchers("/eureka/**").permitAll();
	exchanges.pathMatchers("/oauth/**").permitAll();
	exchanges.pathMatchers("/config/**").permitAll();
	exchanges.anyExchange().authenticated();

	// JWT-based resource server.
	http.oauth2ResourceServer().jwt();

	return http.build();
}
 
Example #11
Source File: SecurityConfig.java    From spring-5-examples with MIT License 6 votes vote down vote up
/**
 * Builds a filter chain that leaves static assets public, requires
 * authentication for everything else, and enables HTTP Basic, form login and
 * logout.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity http) {
    // Static resources are public; any other exchange needs an authenticated user.
    http.authorizeExchange()
        .pathMatchers("/favicon.ico", "/css/**", "/webjars/**").permitAll()
        .anyExchange().authenticated();

    // CSRF is not touched here, so it keeps the builder's default.
    http.httpBasic();
    http.formLogin();
    http.logout();

    return http.build();
}
 
Example #12
Source File: SecurityConfiguration.java    From webFluxTemplate with MIT License 6 votes vote down vote up
@Bean
public SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity http,
                                                        final JwtAuthenticationWebFilter authenticationWebFilter,
                                                        final UnauthorizedAuthenticationEntryPoint entryPoint) {
    // We must override AuthenticationEntryPoint because if AuthenticationWebFilter didn't kicked in
    // (i.e. there are no required headers) then default behavior is to display HttpBasicAuth,
    // so we just return unauthorized to override it.
    // Filter tries to authenticate each request if it contains required headers.
    // Finally, we disable all default security.
    http
            .exceptionHandling()
            .authenticationEntryPoint(entryPoint)
            .and()
            .addFilterAt(authenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION)
            .authorizeExchange()
            .pathMatchers(AUTH_WHITELIST).permitAll()
            .anyExchange().authenticated()
            .and()
            .httpBasic().disable()
            .formLogin().disable()
            .csrf().disable()
            .logout().disable();
    return http.build();
}
 
Example #13
Source File: SecurityConfiguration.java    From Learning-Spring-Boot-2.0-Second-Edition with MIT License 5 votes vote down vote up
/**
 * Builds a filter chain that requires an authenticated caller for every path.
 *
 * @param http the security builder (the {@code HttpSecurity} type used by this project)
 * @return the built filter chain
 */
@Bean
SecurityWebFilterChain springWebFilterChain(HttpSecurity http) {
	return http
		.authorizeExchange()
			// "/**" covers all paths, so no exchange is left unauthenticated by this rule set
			.pathMatchers("/**").authenticated()
			.and()
		.build();
}
 
Example #14
Source File: SecurityConfiguration.java    From cloud-security-xsuaa-integration with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a JWT resource-server filter chain in which {@code /v1/sayHello}
 * requires the {@code Read} authority.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
	// NOTE(review): this is the only authorization rule and there is no anyExchange()
	// catch-all. Exchanges that match no rule are presumably rejected by the framework
	// default -- confirm for the version in use, or state the intent explicitly.
	http.authorizeExchange()
			.pathMatchers("/v1/sayHello").hasAuthority("Read");

	// Tokens are decoded by the XSUAA decoder and mapped to authorities by the
	// converter from getJwtAuthenticationConverter(). The post-validation action
	// logs a fixed message only; no token content is written to the log.
	http.oauth2ResourceServer().jwt()
			.jwtAuthenticationConverter(getJwtAuthenticationConverter())
			.jwtDecoder(new XsuaaJwtDecoderBuilder(xsuaaServiceConfiguration)
					.withPostValidationActions(token -> logger.info("post validation action performed"))
					.buildAsReactive());

	return http.build();
}
 
Example #15
Source File: SecurityConfig.java    From spring-reactive-sample with GNU General Public License v3.0 5 votes vote down vote up
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
	return http
		.authorizeExchange()
			.pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
               .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
			//.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
			.anyExchange().authenticated()
			.and()
		.build();
}
 
Example #16
Source File: DemoApplication.java    From spring-reactive-sample with GNU General Public License v3.0 5 votes vote down vote up
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    return http
        .authorizeExchange()
        .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
        .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
        .pathMatchers("/posts/**").authenticated()
        //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
        .anyExchange().permitAll()
        .and()
        .build();
}
 
Example #17
Source File: SecurityConfiguration.java    From Learning-Spring-Boot-2.0-Second-Edition with MIT License 5 votes vote down vote up
/**
 * Builds a filter chain whose single rule requires authentication on all paths.
 *
 * @param http the security builder (the {@code HttpSecurity} type used by this project)
 * @return the built filter chain
 */
@Bean
SecurityWebFilterChain springWebFilterChain(HttpSecurity http) {
	return http
		.authorizeExchange()
		// the "/**" pattern matches every path, so nothing is left open
		.pathMatchers("/**").authenticated()
		.and()
		.build();
}
 
Example #18
Source File: SecurityConfiguration.java    From Learning-Spring-Boot-2.0-Second-Edition with MIT License 5 votes vote down vote up
@Bean
SecurityWebFilterChain springWebFilterChain() {
	return HttpSecurity.http()
		.securityContextRepository(
			new WebSessionSecurityContextRepository())
		.authorizeExchange()
			.anyExchange().authenticated()
			.and()
		.build();
}
 
Example #19
Source File: SecurityConfig.java    From spring-reactive-sample with GNU General Public License v3.0 5 votes vote down vote up
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    return http
        .authorizeExchange()
        .pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
        .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
        //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
        .anyExchange().authenticated()
        .and()
        .build();
}
 
Example #20
Source File: ResourceServerConfiguration.java    From microservices-platform with Apache License 2.0 5 votes vote down vote up
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    //认证处理器
    ReactiveAuthenticationManager customAuthenticationManager = new CustomAuthenticationManager(tokenStore);
    JsonAuthenticationEntryPoint entryPoint = new JsonAuthenticationEntryPoint();
    //token转换器
    ServerBearerTokenAuthenticationConverter tokenAuthenticationConverter = new ServerBearerTokenAuthenticationConverter();
    tokenAuthenticationConverter.setAllowUriQueryParameter(true);
    //oauth2认证过滤器
    AuthenticationWebFilter oauth2Filter = new AuthenticationWebFilter(customAuthenticationManager);
    oauth2Filter.setServerAuthenticationConverter(tokenAuthenticationConverter);
    oauth2Filter.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
    oauth2Filter.setAuthenticationSuccessHandler(new Oauth2AuthSuccessHandler());
    http.addFilterAt(oauth2Filter, SecurityWebFiltersOrder.AUTHENTICATION);

    ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange = http.authorizeExchange();
    if (securityProperties.getAuth().getHttpUrls().length > 0) {
        authorizeExchange.pathMatchers(securityProperties.getAuth().getHttpUrls()).authenticated();
    }
    if (securityProperties.getIgnore().getUrls().length > 0) {
        authorizeExchange.pathMatchers(securityProperties.getIgnore().getUrls()).permitAll();
    }
    authorizeExchange
            .pathMatchers(HttpMethod.OPTIONS).permitAll()
            .anyExchange()
                .access(permissionAuthManager)
            .and()
                .exceptionHandling()
                    .accessDeniedHandler(new JsonAccessDeniedHandler())
                    .authenticationEntryPoint(entryPoint)
            .and()
                .headers()
                    .frameOptions()
                    .disable()
            .and()
                .httpBasic().disable()
                .csrf().disable();
    return http.build();
}
 
Example #21
Source File: ReservationClientApplication.java    From training with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a filter chain with HTTP Basic authentication in which only
 * {@code /proxy} requires an authenticated caller.
 *
 * @param security the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
SecurityWebFilterChain authorization(ServerHttpSecurity security) {
	security.csrf().disable();
	security.httpBasic();

	// Default-open policy: every path other than /proxy is public.
	security.authorizeExchange()
		.pathMatchers("/proxy").authenticated()
		.anyExchange().permitAll();

	return security.build();
}
 
Example #22
Source File: TweetClientApplication.java    From reactive-spring-online-training with Apache License 2.0 5 votes vote down vote up
@Bean
SecurityWebFilterChain authorization(ServerHttpSecurity http) {
		http.httpBasic();
		http.csrf().disable();
		http
			.authorizeExchange()
			.pathMatchers("/proxy").authenticated()
			.anyExchange().permitAll();
		return http.build();
}
 
Example #23
Source File: SpringSecurityWebReactiveEndpointsBootstrap.java    From thinking-in-spring-boot-samples with Apache License 2.0 5 votes vote down vote up
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    return http.securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeExchange()
            .anyExchange()
            .hasRole("ENDPOINT_ADMIN")
            .and().httpBasic()
            .and().build();
}
 
Example #24
Source File: SecurityConfig.java    From spring-5-examples with MIT License 5 votes vote down vote up
/**
 * Authorization
 */

@Bean
SecurityWebFilterChain springWebFilterChain(HttpSecurity http) throws Exception {
  // Rules are listed from most specific to least specific; the first match decides.
  return http
      .authorizeExchange()
        // custom checks implemented by methods of this class (not shown here)
        .pathMatchers("/all/{usernamePathVariable}").access(this::currentUserMatchesRoleAndPath)
        .pathMatchers("/first").access(this::currentUserMatchesRole)
        // NOTE(review): hasRole(...) normally expects the role name without the "ROLE_"
        // prefix; the value of ROLE_ADMIN is not visible here -- confirm
        .pathMatchers("/**").hasRole(ROLE_ADMIN)
      // "/**" above already matches every path, so this catch-all looks unreachable
      .anyExchange().authenticated()
      .and()
      ////not necessary, already injected
      //.authenticationManager(reactiveAuthenticationManager(userDetailsRepository()))
      .build();
}
 
Example #25
Source File: SecurityConfig.java    From pivotal-bank-demo with Apache License 2.0 5 votes vote down vote up
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    return http
            .csrf().disable()
            .authorizeExchange()
            .anyExchange().permitAll()
            .and()
            .build();
}
 
Example #26
Source File: SpringBootActuatorEndpointsBootstrap.java    From thinking-in-spring-boot-samples with Apache License 2.0 5 votes vote down vote up
/**
 * Because this project depends on org.springframework.security:spring-security-web,
 * BASIC authentication has to be disabled explicitly.
 *
 * @param http {@link ServerHttpSecurity}
 * @return {@link SecurityWebFilterChain}
 */
@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    // The chain applies only to exchanges matched by EndpointRequest.toAnyEndpoint().
    http.securityMatcher(EndpointRequest.toAnyEndpoint());

    // disable BASIC authentication
    // NOTE(review): no authorizeExchange() rules are declared here, so as far as this
    // snippet shows the matched endpoints are served without any access check --
    // confirm they are not reachable from untrusted networks.
    http.httpBasic().disable();

    return http.build();
}
 
Example #27
Source File: SecurityConfig.java    From spring-reactive-sample with GNU General Public License v3.0 5 votes vote down vote up
/**
 * Builds a filter chain that requires an authenticated caller on every
 * exchange; the per-path rules are currently commented out.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
    http.authorizeExchange()
        // disabled per-path rules, kept for reference:
        //.pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
        //.pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
        //.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
        .anyExchange().authenticated();

    return http.build();
}
 
Example #28
Source File: TestSecurityConfiguration.java    From Hands-On-Reactive-Programming-in-Spring-5 with MIT License 5 votes vote down vote up
/**
 * Builds the primary filter chain: every exchange is permitted, form login is
 * enabled and CSRF protection is disabled.
 *
 * @param http the security builder supplied by Spring
 * @return the built filter chain
 */
@Bean
@Primary
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	// NOTE(review): permitAll() plus disabled CSRF removes all enforcement. Being
	// @Primary, this bean is preferred wherever a single chain is injected -- make
	// sure it cannot end up on a production classpath.
	http.authorizeExchange()
			.anyExchange().permitAll();

	http.formLogin();
	http.csrf().disable();

	return http.build();
}
 
Example #29
Source File: SecurityConfiguration.java    From Hands-On-Reactive-Programming-in-Spring-5 with MIT License 5 votes vote down vote up
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
			.authorizeExchange()
			.anyExchange().permitAll()
			.and()
			.formLogin();
	return http.build();
}
 
Example #30
Source File: DemoApplication.java    From spring-reactive-sample with GNU General Public License v3.0 5 votes vote down vote up
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
	return http
		.authorizeExchange()
			.pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
               .pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
			//.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
			.anyExchange().authenticated()
			.and()
		.build();
}