Reactive security provides complete WebFlux equivalents of servlet-based security for reactive applications using Spring WebFlux.
Defines a security filter chain for reactive applications.
package org.springframework.security.web.server;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
public interface SecurityWebFilterChain {
/**
* Determines if this filter chain applies to the exchange.
*
* @param exchange the server web exchange
* @return Mono<Boolean> indicating if chain matches
*/
Mono<Boolean> matches(ServerWebExchange exchange);
/**
* Returns the web filters to apply.
*
* @return Flux of WebFilter instances
*/
Flux<WebFilter> getWebFilters();
}WebFilter that implements the security filter chain for reactive applications.
package org.springframework.security.web.server;
import java.util.List;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class WebFilterChainProxy implements WebFilter {
/**
* Creates a filter chain proxy.
*
* @param filters the list of SecurityWebFilterChain instances
*/
public WebFilterChainProxy(List<SecurityWebFilterChain> filters);
/**
* Creates a filter chain proxy from varargs.
*/
public WebFilterChainProxy(SecurityWebFilterChain... filters);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
}Strategy for performing redirects in reactive applications.
package org.springframework.security.web.server;
import java.net.URI;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerRedirectStrategy {
/**
* Performs a redirect to the specified location.
*
* @param exchange the server web exchange
* @param location the URI to redirect to
* @return Mono<Void> to complete the redirect
*/
Mono<Void> sendRedirect(ServerWebExchange exchange, URI location);
}Default implementation of ServerRedirectStrategy.
package org.springframework.security.web.server;
import java.net.URI;
import org.springframework.http.HttpStatus;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class DefaultServerRedirectStrategy implements ServerRedirectStrategy {
/**
* Creates a redirect strategy with HTTP 302 (Found) status.
*/
public DefaultServerRedirectStrategy();
/**
* Sets the HTTP status for redirects.
*
* @param httpStatus the HTTP status code to use
*/
public void setHttpStatus(HttpStatus httpStatus);
/**
* Sets whether to use context-relative redirects.
*
* @param contextRelative true to make redirects context-relative
*/
public void setContextRelative(boolean contextRelative);
public Mono<Void> sendRedirect(ServerWebExchange exchange, URI location);
}Combines ServerWebExchange and WebFilterChain for reactive security filters.
package org.springframework.security.web.server.authentication;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
public class WebFilterExchange {
/**
* Creates a WebFilterExchange.
*
* @param exchange the server web exchange
* @param chain the web filter chain
*/
public WebFilterExchange(ServerWebExchange exchange, WebFilterChain chain);
/**
* Gets the ServerWebExchange.
*
* @return the server web exchange
*/
public ServerWebExchange getExchange();
/**
* Gets the WebFilterChain.
*
* @return the web filter chain
*/
public WebFilterChain getChain();
}Converts a ServerWebExchange to an Authentication.
package org.springframework.security.web.server.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerAuthenticationConverter {
/**
* Converts the exchange to an Authentication.
*
* @param exchange the server web exchange
* @return Mono<Authentication> or empty
*/
Mono<Authentication> convert(ServerWebExchange exchange);
}Converts form login credentials to an Authentication.
package org.springframework.security.web.server.authentication;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class ServerFormLoginAuthenticationConverter implements ServerAuthenticationConverter {
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
/**
* Creates a form login authentication converter.
*/
public ServerFormLoginAuthenticationConverter();
/**
* Sets the username parameter name.
*
* @param usernameParameter the username parameter name
*/
public void setUsernameParameter(String usernameParameter);
/**
* Sets the password parameter name.
*
* @param passwordParameter the password parameter name
*/
public void setPasswordParameter(String passwordParameter);
public Mono<Authentication> convert(ServerWebExchange exchange);
}Converts HTTP Basic authentication credentials to an Authentication.
package org.springframework.security.web.server.authentication;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class ServerHttpBasicAuthenticationConverter implements ServerAuthenticationConverter {
/**
* Creates an HTTP Basic authentication converter.
*/
public ServerHttpBasicAuthenticationConverter();
public Mono<Authentication> convert(ServerWebExchange exchange);
}Converts X.509 certificate to an Authentication (Since 5.2).
package org.springframework.security.web.server.authentication;
import org.springframework.security.authentication.X509AuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class ServerX509AuthenticationConverter implements ServerAuthenticationConverter {
/**
* Creates an X.509 authentication converter.
*/
public ServerX509AuthenticationConverter();
/**
* Sets the principal extractor for extracting the principal from the certificate.
*
* @param principalExtractor the principal extractor
*/
public void setPrincipalExtractor(java.util.function.Function<java.security.cert.X509Certificate, String> principalExtractor);
public Mono<Authentication> convert(ServerWebExchange exchange);
}Performs authentication in reactive applications.
package org.springframework.security.web.server.authentication;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class AuthenticationWebFilter implements WebFilter {
/**
* Creates an authentication web filter.
*
* @param authenticationManager the reactive authentication manager
*/
public AuthenticationWebFilter(ReactiveAuthenticationManager authenticationManager);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
/**
* Sets the authentication converter.
*/
public void setServerAuthenticationConverter(ServerAuthenticationConverter authenticationConverter);
/**
* Sets the authentication success handler.
*/
public void setAuthenticationSuccessHandler(
ServerAuthenticationSuccessHandler authenticationSuccessHandler);
/**
* Sets the authentication failure handler.
*/
public void setAuthenticationFailureHandler(
ServerAuthenticationFailureHandler authenticationFailureHandler);
/**
* Sets the security context repository.
*/
public void setSecurityContextRepository(ServerSecurityContextRepository securityContextRepository);
/**
* Sets the request matcher.
*/
public void setRequiresAuthenticationMatcher(ServerWebExchangeMatcher requiresAuthenticationMatcher);
}Handles successful authentication in reactive applications.
package org.springframework.security.web.server.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.WebFilterExchange;
import reactor.core.publisher.Mono;
public interface ServerAuthenticationSuccessHandler {
/**
* Called when authentication succeeds.
*
* @param webFilterExchange the web filter exchange containing the exchange and chain
* @param authentication the authenticated user
* @return Mono<Void> to complete
*/
Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange,
Authentication authentication);
}Handles failed authentication in reactive applications.
package org.springframework.security.web.server.authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerAuthenticationFailureHandler {
/**
* Called when authentication fails.
*
* @param webFilterExchange the web filter exchange
* @param exception the authentication exception
* @return Mono<Void> to complete
*/
Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange,
AuthenticationException exception);
}Redirects to a specified location on successful authentication.
package org.springframework.security.web.server.authentication;
import java.net.URI;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class RedirectServerAuthenticationSuccessHandler implements ServerAuthenticationSuccessHandler {
public static final String DEFAULT_LOCATION = "/";
/**
* Creates a handler that redirects to default location (/).
*/
public RedirectServerAuthenticationSuccessHandler();
/**
* Creates a handler that redirects to the specified location.
*
* @param location the redirect location
*/
public RedirectServerAuthenticationSuccessHandler(String location);
/**
* Sets the redirect location.
*
* @param location the redirect location
*/
public void setLocation(URI location);
public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange,
Authentication authentication);
}Redirects to a specified location on failed authentication.
package org.springframework.security.web.server.authentication;
import java.net.URI;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.WebFilterExchange;
import reactor.core.publisher.Mono;
public class RedirectServerAuthenticationFailureHandler implements ServerAuthenticationFailureHandler {
public static final String DEFAULT_FAILURE_URL = "/login?error";
/**
* Creates a handler that redirects to default failure URL.
*/
public RedirectServerAuthenticationFailureHandler();
/**
* Creates a handler that redirects to the specified location.
*
* @param location the redirect location
*/
public RedirectServerAuthenticationFailureHandler(String location);
/**
* Sets the redirect location.
*
* @param location the redirect location
*/
public void setLocation(URI location);
public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange,
AuthenticationException exception);
}Continues the filter chain on successful authentication.
package org.springframework.security.web.server.authentication;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.WebFilterExchange;
import reactor.core.publisher.Mono;
public class WebFilterChainServerAuthenticationSuccessHandler implements ServerAuthenticationSuccessHandler {
/**
* Creates a handler that continues the filter chain.
*/
public WebFilterChainServerAuthenticationSuccessHandler();
public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange,
Authentication authentication);
}Delegates to multiple ServerAuthenticationSuccessHandler instances (Since 5.2).
package org.springframework.security.web.server.authentication;
import java.util.List;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.WebFilterExchange;
import reactor.core.publisher.Mono;
public class DelegatingServerAuthenticationSuccessHandler implements ServerAuthenticationSuccessHandler {
/**
* Creates a delegating handler.
*
* @param delegates the list of success handlers to delegate to
*/
public DelegatingServerAuthenticationSuccessHandler(
ServerAuthenticationSuccessHandler... delegates);
/**
* Creates a delegating handler from a list.
*
* @param delegates the list of success handlers
*/
public DelegatingServerAuthenticationSuccessHandler(
List<ServerAuthenticationSuccessHandler> delegates);
public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange,
Authentication authentication);
}Delegates authentication failures to a ServerAuthenticationEntryPoint.
package org.springframework.security.web.server.authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.WebFilterExchange;
import reactor.core.publisher.Mono;
public class ServerAuthenticationEntryPointFailureHandler implements ServerAuthenticationFailureHandler {
/**
* Creates a failure handler that delegates to an entry point.
*
* @param authenticationEntryPoint the entry point to delegate to
*/
public ServerAuthenticationEntryPointFailureHandler(
ServerAuthenticationEntryPoint authenticationEntryPoint);
public Mono<Void> onAuthenticationFailure(WebFilterExchange webFilterExchange,
AuthenticationException exception);
}Commences an authentication scheme in reactive applications.
package org.springframework.security.web.server;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerAuthenticationEntryPoint {
/**
* Commences an authentication scheme.
*
* @param exchange the server web exchange
* @param authException the authentication exception
* @return Mono<Void> to complete
*/
Mono<Void> commence(ServerWebExchange exchange, AuthenticationException authException);
}Redirects to a specified location to commence authentication.
package org.springframework.security.web.server.authentication;
import java.net.URI;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class RedirectServerAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
/**
* Creates an entry point that redirects to the specified location.
*
* @param location the redirect location
*/
public RedirectServerAuthenticationEntryPoint(String location);
/**
* Sets the redirect location.
*
* @param location the redirect location
*/
public void setLocation(URI location);
public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException authException);
}Returns a specific HTTP status code to commence authentication (Since 5.2).
package org.springframework.security.web.server.authentication;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class HttpStatusServerEntryPoint implements ServerAuthenticationEntryPoint {
/**
* Creates an entry point that returns the specified HTTP status.
*
* @param httpStatus the HTTP status to return
*/
public HttpStatusServerEntryPoint(HttpStatus httpStatus);
public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException authException);
}Commences HTTP Basic authentication.
package org.springframework.security.web.server.authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class HttpBasicServerAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
/**
* Creates an HTTP Basic authentication entry point.
*/
public HttpBasicServerAuthenticationEntryPoint();
/**
* Sets the realm name for the WWW-Authenticate header.
*
* @param realm the realm name
*/
public void setRealm(String realm);
public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException authException);
}Delegates to different entry points based on request matchers.
package org.springframework.security.web.server.authentication;
import java.util.List;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class DelegatingServerAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
/**
* Entry point with associated matcher.
*/
public static class DelegateEntry {
/**
* Creates a delegate entry.
*
* @param matcher the request matcher
* @param entryPoint the entry point to delegate to
*/
public DelegateEntry(ServerWebExchangeMatcher matcher,
ServerAuthenticationEntryPoint entryPoint);
public ServerWebExchangeMatcher getMatcher();
public ServerAuthenticationEntryPoint getEntryPoint();
}
/**
* Creates a delegating entry point.
*
* @param entryPoints the list of delegate entries
*/
public DelegatingServerAuthenticationEntryPoint(List<DelegateEntry> entryPoints);
/**
* Creates a delegating entry point with a default entry point.
*
* @param entryPoints the list of delegate entries
*/
public DelegatingServerAuthenticationEntryPoint(DelegateEntry... entryPoints);
/**
* Sets the default entry point if no matcher matches.
*
* @param defaultEntryPoint the default entry point
*/
public void setDefaultEntryPoint(ServerAuthenticationEntryPoint defaultEntryPoint);
public Mono<Void> commence(ServerWebExchange exchange, AuthenticationException authException);
}Reactive authorization filter.
package org.springframework.security.web.server.authorization;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class AuthorizationWebFilter implements WebFilter {
/**
* Creates an authorization web filter.
*
* @param accessDecisionManager the authorization manager
*/
public AuthorizationWebFilter(
ReactiveAuthorizationManager<AuthorizationContext> accessDecisionManager);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
}Provides context for authorization decisions in reactive applications.
package org.springframework.security.web.server.authorization;
import java.util.Map;
import org.springframework.web.server.ServerWebExchange;
public class AuthorizationContext {
/**
* Creates an authorization context.
*
* @param exchange the server web exchange
*/
public AuthorizationContext(ServerWebExchange exchange);
/**
* Creates an authorization context with variables.
*
* @param exchange the server web exchange
* @param variables the variables extracted from the exchange
*/
public AuthorizationContext(ServerWebExchange exchange, Map<String, Object> variables);
/**
* Gets the ServerWebExchange.
*
* @return the server web exchange
*/
public ServerWebExchange getExchange();
/**
* Gets the variables extracted from the exchange.
*
* @return the variables map
*/
public Map<String, Object> getVariables();
}Handles access denied in reactive applications.
package org.springframework.security.web.server.authorization;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerAccessDeniedHandler {
/**
* Handles access denied.
*
* @param exchange the server web exchange
* @param denied the access denied exception
* @return Mono<Void> to complete
*/
Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied);
}Returns HTTP status on access denied.
package org.springframework.security.web.server.authorization;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class HttpStatusServerAccessDeniedHandler implements ServerAccessDeniedHandler {
/**
* Creates a handler with HTTP 403 Forbidden.
*/
public HttpStatusServerAccessDeniedHandler();
/**
* Creates a handler with custom HTTP status.
*/
public HttpStatusServerAccessDeniedHandler(HttpStatus httpStatus);
public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied);
}Handles exceptions in reactive security.
package org.springframework.security.web.server.authorization;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class ExceptionTranslationWebFilter implements WebFilter {
/**
* Creates an exception translation filter.
*
* @param authenticationEntryPoint the entry point
*/
public ExceptionTranslationWebFilter(ServerAuthenticationEntryPoint authenticationEntryPoint);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
/**
* Sets the access denied handler.
*/
public void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler);
}Manages security context in reactive applications.
package org.springframework.security.web.server.context;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerSecurityContextRepository {
/**
* Saves the security context.
*
* @param exchange the server web exchange
* @param context the security context
* @return Mono<Void> to complete
*/
Mono<Void> save(ServerWebExchange exchange, SecurityContext context);
/**
* Loads the security context.
*
* @param exchange the server web exchange
* @return Mono<SecurityContext>
*/
Mono<SecurityContext> load(ServerWebExchange exchange);
}Stores security context in web session.
package org.springframework.security.web.server.context;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class WebSessionServerSecurityContextRepository implements ServerSecurityContextRepository {
public static final String DEFAULT_SPRING_SECURITY_CONTEXT_ATTR_NAME =
"SPRING_SECURITY_CONTEXT";
public WebSessionServerSecurityContextRepository();
public Mono<Void> save(ServerWebExchange exchange, SecurityContext context);
public Mono<SecurityContext> load(ServerWebExchange exchange);
/**
* Sets the session attribute name.
*/
public void setSpringSecurityContextAttrName(String springSecurityContextAttrName);
}Does not persist security context (stateless).
package org.springframework.security.web.server.context;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class NoOpServerSecurityContextRepository implements ServerSecurityContextRepository {
public static final NoOpServerSecurityContextRepository INSTANCE =
new NoOpServerSecurityContextRepository();
public Mono<Void> save(ServerWebExchange exchange, SecurityContext context);
public Mono<SecurityContext> load(ServerWebExchange exchange);
}Loads and saves security context for reactive applications.
package org.springframework.security.web.server.context;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class SecurityContextServerWebExchangeWebFilter implements WebFilter {
/**
* Creates a filter with the given repository.
*/
public SecurityContextServerWebExchangeWebFilter(
ServerSecurityContextRepository repository);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
}Populates the Reactor Context with the SecurityContext (Since 5.2).
package org.springframework.security.web.server.context;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class ReactorContextWebFilter implements WebFilter {
/**
* Creates a filter with the given repository.
*
* @param repository the security context repository
*/
public ReactorContextWebFilter(ServerSecurityContextRepository repository);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
}Manages CSRF tokens in reactive applications.
package org.springframework.security.web.server.csrf;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerCsrfTokenRepository {
/**
* Generates a CSRF token.
*
* @param exchange the server web exchange
* @return Mono<CsrfToken>
*/
Mono<CsrfToken> generateToken(ServerWebExchange exchange);
/**
* Saves a CSRF token.
*
* @param exchange the server web exchange
* @param token the CSRF token
* @return Mono<Void> to complete
*/
Mono<Void> saveToken(ServerWebExchange exchange, CsrfToken token);
/**
* Loads a CSRF token.
*
* @param exchange the server web exchange
* @return Mono<CsrfToken>
*/
Mono<CsrfToken> loadToken(ServerWebExchange exchange);
}Stores CSRF tokens in web session.
package org.springframework.security.web.server.csrf;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class WebSessionServerCsrfTokenRepository implements ServerCsrfTokenRepository {
public static final String DEFAULT_CSRF_PARAMETER_NAME = "_csrf";
public static final String DEFAULT_CSRF_HEADER_NAME = "X-CSRF-TOKEN";
public WebSessionServerCsrfTokenRepository();
public Mono<CsrfToken> generateToken(ServerWebExchange exchange);
public Mono<Void> saveToken(ServerWebExchange exchange, CsrfToken token);
public Mono<CsrfToken> loadToken(ServerWebExchange exchange);
public void setParameterName(String parameterName);
public void setHeaderName(String headerName);
public void setSessionAttributeName(String sessionAttributeName);
}Stores CSRF tokens in cookies (Since 5.1).
package org.springframework.security.web.server.csrf;
import org.springframework.http.ResponseCookie;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class CookieServerCsrfTokenRepository implements ServerCsrfTokenRepository {
public static final String DEFAULT_CSRF_COOKIE_NAME = "XSRF-TOKEN";
public static final String DEFAULT_CSRF_PARAMETER_NAME = "_csrf";
public static final String DEFAULT_CSRF_HEADER_NAME = "X-XSRF-TOKEN";
/**
* Creates a cookie-based CSRF token repository.
*/
public CookieServerCsrfTokenRepository();
/**
* Factory method to create an instance with defaults.
*
* @return a new CookieServerCsrfTokenRepository
*/
public static CookieServerCsrfTokenRepository withHttpOnlyFalse();
public Mono<CsrfToken> generateToken(ServerWebExchange exchange);
public Mono<Void> saveToken(ServerWebExchange exchange, CsrfToken token);
public Mono<CsrfToken> loadToken(ServerWebExchange exchange);
/**
* Sets the name of the cookie to use.
*
* @param cookieName the cookie name
*/
public void setCookieName(String cookieName);
/**
* Sets the parameter name for CSRF token.
*
* @param parameterName the parameter name
*/
public void setParameterName(String parameterName);
/**
* Sets the header name for CSRF token.
*
* @param headerName the header name
*/
public void setHeaderName(String headerName);
/**
* Sets the cookie customizer for additional cookie configuration.
*
* @param cookieCustomizer the cookie customizer function
*/
public void setCookieCustomizer(java.util.function.Consumer<ResponseCookie.ResponseCookieBuilder> cookieCustomizer);
}Handles CSRF token resolution and validation (Since 5.8).
package org.springframework.security.web.server.csrf;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerCsrfTokenRequestHandler {
/**
* Handles the CSRF token for the request.
*
* @param exchange the server web exchange
* @param csrfToken the CSRF token
* @return Mono<Void> to complete
*/
Mono<Void> handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken);
/**
* Resolves the CSRF token value from the request.
*
* @param exchange the server web exchange
* @return Mono<String> containing the token value
*/
Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken);
}Applies CSRF protection in reactive applications.
package org.springframework.security.web.server.csrf;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class CsrfWebFilter implements WebFilter {
/**
* Creates a CSRF web filter.
*/
public CsrfWebFilter();
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
/**
* Sets the CSRF token repository.
*/
public void setCsrfTokenRepository(ServerCsrfTokenRepository csrfTokenRepository);
/**
* Sets the access denied handler.
*/
public void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler);
/**
* Sets the request matcher for protected requests.
*/
public void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsrfProtectionMatcher);
/**
* Sets the request handler for CSRF tokens.
*/
public void setRequestHandler(ServerCsrfTokenRequestHandler requestHandler);
}Clears CSRF token on logout.
package org.springframework.security.web.server.csrf;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class CsrfServerLogoutHandler implements ServerLogoutHandler {
/**
* Creates a CSRF logout handler with the given repository.
*
* @param csrfTokenRepository the CSRF token repository
*/
public CsrfServerLogoutHandler(ServerCsrfTokenRepository csrfTokenRepository);
public Mono<Void> logout(ServerWebExchange exchange, Authentication authentication);
}Handles logout operations in reactive applications.
package org.springframework.security.web.server.authentication.logout;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerLogoutHandler {
/**
* Called to perform logout.
*
* @param exchange the server web exchange
* @param authentication the authentication
* @return Mono<Void> to complete
*/
Mono<Void> logout(ServerWebExchange exchange, Authentication authentication);
}Clears security context on logout.
package org.springframework.security.web.server.authentication.logout;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class SecurityContextServerLogoutHandler implements ServerLogoutHandler {
public SecurityContextServerLogoutHandler();
public Mono<Void> logout(ServerWebExchange exchange, Authentication authentication);
}Invalidates the web session on logout.
package org.springframework.security.web.server.authentication.logout;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class WebSessionServerLogoutHandler implements ServerLogoutHandler {
/**
* Creates a web session logout handler.
*/
public WebSessionServerLogoutHandler();
public Mono<Void> logout(ServerWebExchange exchange, Authentication authentication);
}Delegates to multiple ServerLogoutHandler instances (Since 5.1).
package org.springframework.security.web.server.authentication.logout;
import java.util.List;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class DelegatingServerLogoutHandler implements ServerLogoutHandler {
/**
* Creates a delegating logout handler.
*
* @param delegates the logout handlers to delegate to
*/
public DelegatingServerLogoutHandler(ServerLogoutHandler... delegates);
/**
* Creates a delegating logout handler from a list.
*
* @param delegates the list of logout handlers
*/
public DelegatingServerLogoutHandler(List<ServerLogoutHandler> delegates);
public Mono<Void> logout(ServerWebExchange exchange, Authentication authentication);
}Handles successful logout in reactive applications.
package org.springframework.security.web.server.authentication.logout;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerLogoutSuccessHandler {
/**
* Called when logout succeeds.
*
* @param exchange the server web exchange
* @param authentication the authentication
* @return Mono<Void> to complete
*/
Mono<Void> onLogoutSuccess(ServerWebExchange exchange, Authentication authentication);
}Redirects to a specified location on successful logout.
package org.springframework.security.web.server.authentication.logout;
import java.net.URI;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class RedirectServerLogoutSuccessHandler implements ServerLogoutSuccessHandler {
public static final String DEFAULT_LOGOUT_SUCCESS_URL = "/login?logout";
/**
* Creates a handler that redirects to default logout success URL.
*/
public RedirectServerLogoutSuccessHandler();
/**
* Sets the logout success URL.
*
* @param logoutSuccessUrl the logout success URL
*/
public void setLogoutSuccessUrl(URI logoutSuccessUrl);
public Mono<Void> onLogoutSuccess(ServerWebExchange exchange, Authentication authentication);
}Returns a specific HTTP status on successful logout (Since 5.1).
package org.springframework.security.web.server.authentication.logout;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class HttpStatusReturningServerLogoutSuccessHandler implements ServerLogoutSuccessHandler {
/**
* Creates a handler that returns HTTP 200 OK.
*/
public HttpStatusReturningServerLogoutSuccessHandler();
/**
* Creates a handler that returns the specified HTTP status.
*
* @param httpStatus the HTTP status to return
*/
public HttpStatusReturningServerLogoutSuccessHandler(HttpStatus httpStatus);
public Mono<Void> onLogoutSuccess(ServerWebExchange exchange, Authentication authentication);
}Processes logout requests in reactive applications.
package org.springframework.security.web.server.authentication.logout;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class LogoutWebFilter implements WebFilter {
/**
* Creates a logout web filter.
*/
public LogoutWebFilter();
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
/**
* Sets the logout handler.
*/
public void setLogoutHandler(ServerLogoutHandler logoutHandler);
/**
* Sets the logout success handler.
*/
public void setLogoutSuccessHandler(ServerLogoutSuccessHandler logoutSuccessHandler);
/**
* Sets the request matcher for logout.
*/
public void setRequiresLogoutMatcher(ServerWebExchangeMatcher requiresLogoutMatcher);
}Matches server web exchanges in reactive applications.
package org.springframework.security.web.server.util.matcher;
import java.util.Map;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerWebExchangeMatcher {
/**
* Determines if the exchange matches.
*
* @param exchange the server web exchange
* @return Mono<MatchResult>
*/
Mono<MatchResult> matches(ServerWebExchange exchange);
/**
* Result of a match operation.
*/
interface MatchResult {
boolean isMatch();
Map<String, Object> getVariables();
static MatchResult match();
static MatchResult match(Map<String, Object> variables);
static MatchResult notMatch();
}
}Associates a ServerWebExchangeMatcher with a value for delegating operations.
package org.springframework.security.web.server.util.matcher;
public final class ServerWebExchangeMatcherEntry<T> {
/**
* Creates a server web exchange matcher entry.
*
* @param matcher the server web exchange matcher
* @param entry the associated value
*/
public ServerWebExchangeMatcherEntry(ServerWebExchangeMatcher matcher, T entry);
/**
* Gets the server web exchange matcher.
*
* @return the matcher
*/
public ServerWebExchangeMatcher getMatcher();
/**
* Gets the associated entry value.
*
* @return the entry value
*/
public T getEntry();
}Matches using path patterns.
package org.springframework.security.web.server.util.matcher;
import org.springframework.http.HttpMethod;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public final class PathPatternParserServerWebExchangeMatcher implements ServerWebExchangeMatcher {
/**
* Creates a matcher for any HTTP method.
*/
public PathPatternParserServerWebExchangeMatcher(String pattern);
/**
* Creates a matcher for specific HTTP method.
*/
public PathPatternParserServerWebExchangeMatcher(String pattern, HttpMethod httpMethod);
public Mono<MatchResult> matches(ServerWebExchange exchange);
}Matches if all delegate matchers match.
package org.springframework.security.web.server.util.matcher;
import java.util.List;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class AndServerWebExchangeMatcher implements ServerWebExchangeMatcher {
/**
* Creates an AND matcher.
*
* @param matchers the list of matchers
*/
public AndServerWebExchangeMatcher(List<ServerWebExchangeMatcher> matchers);
/**
* Creates an AND matcher from varargs.
*/
public AndServerWebExchangeMatcher(ServerWebExchangeMatcher... matchers);
public Mono<MatchResult> matches(ServerWebExchange exchange);
}Matches if any delegate matcher matches.
package org.springframework.security.web.server.util.matcher;
import java.util.List;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class OrServerWebExchangeMatcher implements ServerWebExchangeMatcher {
/**
* Creates an OR matcher.
*
* @param matchers the list of matchers
*/
public OrServerWebExchangeMatcher(List<ServerWebExchangeMatcher> matchers);
/**
* Creates an OR matcher from varargs.
*/
public OrServerWebExchangeMatcher(ServerWebExchangeMatcher... matchers);
public Mono<MatchResult> matches(ServerWebExchange exchange);
}Negates the result of another matcher.
package org.springframework.security.web.server.util.matcher;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class NegatedServerWebExchangeMatcher implements ServerWebExchangeMatcher {
/**
* Creates a negated matcher.
*
* @param matcher the matcher to negate
*/
public NegatedServerWebExchangeMatcher(ServerWebExchangeMatcher matcher);
public Mono<MatchResult> matches(ServerWebExchange exchange);
}Matches requests based on Accept or Content-Type headers.
package org.springframework.security.web.server.util.matcher;
import java.util.Set;
import org.springframework.http.MediaType;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class MediaTypeServerWebExchangeMatcher implements ServerWebExchangeMatcher {
/**
* Creates a matcher for media types.
*
* @param mediaTypes the media types to match
*/
public MediaTypeServerWebExchangeMatcher(MediaType... mediaTypes);
public Mono<MatchResult> matches(ServerWebExchange exchange);
/**
* Sets media types to ignore during matching.
*
* @param ignoredMediaTypes the media types to ignore
*/
public void setIgnoredMediaTypes(Set<MediaType> ignoredMediaTypes);
/**
* Sets whether to use equals for comparison (default: false).
*
* @param useEquals true to use equals comparison
*/
public void setUseEquals(boolean useEquals);
}Caches requests for later retrieval in reactive applications.
package org.springframework.security.web.server.savedrequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerRequestCache {
/**
* Saves the current request.
*
* @param exchange the server web exchange
* @return Mono<Void> to complete
*/
Mono<Void> saveRequest(ServerWebExchange exchange);
/**
* Gets the saved request.
*
* @param exchange the server web exchange
* @return Mono containing the saved request URI
*/
Mono<java.net.URI> getRedirectUri(ServerWebExchange exchange);
/**
* Removes the saved request.
*
* @param exchange the server web exchange
* @return Mono<Void> to complete
*/
Mono<Void> removeMatchingRequest(ServerWebExchange exchange);
}Stores saved requests in web session.
package org.springframework.security.web.server.savedrequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class WebSessionServerRequestCache implements ServerRequestCache {
/**
* Creates a web session request cache.
*/
public WebSessionServerRequestCache();
public Mono<Void> saveRequest(ServerWebExchange exchange);
public Mono<java.net.URI> getRedirectUri(ServerWebExchange exchange);
public Mono<Void> removeMatchingRequest(ServerWebExchange exchange);
/**
* Sets the session attribute name.
*
* @param sessionAttrName the session attribute name
*/
public void setSessionAttrName(String sessionAttrName);
}Stores saved requests in cookies (Since 5.1).
package org.springframework.security.web.server.savedrequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class CookieServerRequestCache implements ServerRequestCache {
/**
* Creates a cookie-based request cache.
*/
public CookieServerRequestCache();
public Mono<Void> saveRequest(ServerWebExchange exchange);
public Mono<java.net.URI> getRedirectUri(ServerWebExchange exchange);
public Mono<Void> removeMatchingRequest(ServerWebExchange exchange);
}Filter that saves requests using a ServerRequestCache.
package org.springframework.security.web.server.savedrequest;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class ServerRequestCacheWebFilter implements WebFilter {
/**
* Creates a filter with the given request cache.
*
* @param requestCache the server request cache
*/
public ServerRequestCacheWebFilter(ServerRequestCache requestCache);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
}Interface for writing HTTP security headers in reactive applications.
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerHttpHeadersWriter {
/**
* Writes headers to the response.
*
* @param exchange the server web exchange
* @return Mono<Void> to complete
*/
Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
}WebFilter that applies ServerHttpHeadersWriter instances.
package org.springframework.security.web.server.header;
import java.util.List;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class HttpHeaderWriterWebFilter implements WebFilter {
/**
* Creates a filter with the given header writers.
*
* @param writers the list of header writers
*/
public HttpHeaderWriterWebFilter(List<ServerHttpHeadersWriter> writers);
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
}Writes static HTTP headers to the response.
package org.springframework.security.web.server.header;
import org.springframework.http.HttpHeaders;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class StaticServerHttpHeadersWriter implements ServerHttpHeadersWriter {
/**
* Creates a static header writer.
*
* @param headerName the header name
* @param headerValues the header values
*/
public StaticServerHttpHeadersWriter(String headerName, String... headerValues);
/**
* Creates a static header writer from HttpHeaders.
*
* @param headers the HTTP headers
*/
public StaticServerHttpHeadersWriter(HttpHeaders headers);
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
}Writes X-Content-Type-Options header to prevent MIME sniffing.
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class ContentTypeOptionsServerHttpHeadersWriter implements ServerHttpHeadersWriter {
/**
* Creates a content type options header writer.
*/
public ContentTypeOptionsServerHttpHeadersWriter();
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
}Writes X-Frame-Options header to prevent clickjacking.
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class XFrameOptionsServerHttpHeadersWriter implements ServerHttpHeadersWriter {
/**
* Mode for X-Frame-Options header.
*/
public enum Mode {
DENY,
SAMEORIGIN
}
/**
* Creates an X-Frame-Options header writer with DENY mode.
*/
public XFrameOptionsServerHttpHeadersWriter();
/**
* Creates an X-Frame-Options header writer with the specified mode.
*
* @param mode the X-Frame-Options mode
*/
public XFrameOptionsServerHttpHeadersWriter(Mode mode);
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
/**
* Sets the X-Frame-Options mode.
*
* @param mode the mode
*/
public void setMode(Mode mode);
}Writes X-XSS-Protection header.
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class XXssProtectionServerHttpHeadersWriter implements ServerHttpHeadersWriter {
/**
* Creates an X-XSS-Protection header writer.
*/
public XXssProtectionServerHttpHeadersWriter();
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
/**
* Sets whether XSS protection is enabled (default: true).
*
* @param enabled true to enable XSS protection
*/
public void setEnabled(boolean enabled);
/**
* Sets whether to use block mode (default: true).
*
* @param block true to enable block mode
*/
public void setBlock(boolean block);
}Combines multiple ServerHttpHeadersWriter instances into a single instance (since 5.0).
package org.springframework.security.web.server.header;
import java.util.List;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class CompositeServerHttpHeadersWriter implements ServerHttpHeadersWriter {
/**
* Creates a composite header writer from varargs.
*
* @param writers the header writers to combine
*/
public CompositeServerHttpHeadersWriter(ServerHttpHeadersWriter... writers);
/**
* Creates a composite header writer from a list.
*
* @param writers the list of header writers
*/
public CompositeServerHttpHeadersWriter(List<ServerHttpHeadersWriter> writers);
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
}Writes Clear-Site-Data header when the request is secure (since 5.2).
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public final class ClearSiteDataServerHttpHeadersWriter implements ServerHttpHeadersWriter {
public static final String CLEAR_SITE_DATA_HEADER = "Clear-Site-Data";
/**
* Directive values for Clear-Site-Data header.
*/
public enum Directive {
CACHE,
COOKIES,
STORAGE,
EXECUTION_CONTEXTS,
ALL
}
/**
* Creates a Clear-Site-Data header writer with the specified directives.
*
* @param directives the directives to include
*/
public ClearSiteDataServerHttpHeadersWriter(Directive... directives);
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
}Writes Permissions-Policy header with configured policy directives (since 5.5).
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public final class PermissionsPolicyServerHttpHeadersWriter implements ServerHttpHeadersWriter {
public static final String PERMISSIONS_POLICY = "Permissions-Policy";
/**
* Creates a Permissions-Policy header writer.
*/
public PermissionsPolicyServerHttpHeadersWriter();
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
/**
* Sets the policy to be used in the response header.
*
* @param policy the policy directives string
*/
public void setPolicy(String policy);
}Writes Referrer-Policy header (since 5.1).
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public final class ReferrerPolicyServerHttpHeadersWriter implements ServerHttpHeadersWriter {
public static final String REFERRER_POLICY = "Referrer-Policy";
/**
* Referrer policy values.
*/
public enum ReferrerPolicy {
NO_REFERRER,
NO_REFERRER_WHEN_DOWNGRADE,
SAME_ORIGIN,
ORIGIN,
STRICT_ORIGIN,
ORIGIN_WHEN_CROSS_ORIGIN,
STRICT_ORIGIN_WHEN_CROSS_ORIGIN,
UNSAFE_URL
}
/**
* Creates a Referrer-Policy header writer with NO_REFERRER default.
*/
public ReferrerPolicyServerHttpHeadersWriter();
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
/**
* Sets the referrer policy.
*
* @param policy the policy
*/
public void setPolicy(ReferrerPolicy policy);
}Writes Cross-Origin-Resource-Policy (CORP) header (since 5.7).
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public final class CrossOriginResourcePolicyServerHttpHeadersWriter implements ServerHttpHeadersWriter {
/**
* CORP policy values.
*/
public enum CrossOriginResourcePolicy {
SAME_SITE,
SAME_ORIGIN,
CROSS_ORIGIN
}
/**
* Creates a CORP header writer.
*/
public CrossOriginResourcePolicyServerHttpHeadersWriter();
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
/**
* Sets the policy.
*
* @param policy the policy
*/
public void setPolicy(CrossOriginResourcePolicy policy);
}Writes Cross-Origin-Opener-Policy (COOP) header (since 5.7).
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public final class CrossOriginOpenerPolicyServerHttpHeadersWriter implements ServerHttpHeadersWriter {
/**
* COOP policy values.
*/
public enum CrossOriginOpenerPolicy {
UNSAFE_NONE,
SAME_ORIGIN_ALLOW_POPUPS,
SAME_ORIGIN
}
/**
* Creates a COOP header writer.
*/
public CrossOriginOpenerPolicyServerHttpHeadersWriter();
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
/**
* Sets the policy.
*
* @param policy the policy
*/
public void setPolicy(CrossOriginOpenerPolicy policy);
}Writes Cross-Origin-Embedder-Policy (COEP) header (since 5.7).
package org.springframework.security.web.server.header;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public final class CrossOriginEmbedderPolicyServerHttpHeadersWriter implements ServerHttpHeadersWriter {
/**
* COEP policy values.
*/
public enum CrossOriginEmbedderPolicy {
UNSAFE_NONE,
REQUIRE_CORP,
CREDENTIALLESS
}
/**
* Creates a COEP header writer.
*/
public CrossOriginEmbedderPolicyServerHttpHeadersWriter();
public Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
/**
* Sets the policy.
*
* @param policy the policy
*/
public void setPolicy(CrossOriginEmbedderPolicy policy);
}Generates a default login page for reactive applications.
package org.springframework.security.web.server.ui;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class LoginPageGeneratingWebFilter implements WebFilter {
/**
* Creates a login page generating filter.
*/
public LoginPageGeneratingWebFilter();
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
/**
* Sets whether form login is enabled.
*
* @param formLoginEnabled true to enable form login
*/
public void setFormLoginEnabled(boolean formLoginEnabled);
/**
* Sets whether OAuth2 login is enabled.
*
* @param oauth2AuthenticationEnabled true to enable OAuth2 login
*/
public void setOauth2AuthenticationEnabled(boolean oauth2AuthenticationEnabled);
}Generates a default logout page for reactive applications.
package org.springframework.security.web.server.ui;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
public class LogoutPageGeneratingWebFilter implements WebFilter {
/**
* Creates a logout page generating filter.
*/
public LogoutPageGeneratingWebFilter();
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain);
}Resolves one-time token generation requests in reactive applications (Since 6.4).
package org.springframework.security.web.server.authentication.ott;
import org.springframework.security.authentication.ott.GenerateOneTimeTokenRequest;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerGenerateOneTimeTokenRequestResolver {
/**
* Resolves a one-time token generation request.
*
* @param exchange the server web exchange
* @return Mono<GenerateOneTimeTokenRequest> or empty
* @since 6.4
*/
Mono<GenerateOneTimeTokenRequest> resolve(ServerWebExchange exchange);
}Handles successful one-time token generation in reactive applications (Since 6.4).
package org.springframework.security.web.server.authentication.ott;
import org.springframework.security.authentication.ott.OneTimeToken;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerOneTimeTokenGenerationSuccessHandler {
/**
* Handles generated one-time tokens.
*
* @param exchange the server web exchange
* @param oneTimeToken the generated token
* @return Mono<Void> to complete
* @since 6.4
*/
Mono<Void> handle(ServerWebExchange exchange, OneTimeToken oneTimeToken);
}Validates and sanitizes server web exchanges (Since 5.1).
package org.springframework.security.web.server.firewall;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public interface ServerWebExchangeFirewall {
/**
* Validates and potentially modifies the exchange.
*
* @param exchange the server web exchange
* @return Mono containing the validated exchange
*/
Mono<ServerWebExchange> getFirewalledExchange(ServerWebExchange exchange);
}Strict firewall implementation that validates requests (Since 5.1).
package org.springframework.security.web.server.firewall;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewall {
/**
* Creates a strict firewall with default settings.
*/
public StrictServerWebExchangeFirewall();
public Mono<ServerWebExchange> getFirewalledExchange(ServerWebExchange exchange);
/**
* Sets whether to allow encoded slashes in URLs.
*
* @param allowEncodedSlash true to allow encoded slashes
*/
public void setAllowEncodedSlash(boolean allowEncodedSlash);
/**
* Sets whether to allow backslash in URLs.
*
* @param allowBackSlash true to allow backslash
*/
public void setAllowBackSlash(boolean allowBackSlash);
/**
* Sets whether to allow null characters in URLs.
*
* @param allowNull true to allow null characters
*/
public void setAllowNull(boolean allowNull);
/**
* Sets whether to allow semicolons in URLs.
*
* @param allowSemicolon true to allow semicolons
*/
public void setAllowSemicolon(boolean allowSemicolon);
/**
* Sets whether to allow URL encoded percent in URLs.
*
* @param allowUrlEncodedPercent true to allow encoded percent
*/
public void setAllowUrlEncodedPercent(boolean allowUrlEncodedPercent);
}Exception thrown when a server exchange is rejected by the firewall (Since 5.1).
package org.springframework.security.web.server.firewall;
public class ServerExchangeRejectedException extends RuntimeException {
/**
* Creates an exception with a message.
*
* @param message the error message
*/
public ServerExchangeRejectedException(String message);
/**
* Creates an exception with a message and cause.
*
* @param message the error message
* @param cause the cause
*/
public ServerExchangeRejectedException(String message, Throwable cause);
}import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
@Configuration
public class ReactiveSecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http
.authorizeExchange(exchanges -> exchanges
.pathMatchers("/public/**").permitAll()
.pathMatchers("/admin/**").hasRole("ADMIN")
.anyExchange().authenticated()
)
.formLogin(formLogin -> formLogin
.loginPage("/login")
)
.csrf(csrf -> csrf
.csrfTokenRepository(new WebSessionServerCsrfTokenRepository())
)
.build();
}
}import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import reactor.core.publisher.Mono;
@Component
public class CustomReactiveAuthenticationManager implements ReactiveAuthenticationManager {
private final ReactiveUserDetailsService userDetailsService;
private final PasswordEncoder passwordEncoder;
@Override
public Mono<Authentication> authenticate(Authentication authentication) {
String username = authentication.getName();
String password = (String) authentication.getCredentials();
return userDetailsService.findByUsername(username)
.filter(user -> passwordEncoder.matches(password, user.getPassword()))
.map(user -> new UsernamePasswordAuthenticationToken(
user, password, user.getAuthorities()
))
.switchIfEmpty(Mono.error(
new BadCredentialsException("Invalid credentials")
));
}
}import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
@RestController
public class ReactiveController {
@GetMapping("/api/users")
@PreAuthorize("hasRole('ADMIN')")
public Flux<User> getAllUsers() {
return userService.findAll();
}
@GetMapping("/api/profile")
public Mono<UserProfile> getProfile(Authentication authentication) {
String username = authentication.getName();
return userService.getProfile(username);
}
}