Class ServerHttpSecurity

- java.lang.Object
  - org.springframework.security.config.web.server.ServerHttpSecurity

    public class ServerHttpSecurity extends java.lang.Object

A ServerHttpSecurity is similar to Spring Security's HttpSecurity but for WebFlux. It allows configuring web based security for specific HTTP requests. By default it will be applied to all requests, but can be restricted using securityMatcher(ServerWebExchangeMatcher) or other similar methods. A minimal configuration can be found below:

    @EnableWebFluxSecurity
    public class MyMinimalSecurityConfiguration {

        @Bean
        public MapReactiveUserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
            return new MapReactiveUserDetailsService(user);
        }
    }

Below is the same as our minimal configuration, but explicitly declaring the ServerHttpSecurity:

    @EnableWebFluxSecurity
    public class MyExplicitSecurityConfiguration {

        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            http
                .authorizeExchange()
                    .anyExchange().authenticated()
                    .and()
                .httpBasic().and()
                .formLogin();
            return http.build();
        }

        @Bean
        public MapReactiveUserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
            return new MapReactiveUserDetailsService(user);
        }
    }

- Since:
  - 5.0
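The description above says a ServerHttpSecurity can be restricted with securityMatcher(...) but never shows the resulting pattern. As an added example (not code from the Spring Security Javadoc), the configuration below declares two ordered SecurityWebFilterChain beans: a stateless, JWT-protected API under /api/** with CSRF disabled, and a browser-facing UI chain that keeps form login, CSRF protection, HTTPS redirection and the default security headers. The path prefixes, the JWK Set URI and the SCOPE_admin authority are assumptions for this example.

```java
// Added example: two SecurityWebFilterChain beans, each scoped with securityMatcher(...).
// Paths, the JWK Set URI and the SCOPE_admin authority are constructed placeholders.
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

import static org.springframework.security.config.Customizer.withDefaults;

@EnableWebFluxSecurity
public class SplitChainSecurityConfiguration {

    // Chain 1: only exchanges under /api/** reach this chain (@Order(1) makes it the
    // first chain consulted). Bearer tokens are validated as JWTs against the issuer's
    // JWK Set. No cookie-backed session is involved, so CSRF protection is disabled
    // for this chain only; the UI chain below keeps it.
    @Bean
    @Order(1)
    public SecurityWebFilterChain apiFilterChain(ServerHttpSecurity http) {
        http
            .securityMatcher(ServerWebExchangeMatchers.pathMatchers("/api/**"))
            .csrf((csrf) -> csrf.disable())
            .authorizeExchange((exchanges) -> exchanges
                .pathMatchers(HttpMethod.GET, "/api/public/**").permitAll()
                // by default a JWT "scope" claim of "admin" becomes the authority SCOPE_admin
                .pathMatchers("/api/admin/**").hasAuthority("SCOPE_admin")
                .anyExchange().authenticated()
            )
            .oauth2ResourceServer((oauth2) -> oauth2
                .jwt((jwt) -> jwt
                    // placeholder for the real authorization server's JWK Set endpoint
                    .jwkSetUri("https://issuer.example/.well-known/jwks.json")
                )
            );
        return http.build();
    }

    // Chain 2: no securityMatcher, so it keeps the default of all requests and catches
    // everything the API chain did not match. Form login uses a cookie-backed session,
    // so CSRF protection stays on; plain HTTP is redirected to HTTPS; the default
    // headers are kept except that framing is relaxed from DENY to SAMEORIGIN.
    @Bean
    @Order(2)
    public SecurityWebFilterChain uiFilterChain(ServerHttpSecurity http) {
        http
            .redirectToHttps(withDefaults())
            .authorizeExchange((exchanges) -> exchanges
                .pathMatchers("/login", "/css/**").permitAll()
                .pathMatchers("/admin/**").hasRole("ADMIN")
                .anyExchange().authenticated()
            )
            .formLogin((formLogin) -> formLogin.loginPage("/login"))
            .logout((logout) -> logout.logoutUrl("/signout"))
            .headers((headers) -> headers
                .frameOptions((frameOptions) -> frameOptions
                    .mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
                )
            );
        return http.build();
    }

    // Users for the form-login chain. withDefaultPasswordEncoder() is for demos only,
    // exactly as in the Javadoc's own minimal configuration.
    @Bean
    public MapReactiveUserDetailsService userDetailsService() {
        UserDetails user = User.withDefaultPasswordEncoder()
            .username("user")
            .password("password")
            .roles("USER")
            .build();
        return new MapReactiveUserDetailsService(user);
    }
}
```

Because the API chain is selected purely by path, a request to /api/... with no token gets a 401 from the resource server entry point rather than a redirect to the login page, which is the behaviour a non-browser client expects.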
 
- 
- 
Nested Class Summary

- class ServerHttpSecurity.AnonymousSpec: Configures anonymous authentication
- class ServerHttpSecurity.AuthorizeExchangeSpec: Configures authorization
- class ServerHttpSecurity.CorsSpec: Configures CORS support within Spring Security.
- class ServerHttpSecurity.CsrfSpec: Configures CSRF Protection
- class ServerHttpSecurity.ExceptionHandlingSpec: Configures exception handling
- class ServerHttpSecurity.FormLoginSpec: Configures Form Based authentication
- class ServerHttpSecurity.HeaderSpec: Configures HTTP Response Headers.
- class ServerHttpSecurity.HttpBasicSpec: Configures HTTP Basic Authentication
- class ServerHttpSecurity.HttpsRedirectSpec: Configures HTTPS redirection rules
- class ServerHttpSecurity.LogoutSpec: Configures log out
- class ServerHttpSecurity.OAuth2ClientSpec
- class ServerHttpSecurity.OAuth2LoginSpec
- class ServerHttpSecurity.OAuth2ResourceServerSpec: Configures OAuth2 Resource Server Support
- class ServerHttpSecurity.RequestCacheSpec: Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so that the request can be replayed after authentication
- class ServerHttpSecurity.X509Spec: Configures X509 authentication

Constructor Summary

- protected ServerHttpSecurity()

Method Summary

- ServerHttpSecurity addFilterAfter(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order): Adds a WebFilter after a specific position.
- ServerHttpSecurity addFilterAt(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order): Adds a WebFilter at a specific position.
- ServerHttpSecurity addFilterBefore(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order): Adds a WebFilter before a specific position.
- ServerHttpSecurity.AnonymousSpec anonymous(): Enables and configures anonymous authentication.
- ServerHttpSecurity anonymous(Customizer<ServerHttpSecurity.AnonymousSpec> anonymousCustomizer): Enables and configures anonymous authentication.
- ServerHttpSecurity authenticationManager(ReactiveAuthenticationManager manager): Configure the default authentication manager.
- ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange(): Configures authorization.
- ServerHttpSecurity authorizeExchange(Customizer<ServerHttpSecurity.AuthorizeExchangeSpec> authorizeExchangeCustomizer): Configures authorization.
- SecurityWebFilterChain build(): Builds the SecurityWebFilterChain.
- ServerHttpSecurity.CorsSpec cors(): Configures CORS headers.
- ServerHttpSecurity cors(Customizer<ServerHttpSecurity.CorsSpec> corsCustomizer): Configures CORS headers.
- ServerHttpSecurity.CsrfSpec csrf(): Configures CSRF Protection which is enabled by default.
- ServerHttpSecurity csrf(Customizer<ServerHttpSecurity.CsrfSpec> csrfCustomizer): Configures CSRF Protection which is enabled by default.
- ServerHttpSecurity.ExceptionHandlingSpec exceptionHandling(): Configures exception handling (i.e. handles when authentication is requested).
- ServerHttpSecurity exceptionHandling(Customizer<ServerHttpSecurity.ExceptionHandlingSpec> exceptionHandlingCustomizer): Configures exception handling (i.e. handles when authentication is requested).
- ServerHttpSecurity.FormLoginSpec formLogin(): Configures form based authentication.
- ServerHttpSecurity formLogin(Customizer<ServerHttpSecurity.FormLoginSpec> formLoginCustomizer): Configures form based authentication.
- ServerHttpSecurity.HeaderSpec headers(): Configures HTTP Response Headers.
- ServerHttpSecurity headers(Customizer<ServerHttpSecurity.HeaderSpec> headerCustomizer): Configures HTTP Response Headers.
- static ServerHttpSecurity http(): Creates a new instance.
- ServerHttpSecurity.HttpBasicSpec httpBasic(): Configures HTTP Basic authentication.
- ServerHttpSecurity httpBasic(Customizer<ServerHttpSecurity.HttpBasicSpec> httpBasicCustomizer): Configures HTTP Basic authentication.
- ServerHttpSecurity.LogoutSpec logout(): Configures log out.
- ServerHttpSecurity logout(Customizer<ServerHttpSecurity.LogoutSpec> logoutCustomizer): Configures log out.
- ServerHttpSecurity.OAuth2ClientSpec oauth2Client(): Configures the OAuth2 client.
- ServerHttpSecurity oauth2Client(Customizer<ServerHttpSecurity.OAuth2ClientSpec> oauth2ClientCustomizer): Configures the OAuth2 client.
- ServerHttpSecurity.OAuth2LoginSpec oauth2Login(): Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.
- ServerHttpSecurity oauth2Login(Customizer<ServerHttpSecurity.OAuth2LoginSpec> oauth2LoginCustomizer): Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.
- ServerHttpSecurity.OAuth2ResourceServerSpec oauth2ResourceServer(): Configures OAuth 2.0 Resource Server support.
- ServerHttpSecurity oauth2ResourceServer(Customizer<ServerHttpSecurity.OAuth2ResourceServerSpec> oauth2ResourceServerCustomizer): Configures OAuth 2.0 Resource Server support.
- ServerHttpSecurity.HttpsRedirectSpec redirectToHttps(): Configures HTTPS redirection rules.
- ServerHttpSecurity redirectToHttps(Customizer<ServerHttpSecurity.HttpsRedirectSpec> httpsRedirectCustomizer): Configures HTTPS redirection rules.
- ServerHttpSecurity.RequestCacheSpec requestCache(): Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so that the request can be replayed after authentication.
- ServerHttpSecurity requestCache(Customizer<ServerHttpSecurity.RequestCacheSpec> requestCacheCustomizer): Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so that the request can be replayed after authentication.
- ServerHttpSecurity securityContextRepository(ServerSecurityContextRepository securityContextRepository): The strategy used with ReactorContextWebFilter.
- ServerHttpSecurity securityMatcher(ServerWebExchangeMatcher matcher): The ServerWebExchangeMatcher that determines which requests apply to this ServerHttpSecurity instance.
- protected void setApplicationContext(org.springframework.context.ApplicationContext applicationContext)
- ServerHttpSecurity.X509Spec x509(): Configures x509 authentication using a certificate provided by a client.
- ServerHttpSecurity x509(Customizer<ServerHttpSecurity.X509Spec> x509Customizer): Configures x509 authentication using a certificate provided by a client.

Method Detail

securityMatcher

    public ServerHttpSecurity securityMatcher(ServerWebExchangeMatcher matcher)

The ServerWebExchangeMatcher that determines which requests apply to this ServerHttpSecurity instance.

- Parameters:
  - matcher - the ServerWebExchangeMatcher that determines which requests apply to this ServerHttpSecurity instance. Default is all requests.
- Returns:
  - the ServerHttpSecurity to continue configuring

addFilterAt

    public ServerHttpSecurity addFilterAt(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order)

Adds a WebFilter at a specific position.

- Parameters:
  - webFilter - the WebFilter to add
  - order - the place to insert the WebFilter
- Returns:
  - the ServerHttpSecurity to continue configuring

addFilterBefore

    public ServerHttpSecurity addFilterBefore(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order)

Adds a WebFilter before a specific position.

- Parameters:
  - webFilter - the WebFilter to add
  - order - the place before which to insert the WebFilter
- Returns:
  - the ServerHttpSecurity to continue configuring
- Since:
  - 5.2.0

addFilterAfter

    public ServerHttpSecurity addFilterAfter(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order)

Adds a WebFilter after a specific position.

- Parameters:
  - webFilter - the WebFilter to add
  - order - the place after which to insert the WebFilter
- Returns:
  - the ServerHttpSecurity to continue configuring
- Since:
  - 5.2.0

securityContextRepository

    public ServerHttpSecurity securityContextRepository(ServerSecurityContextRepository securityContextRepository)

The strategy used with ReactorContextWebFilter. It does impact how the SecurityContext is saved, which is configured on a per AuthenticationWebFilter basis.

- Parameters:
  - securityContextRepository - the repository to use
- Returns:
  - the ServerHttpSecurity to continue configuring

redirectToHttps

    public ServerHttpSecurity.HttpsRedirectSpec redirectToHttps()

Configures HTTPS redirection rules. If the default is used:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .redirectToHttps();
        return http.build();
    }

Then all non-HTTPS requests will be redirected to HTTPS. Typically, all requests should be HTTPS; however, the focus for redirection can also be narrowed:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .redirectToHttps()
                .httpsRedirectWhen((serverWebExchange) ->
                    serverWebExchange.getRequest().getHeaders().containsKey("X-Requires-Https"));
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.HttpsRedirectSpec to customize

redirectToHttps

    public ServerHttpSecurity redirectToHttps(Customizer<ServerHttpSecurity.HttpsRedirectSpec> httpsRedirectCustomizer)

Configures HTTPS redirection rules. If the default is used:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .redirectToHttps(withDefaults());
        return http.build();
    }

Then all non-HTTPS requests will be redirected to HTTPS. Typically, all requests should be HTTPS; however, the focus for redirection can also be narrowed:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .redirectToHttps((redirectToHttps) -> redirectToHttps
                .httpsRedirectWhen((serverWebExchange) ->
                    serverWebExchange.getRequest().getHeaders().containsKey("X-Requires-Https"))
            );
        return http.build();
    }

- Parameters:
  - httpsRedirectCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HttpsRedirectSpec
- Returns:
  - the ServerHttpSecurity to customize

csrf

    public ServerHttpSecurity.CsrfSpec csrf()

Configures CSRF Protection which is enabled by default. You can disable it using:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .csrf().disable();
        return http.build();
    }

Additional configuration options can be seen below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .csrf()
                // Handle CSRF failures
                .accessDeniedHandler(accessDeniedHandler)
                // Custom persistence of CSRF Token
                .csrfTokenRepository(csrfTokenRepository)
                // custom matching when CSRF protection is enabled
                .requireCsrfProtectionMatcher(matcher);
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.CsrfSpec to customize

csrf

    public ServerHttpSecurity csrf(Customizer<ServerHttpSecurity.CsrfSpec> csrfCustomizer)

Configures CSRF Protection which is enabled by default. You can disable it using:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .csrf((csrf) ->
                csrf.disable()
            );
        return http.build();
    }

Additional configuration options can be seen below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .csrf((csrf) -> csrf
                // Handle CSRF failures
                .accessDeniedHandler(accessDeniedHandler)
                // Custom persistence of CSRF Token
                .csrfTokenRepository(csrfTokenRepository)
                // custom matching when CSRF protection is enabled
                .requireCsrfProtectionMatcher(matcher)
            );
        return http.build();
    }

- Parameters:
  - csrfCustomizer - the Customizer to provide more options for the ServerHttpSecurity.CsrfSpec
- Returns:
  - the ServerHttpSecurity to customize

cors

    public ServerHttpSecurity.CorsSpec cors()

Configures CORS headers. By default, if a CorsConfigurationSource Bean is found, it will be used to create a CorsWebFilter. If ServerHttpSecurity.CorsSpec.configurationSource(CorsConfigurationSource) is invoked, it will be used instead. If neither has been configured, the CORS configuration will do nothing.

- Returns:
  - the ServerHttpSecurity.CorsSpec to customize

cors

    public ServerHttpSecurity cors(Customizer<ServerHttpSecurity.CorsSpec> corsCustomizer)

Configures CORS headers. By default, if a CorsConfigurationSource Bean is found, it will be used to create a CorsWebFilter. If ServerHttpSecurity.CorsSpec.configurationSource(CorsConfigurationSource) is invoked, it will be used instead. If neither has been configured, the CORS configuration will do nothing.

- Parameters:
  - corsCustomizer - the Customizer to provide more options for the ServerHttpSecurity.CorsSpec
- Returns:
  - the ServerHttpSecurity to customize

anonymous

    public ServerHttpSecurity.AnonymousSpec anonymous()

Enables and configures anonymous authentication. Anonymous Authentication is disabled by default.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .anonymous().key("key")
            .authorities("ROLE_ANONYMOUS");
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.AnonymousSpec to customize
- Since:
  - 5.2.0

anonymous

    public ServerHttpSecurity anonymous(Customizer<ServerHttpSecurity.AnonymousSpec> anonymousCustomizer)

Enables and configures anonymous authentication. Anonymous Authentication is disabled by default.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .anonymous((anonymous) -> anonymous
                .key("key")
                .authorities("ROLE_ANONYMOUS")
            );
        return http.build();
    }

- Parameters:
  - anonymousCustomizer - the Customizer to provide more options for the ServerHttpSecurity.AnonymousSpec
- Returns:
  - the ServerHttpSecurity to customize

httpBasic

    public ServerHttpSecurity.HttpBasicSpec httpBasic()

Configures HTTP Basic authentication. An example configuration is provided below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .httpBasic()
                // used for authenticating the credentials
                .authenticationManager(authenticationManager)
                // Custom persistence of the authentication
                .securityContextRepository(securityContextRepository);
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.HttpBasicSpec to customize

httpBasic

    public ServerHttpSecurity httpBasic(Customizer<ServerHttpSecurity.HttpBasicSpec> httpBasicCustomizer)

Configures HTTP Basic authentication. An example configuration is provided below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .httpBasic((httpBasic) -> httpBasic
                // used for authenticating the credentials
                .authenticationManager(authenticationManager)
                // Custom persistence of the authentication
                .securityContextRepository(securityContextRepository)
            );
        return http.build();
    }

- Parameters:
  - httpBasicCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HttpBasicSpec
- Returns:
  - the ServerHttpSecurity to customize

formLogin

    public ServerHttpSecurity.FormLoginSpec formLogin()

Configures form based authentication. An example configuration is provided below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .formLogin()
                // used for authenticating the credentials
                .authenticationManager(authenticationManager)
                // Custom persistence of the authentication
                .securityContextRepository(securityContextRepository)
                // expect a log in page at "/authenticate"
                // a POST "/authenticate" is where authentication occurs
                // error page at "/authenticate?error"
                .loginPage("/authenticate");
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.FormLoginSpec to customize

formLogin

    public ServerHttpSecurity formLogin(Customizer<ServerHttpSecurity.FormLoginSpec> formLoginCustomizer)

Configures form based authentication. An example configuration is provided below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .formLogin((formLogin) -> formLogin
                // used for authenticating the credentials
                .authenticationManager(authenticationManager)
                // Custom persistence of the authentication
                .securityContextRepository(securityContextRepository)
                // expect a log in page at "/authenticate"
                // a POST "/authenticate" is where authentication occurs
                // error page at "/authenticate?error"
                .loginPage("/authenticate")
            );
        return http.build();
    }

- Parameters:
  - formLoginCustomizer - the Customizer to provide more options for the ServerHttpSecurity.FormLoginSpec
- Returns:
  - the ServerHttpSecurity to customize

x509

    public ServerHttpSecurity.X509Spec x509()

Configures x509 authentication using a certificate provided by a client.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .x509()
                .authenticationManager(authenticationManager)
                .principalExtractor(principalExtractor);
        return http.build();
    }

Note that if no principal extractor is specified, SubjectDnX509PrincipalExtractor will be used. If no authenticationManager is specified, ReactivePreAuthenticatedAuthenticationManager will be used.

- Returns:
  - the ServerHttpSecurity.X509Spec to customize
- Since:
  - 5.2

x509

    public ServerHttpSecurity x509(Customizer<ServerHttpSecurity.X509Spec> x509Customizer)

Configures x509 authentication using a certificate provided by a client.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            .x509((x509) -> x509
                .authenticationManager(authenticationManager)
                .principalExtractor(principalExtractor)
            );
        return http.build();
    }

Note that if no principal extractor is specified, SubjectDnX509PrincipalExtractor will be used. If no authenticationManager is specified, ReactivePreAuthenticatedAuthenticationManager will be used.

- Parameters:
  - x509Customizer - the Customizer to provide more options for the ServerHttpSecurity.X509Spec
- Returns:
  - the ServerHttpSecurity to customize
- Since:
  - 5.2

oauth2Login

    public ServerHttpSecurity.OAuth2LoginSpec oauth2Login()

Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .oauth2Login()
                .authenticationConverter(authenticationConverter)
                .authenticationManager(manager);
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.OAuth2LoginSpec to customize

oauth2Login

    public ServerHttpSecurity oauth2Login(Customizer<ServerHttpSecurity.OAuth2LoginSpec> oauth2LoginCustomizer)

Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .oauth2Login((oauth2Login) -> oauth2Login
                .authenticationConverter(authenticationConverter)
                .authenticationManager(manager)
            );
        return http.build();
    }

- Parameters:
  - oauth2LoginCustomizer - the Customizer to provide more options for the ServerHttpSecurity.OAuth2LoginSpec
- Returns:
  - the ServerHttpSecurity to customize

oauth2Client

    public ServerHttpSecurity.OAuth2ClientSpec oauth2Client()

Configures the OAuth2 client.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .oauth2Client()
                .clientRegistrationRepository(clientRegistrationRepository)
                .authorizedClientRepository(authorizedClientRepository);
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.OAuth2ClientSpec to customize

oauth2Client

    public ServerHttpSecurity oauth2Client(Customizer<ServerHttpSecurity.OAuth2ClientSpec> oauth2ClientCustomizer)

Configures the OAuth2 client.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .oauth2Client((oauth2Client) -> oauth2Client
                .clientRegistrationRepository(clientRegistrationRepository)
                .authorizedClientRepository(authorizedClientRepository)
            );
        return http.build();
    }

- Parameters:
  - oauth2ClientCustomizer - the Customizer to provide more options for the ServerHttpSecurity.OAuth2ClientSpec
- Returns:
  - the ServerHttpSecurity to customize

oauth2ResourceServer

    public ServerHttpSecurity.OAuth2ResourceServerSpec oauth2ResourceServer()

Configures OAuth 2.0 Resource Server support.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .oauth2ResourceServer()
                .jwt()
                    .publicKey(publicKey());
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.OAuth2ResourceServerSpec to customize

oauth2ResourceServer

    public ServerHttpSecurity oauth2ResourceServer(Customizer<ServerHttpSecurity.OAuth2ResourceServerSpec> oauth2ResourceServerCustomizer)

Configures OAuth 2.0 Resource Server support.

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .oauth2ResourceServer((oauth2ResourceServer) -> oauth2ResourceServer
                .jwt((jwt) -> jwt
                    .publicKey(publicKey())
                )
            );
        return http.build();
    }

- Parameters:
  - oauth2ResourceServerCustomizer - the Customizer to provide more options for the ServerHttpSecurity.OAuth2ResourceServerSpec
- Returns:
  - the ServerHttpSecurity to customize

headers

    public ServerHttpSecurity.HeaderSpec headers()

Configures HTTP Response Headers. The default headers are:

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000 ; includeSubDomains
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

such that "Strict-Transport-Security" is only added on secure requests. An example configuration is provided below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .headers()
                // customize frame options to be same origin
                .frameOptions()
                    .mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
                    .and()
                // disable cache control
                .cache().disable();
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.HeaderSpec to customize

headers

    public ServerHttpSecurity headers(Customizer<ServerHttpSecurity.HeaderSpec> headerCustomizer)

Configures HTTP Response Headers. The default headers are:

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000 ; includeSubDomains
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

such that "Strict-Transport-Security" is only added on secure requests. An example configuration is provided below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .headers((headers) -> headers
                // customize frame options to be same origin
                .frameOptions((frameOptions) -> frameOptions
                    .mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
                )
                // disable cache control
                .cache((cache) -> cache
                    .disable()
                )
            );
        return http.build();
    }

- Parameters:
  - headerCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec
- Returns:
  - the ServerHttpSecurity to customize

exceptionHandling

    public ServerHttpSecurity.ExceptionHandlingSpec exceptionHandling()

Configures exception handling (i.e. handles when authentication is requested). An example configuration can be found below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .exceptionHandling()
                // customize how to request for authentication
                .authenticationEntryPoint(entryPoint);
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.ExceptionHandlingSpec to customize

exceptionHandling

    public ServerHttpSecurity exceptionHandling(Customizer<ServerHttpSecurity.ExceptionHandlingSpec> exceptionHandlingCustomizer)

Configures exception handling (i.e. handles when authentication is requested). An example configuration can be found below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .exceptionHandling((exceptionHandling) -> exceptionHandling
                // customize how to request for authentication
                .authenticationEntryPoint(entryPoint)
            );
        return http.build();
    }

- Parameters:
  - exceptionHandlingCustomizer - the Customizer to provide more options for the ServerHttpSecurity.ExceptionHandlingSpec
- Returns:
  - the ServerHttpSecurity to customize

authorizeExchange

    public ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange()

Configures authorization. An example configuration can be found below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .authorizeExchange()
                // any URL that starts with /admin/ requires the role "ROLE_ADMIN"
                .pathMatchers("/admin/**").hasRole("ADMIN")
                // a POST to /users requires the role "USER_POST"
                .pathMatchers(HttpMethod.POST, "/users").hasAuthority("USER_POST")
                // a request to /users/{username} requires the current authentication's username
                // to be equal to the {username}
                .pathMatchers("/users/{username}").access((authentication, context) ->
                    authentication
                        .map(Authentication::getName)
                        .map((username) -> username.equals(context.getVariables().get("username")))
                        .map(AuthorizationDecision::new)
                )
                // allows providing a custom matching strategy that requires the role "ROLE_CUSTOM"
                .matchers(customMatcher).hasRole("CUSTOM")
                // any other request requires the user to be authenticated
                .anyExchange().authenticated();
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.AuthorizeExchangeSpec to customize

authorizeExchange

    public ServerHttpSecurity authorizeExchange(Customizer<ServerHttpSecurity.AuthorizeExchangeSpec> authorizeExchangeCustomizer)

Configures authorization. An example configuration can be found below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .authorizeExchange((exchanges) -> exchanges
                // any URL that starts with /admin/ requires the role "ROLE_ADMIN"
                .pathMatchers("/admin/**").hasRole("ADMIN")
                // a POST to /users requires the role "USER_POST"
                .pathMatchers(HttpMethod.POST, "/users").hasAuthority("USER_POST")
                // a request to /users/{username} requires the current authentication's username
                // to be equal to the {username}
                .pathMatchers("/users/{username}").access((authentication, context) ->
                    authentication
                        .map(Authentication::getName)
                        .map((username) -> username.equals(context.getVariables().get("username")))
                        .map(AuthorizationDecision::new)
                )
                // allows providing a custom matching strategy that requires the role "ROLE_CUSTOM"
                .matchers(customMatcher).hasRole("CUSTOM")
                // any other request requires the user to be authenticated
                .anyExchange().authenticated()
            );
        return http.build();
    }

- Parameters:
  - authorizeExchangeCustomizer - the Customizer to provide more options for the ServerHttpSecurity.AuthorizeExchangeSpec
- Returns:
  - the ServerHttpSecurity to customize

logout

    public ServerHttpSecurity.LogoutSpec logout()

Configures log out. An example configuration can be found below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .logout()
                // configures how log out is done
                .logoutHandler(logoutHandler)
                // log out will be performed on POST /signout
                .logoutUrl("/signout")
                // configure what is done on logout success
                .logoutSuccessHandler(successHandler);
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.LogoutSpec to customize

logout

    public ServerHttpSecurity logout(Customizer<ServerHttpSecurity.LogoutSpec> logoutCustomizer)

Configures log out. An example configuration can be found below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .logout((logout) -> logout
                // configures how log out is done
                .logoutHandler(logoutHandler)
                // log out will be performed on POST /signout
                .logoutUrl("/signout")
                // configure what is done on logout success
                .logoutSuccessHandler(successHandler)
            );
        return http.build();
    }

- Parameters:
  - logoutCustomizer - the Customizer to provide more options for the ServerHttpSecurity.LogoutSpec
- Returns:
  - the ServerHttpSecurity to customize

requestCache

    public ServerHttpSecurity.RequestCacheSpec requestCache()

Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so that the request can be replayed after authentication. An example configuration can be found below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .requestCache()
                // configures how the request is cached
                .requestCache(requestCache);
        return http.build();
    }

- Returns:
  - the ServerHttpSecurity.RequestCacheSpec to customize

requestCache

    public ServerHttpSecurity requestCache(Customizer<ServerHttpSecurity.RequestCacheSpec> requestCacheCustomizer)

Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so that the request can be replayed after authentication. An example configuration can be found below:

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
            // ...
            .requestCache((requestCache) -> requestCache
                // configures how the request is cached
                .requestCache(customRequestCache)
            );
        return http.build();
    }

- Parameters:
  - requestCacheCustomizer - the Customizer to provide more options for the ServerHttpSecurity.RequestCacheSpec
- Returns:
  - the ServerHttpSecurity to customize

authenticationManager

    public ServerHttpSecurity authenticationManager(ReactiveAuthenticationManager manager)

Configure the default authentication manager.

- Parameters:
  - manager - the authentication manager to use
- Returns:
  - the ServerHttpSecurity to customize

build

    public SecurityWebFilterChain build()

Builds the SecurityWebFilterChain.

- Returns:
  - the SecurityWebFilterChain

http

    public static ServerHttpSecurity http()

Creates a new instance.

- Returns:
  - the new ServerHttpSecurity instance

setApplicationContext

    protected void setApplicationContext(org.springframework.context.ApplicationContext applicationContext)
        throws org.springframework.beans.BeansException

- Throws:
  - org.springframework.beans.BeansException