Package org.springframework.security.config.web.server

Class ServerHttpSecurity

java.lang.Object
org.springframework.security.config.web.server.ServerHttpSecurity
public class ServerHttpSecurity extends Object
A ServerHttpSecurity is similar to Spring Security's HttpSecurity but for WebFlux. It allows configuring web based security for specific http requests. By default it will be applied to all requests, but can be restricted using securityMatcher(ServerWebExchangeMatcher) or other similar methods. A minimal configuration can be found below: 
 @Configuration
 @EnableWebFluxSecurity
 public class MyMinimalSecurityConfiguration {

     @Bean
     public MapReactiveUserDetailsService userDetailsService() {
         UserDetails user = User.withDefaultPasswordEncoder()
             .username("user")
             .password("password")
             .roles("USER")
             .build();
         return new MapReactiveUserDetailsService(user);
     }
 }
Below is the same as our minimal configuration, but explicitly declaring the ServerHttpSecurity. 
 @Configuration
 @EnableWebFluxSecurity
 public class MyExplicitSecurityConfiguration {

     @Bean
     public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
         http
             .authorizeExchange()
               .anyExchange().authenticated()
             .and()
               .httpBasic().and()
               .formLogin();
             return http.build();
     }

     @Bean
     public MapReactiveUserDetailsService userDetailsService() {
         UserDetails user = User.withDefaultPasswordEncoder()
             .username("user")
             .password("password")
             .roles("USER")
             .build();
         return new MapReactiveUserDetailsService(user);
     }
 }
Since:
5.0

  • Constructor Details

    • ServerHttpSecurity

      protected ServerHttpSecurity()

  • Method Details

    • securityMatcher

      public ServerHttpSecurity securityMatcher(ServerWebExchangeMatcher matcher)
      The ServerExchangeMatcher that determines which requests apply to this HttpSecurity instance.
      Parameters:
      matcher - the ServerExchangeMatcher that determines which requests apply to this HttpSecurity instance. Default is all requests.
      Returns:
      the ServerHttpSecurity to continue configuring

    • addFilterAt

      public ServerHttpSecurity addFilterAt(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order)
      Adds a WebFilter at a specific position.
      Parameters:
      webFilter - the WebFilter to add
      order - the place to insert the WebFilter
      Returns:
      the ServerHttpSecurity to continue configuring

    • addFilterBefore

      public ServerHttpSecurity addFilterBefore(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order)
      Adds a WebFilter before specific position.
      Parameters:
      webFilter - the WebFilter to add
      order - the place before which to insert the WebFilter
      Returns:
      the ServerHttpSecurity to continue configuring
      Since:
      5.2.0

    • addFilterAfter

      public ServerHttpSecurity addFilterAfter(org.springframework.web.server.WebFilter webFilter, SecurityWebFiltersOrder order)
      Adds a WebFilter after specific position.
      Parameters:
      webFilter - the WebFilter to add
      order - the place after which to insert the WebFilter
      Returns:
      the ServerHttpSecurity to continue configuring
      Since:
      5.2.0

    • securityContextRepository

      public ServerHttpSecurity securityContextRepository(ServerSecurityContextRepository securityContextRepository)
      The strategy used with ReactorContextWebFilter. It does impact how the SecurityContext is saved which is configured on a per AuthenticationWebFilter basis.
      Parameters:
      securityContextRepository - the repository to use
      Returns:
      the ServerHttpSecurity to continue configuring

    • redirectToHttps

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.HttpsRedirectSpec redirectToHttps()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use redirectToHttps(Customizer) or redirectToHttps(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures HTTPS redirection rules. If the default is used: 
        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            http
                // ...
                .redirectToHttps();
            return http.build();
        }
      Then all non-HTTPS requests will be redirected to HTTPS. Typically, all requests should be HTTPS; however, the focus for redirection can also be narrowed: 
        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            http
                // ...
                .redirectToHttps()
                    .httpsRedirectWhen((serverWebExchange) ->
                        serverWebExchange.getRequest().getHeaders().containsKey("X-Requires-Https"))
            return http.build();
        }
      Returns:
      the ServerHttpSecurity.HttpsRedirectSpec to customize

    • redirectToHttps

      public ServerHttpSecurity redirectToHttps(Customizer<ServerHttpSecurity.HttpsRedirectSpec> httpsRedirectCustomizer)
      Configures HTTPS redirection rules. If the default is used: 
        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            http
                // ...
                .redirectToHttps(withDefaults());
            return http.build();
        }
      Then all non-HTTPS requests will be redirected to HTTPS. Typically, all requests should be HTTPS; however, the focus for redirection can also be narrowed: 
        @Bean
        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            http
                // ...
                .redirectToHttps((redirectToHttps) ->
                        redirectToHttps
                        .httpsRedirectWhen((serverWebExchange) ->
                                serverWebExchange.getRequest().getHeaders().containsKey("X-Requires-Https"))
                    );
            return http.build();
        }
      Parameters:
      httpsRedirectCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HttpsRedirectSpec
      Returns:
      the ServerHttpSecurity to customize

    • csrf

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.CsrfSpec csrf()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use csrf(Customizer) or csrf(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures CSRF Protection which is enabled by default. You can disable it using: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .csrf().disabled();
      return http.build();
  }
      Additional configuration options can be seen below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .csrf()
              // Handle CSRF failures
              .accessDeniedHandler(accessDeniedHandler)
              // Custom persistence of CSRF Token
              .csrfTokenRepository(csrfTokenRepository)
              // custom matching when CSRF protection is enabled
              .requireCsrfProtectionMatcher(matcher);
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.CsrfSpec to customize

    • csrf

      public ServerHttpSecurity csrf(Customizer<ServerHttpSecurity.CsrfSpec> csrfCustomizer)
      Configures CSRF Protection which is enabled by default. You can disable it using: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .csrf((csrf) ->
              csrf.disabled()
          );
      return http.build();
  }
      Additional configuration options can be seen below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .csrf((csrf) ->
              csrf
                  // Handle CSRF failures
                  .accessDeniedHandler(accessDeniedHandler)
                  // Custom persistence of CSRF Token
                  .csrfTokenRepository(csrfTokenRepository)
                  // custom matching when CSRF protection is enabled
                  .requireCsrfProtectionMatcher(matcher)
          );
      return http.build();
  }
      Parameters:
      csrfCustomizer - the Customizer to provide more options for the ServerHttpSecurity.CsrfSpec
      Returns:
      the ServerHttpSecurity to customize

    • cors

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.CorsSpec cors()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use cors(Customizer) or cors(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures CORS headers. By default if a CorsConfigurationSource Bean is found, it will be used to create a CorsWebFilter. If ServerHttpSecurity.CorsSpec.configurationSource(CorsConfigurationSource) is invoked it will be used instead. If neither has been configured, the Cors configuration will do nothing.
      Returns:
      the ServerHttpSecurity.CorsSpec to customize

    • cors

      public ServerHttpSecurity cors(Customizer<ServerHttpSecurity.CorsSpec> corsCustomizer)
      Configures CORS headers. By default if a CorsConfigurationSource Bean is found, it will be used to create a CorsWebFilter. If ServerHttpSecurity.CorsSpec.configurationSource(CorsConfigurationSource) is invoked it will be used instead. If neither has been configured, the Cors configuration will do nothing.
      Parameters:
      corsCustomizer - the Customizer to provide more options for the ServerHttpSecurity.CorsSpec
      Returns:
      the ServerHttpSecurity to customize

    • anonymous

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.AnonymousSpec anonymous()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use anonymous(Customizer) or anonymous(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Enables and Configures anonymous authentication. Anonymous Authentication is disabled by default. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .anonymous().key("key")
          .authorities("ROLE_ANONYMOUS");
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.AnonymousSpec to customize
      Since:
      5.2.0

    • anonymous

      public ServerHttpSecurity anonymous(Customizer<ServerHttpSecurity.AnonymousSpec> anonymousCustomizer)
      Enables and Configures anonymous authentication. Anonymous Authentication is disabled by default. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .anonymous((anonymous) ->
              anonymous
                  .key("key")
                  .authorities("ROLE_ANONYMOUS")
          );
      return http.build();
  }
      Parameters:
      anonymousCustomizer - the Customizer to provide more options for the ServerHttpSecurity.AnonymousSpec
      Returns:
      the ServerHttpSecurity to customize

    • httpBasic

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.HttpBasicSpec httpBasic()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use httpBasic(Customizer) or httpBasic(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures HTTP Basic authentication. An example configuration is provided below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .httpBasic()
              // used for authenticating the credentials
              .authenticationManager(authenticationManager)
              // Custom persistence of the authentication
              .securityContextRepository(securityContextRepository);
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.HttpBasicSpec to customize

    • httpBasic

      public ServerHttpSecurity httpBasic(Customizer<ServerHttpSecurity.HttpBasicSpec> httpBasicCustomizer)
      Configures HTTP Basic authentication. An example configuration is provided below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .httpBasic((httpBasic) ->
              httpBasic
                  // used for authenticating the credentials
                  .authenticationManager(authenticationManager)
                  // Custom persistence of the authentication
                  .securityContextRepository(securityContextRepository)
              );
      return http.build();
  }
      Parameters:
      httpBasicCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HttpBasicSpec
      Returns:
      the ServerHttpSecurity to customize

    • sessionManagement

      public ServerHttpSecurity sessionManagement(Customizer<ServerHttpSecurity.SessionManagementSpec> customizer)
      Configures Session Management. An example configuration is provided below: 
        @Bean
  SecurityWebFilterChain filterChain(ServerHttpSecurity http, ReactiveSessionRegistry sessionRegistry) {
      http
          // ...
          .sessionManagement((sessionManagement) -> sessionManagement
              .concurrentSessions((concurrentSessions) -> concurrentSessions
                  .maxSessions(1)
                  .maxSessionsPreventsLogin(true)
                  .sessionRegistry(sessionRegistry)
              )
          );
      return http.build();
  }
      Parameters:
      customizer - the Customizer to provide more options for the ServerHttpSecurity.SessionManagementSpec
      Returns:
      the ServerHttpSecurity to continue configuring
      Since:
      6.3

    • passwordManagement

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.PasswordManagementSpec passwordManagement()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use passwordManagement(Customizer) or passwordManagement(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures password management. An example configuration is provided below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .passwordManagement();
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.PasswordManagementSpec to customize
      Since:
      5.6

    • passwordManagement

      public ServerHttpSecurity passwordManagement(Customizer<ServerHttpSecurity.PasswordManagementSpec> passwordManagementCustomizer)
      Configures password management. An example configuration is provided below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .passwordManagement(passwordManagement ->
                // Custom change password page.
                passwordManagement.changePasswordPage("/custom-change-password-page")
          );
      return http.build();
  }
      Parameters:
      passwordManagementCustomizer - the Customizer to provide more options for the ServerHttpSecurity.PasswordManagementSpec
      Returns:
      the ServerHttpSecurity to customize
      Since:
      5.6

    • formLogin

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.FormLoginSpec formLogin()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use formLogin(Customizer) or formLogin(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures form based authentication. An example configuration is provided below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .formLogin()
              // used for authenticating the credentials
              .authenticationManager(authenticationManager)
              // Custom persistence of the authentication
              .securityContextRepository(securityContextRepository)
              // expect a log in page at "/authenticate"
              // a POST "/authenticate" is where authentication occurs
              // error page at "/authenticate?error"
              .loginPage("/authenticate");
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.FormLoginSpec to customize

    • formLogin

      public ServerHttpSecurity formLogin(Customizer<ServerHttpSecurity.FormLoginSpec> formLoginCustomizer)
      Configures form based authentication. An example configuration is provided below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .formLogin((formLogin) ->
              formLogin
                // used for authenticating the credentials
                .authenticationManager(authenticationManager)
                // Custom persistence of the authentication
                .securityContextRepository(securityContextRepository)
                // expect a log in page at "/authenticate"
                // a POST "/authenticate" is where authentication occurs
                // error page at "/authenticate?error"
                .loginPage("/authenticate")
          );
      return http.build();
  }
      Parameters:
      formLoginCustomizer - the Customizer to provide more options for the ServerHttpSecurity.FormLoginSpec
      Returns:
      the ServerHttpSecurity to customize

    • x509

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.X509Spec x509()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use x509(Customizer) or x509(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures x509 authentication using a certificate provided by a client. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          .x509()
                .authenticationManager(authenticationManager)
              .principalExtractor(principalExtractor);
      return http.build();
  }
      Note that if extractor is not specified, SubjectDnX509PrincipalExtractor will be used. If authenticationManager is not specified, ReactivePreAuthenticatedAuthenticationManager will be used.
      Returns:
      the ServerHttpSecurity.X509Spec to customize
      Since:
      5.2

    • x509

      public ServerHttpSecurity x509(Customizer<ServerHttpSecurity.X509Spec> x509Customizer)
      Configures x509 authentication using a certificate provided by a client. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          .x509((x509) ->
              x509
                    .authenticationManager(authenticationManager)
                  .principalExtractor(principalExtractor)
          );
      return http.build();
  }
      Note that if extractor is not specified, SubjectDnX509PrincipalExtractor will be used. If authenticationManager is not specified, ReactivePreAuthenticatedAuthenticationManager will be used.
      Parameters:
      x509Customizer - the Customizer to provide more options for the ServerHttpSecurity.X509Spec
      Returns:
      the ServerHttpSecurity to customize
      Since:
      5.2

    • oauth2Login

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.OAuth2LoginSpec oauth2Login()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use oauth2Login(Customizer) or oauth2Login(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .oauth2Login()
              .authenticationConverter(authenticationConverter)
              .authenticationManager(manager);
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.OAuth2LoginSpec to customize

    • oauth2Login

      public ServerHttpSecurity oauth2Login(Customizer<ServerHttpSecurity.OAuth2LoginSpec> oauth2LoginCustomizer)
      Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .oauth2Login((oauth2Login) ->
              oauth2Login
                  .authenticationConverter(authenticationConverter)
                  .authenticationManager(manager)
          );
      return http.build();
  }
      Parameters:
      oauth2LoginCustomizer - the Customizer to provide more options for the ServerHttpSecurity.OAuth2LoginSpec
      Returns:
      the ServerHttpSecurity to customize

    • oauth2Client

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.OAuth2ClientSpec oauth2Client()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use oauth2Client(Customizer) or oauth2Client(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures the OAuth2 client. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .oauth2Client()
              .clientRegistrationRepository(clientRegistrationRepository)
              .authorizedClientRepository(authorizedClientRepository);
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.OAuth2ClientSpec to customize

    • oauth2Client

      public ServerHttpSecurity oauth2Client(Customizer<ServerHttpSecurity.OAuth2ClientSpec> oauth2ClientCustomizer)
      Configures the OAuth2 client. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .oauth2Client((oauth2Client) ->
              oauth2Client
                  .clientRegistrationRepository(clientRegistrationRepository)
                  .authorizedClientRepository(authorizedClientRepository)
          );
      return http.build();
  }
      Parameters:
      oauth2ClientCustomizer - the Customizer to provide more options for the ServerHttpSecurity.OAuth2ClientSpec
      Returns:
      the ServerHttpSecurity to customize

    • oauth2ResourceServer

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.OAuth2ResourceServerSpec oauth2ResourceServer()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use oauth2ResourceServer(Customizer) instead
      Configures OAuth 2.0 Resource Server support. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .oauth2ResourceServer()
              .jwt()
                  .publicKey(publicKey());
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.OAuth2ResourceServerSpec to customize

    • oauth2ResourceServer

      public ServerHttpSecurity oauth2ResourceServer(Customizer<ServerHttpSecurity.OAuth2ResourceServerSpec> oauth2ResourceServerCustomizer)
      Configures OAuth 2.0 Resource Server support. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .oauth2ResourceServer((oauth2ResourceServer) ->
              oauth2ResourceServer
                  .jwt((jwt) ->
                      jwt
                          .publicKey(publicKey())
                  )
          );
      return http.build();
  }
      Parameters:
      oauth2ResourceServerCustomizer - the Customizer to provide more options for the ServerHttpSecurity.OAuth2ResourceServerSpec
      Returns:
      the ServerHttpSecurity to customize

    • oidcLogout

      public ServerHttpSecurity oidcLogout(Customizer<ServerHttpSecurity.OidcLogoutSpec> oidcLogoutCustomizer)
      Configures OIDC Connect 1.0 Logout support. 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .oidcLogout((logout) -> logout
              .backChannel(Customizer.withDefaults())
          );
      return http.build();
  }
      Parameters:
      oidcLogoutCustomizer - the Customizer to provide more options for the ServerHttpSecurity.OidcLogoutSpec
      Returns:
      the ServerHttpSecurity to customize
      Since:
      6.2

    • headers

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.HeaderSpec headers()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures HTTP Response Headers. The default headers are: 
       Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 Pragma: no-cache
 Expires: 0
 X-Content-Type-Options: nosniff
 Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 X-Frame-Options: DENY
 X-XSS-Protection: 0
      such that "Strict-Transport-Security" is only added on secure requests. An example configuration is provided below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .headers()
              // customize frame options to be same origin
              .frameOptions()
                  .mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
                  .and()
              // disable cache control
              .cache().disable();
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.HeaderSpec to customize

    • headers

      public ServerHttpSecurity headers(Customizer<ServerHttpSecurity.HeaderSpec> headerCustomizer)
      Configures HTTP Response Headers. The default headers are: 
       Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 Pragma: no-cache
 Expires: 0
 X-Content-Type-Options: nosniff
 Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 X-Frame-Options: DENY
 X-XSS-Protection: 0
      such that "Strict-Transport-Security" is only added on secure requests. An example configuration is provided below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .headers((headers) ->
              headers
                  // customize frame options to be same origin
                  .frameOptions((frameOptions) ->
                      frameOptions
                          .mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
                   )
                  // disable cache control
                  .cache((cache) ->
                      cache
                          .disable()
                  )
          );
      return http.build();
  }
      Parameters:
      headerCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec
      Returns:
      the ServerHttpSecurity to customize

    • exceptionHandling

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.ExceptionHandlingSpec exceptionHandling()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use exceptionHandling(Customizer) or exceptionHandling(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures exception handling (i.e. handles when authentication is requested). An example configuration can be found below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .exceptionHandling()
              // customize how to request for authentication
              .authenticationEntryPoint(entryPoint);
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.ExceptionHandlingSpec to customize

    • exceptionHandling

      public ServerHttpSecurity exceptionHandling(Customizer<ServerHttpSecurity.ExceptionHandlingSpec> exceptionHandlingCustomizer)
      Configures exception handling (i.e. handles when authentication is requested). An example configuration can be found below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .exceptionHandling((exceptionHandling) ->
              exceptionHandling
                  // customize how to request for authentication
                  .authenticationEntryPoint(entryPoint)
          );
      return http.build();
  }
      Parameters:
      exceptionHandlingCustomizer - the Customizer to provide more options for the ServerHttpSecurity.ExceptionHandlingSpec
      Returns:
      the ServerHttpSecurity to customize

    • authorizeExchange

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use authorizeExchange(Customizer) or authorizeExchange(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures authorization. An example configuration can be found below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .authorizeExchange()
              // any URL that starts with /admin/ requires the role "ROLE_ADMIN"
              .pathMatchers("/admin/**").hasRole("ADMIN")
              // a POST to /users requires the role "USER_POST"
              .pathMatchers(HttpMethod.POST, "/users").hasAuthority("USER_POST")
              // a request to /users/{username} requires the current authentication's username
              // to be equal to the {username}
              .pathMatchers("/users/{username}").access((authentication, context) ->
                  authentication
                      .map(Authentication::getName)
                      .map((username) -> username.equals(context.getVariables().get("username")))
                      .map(AuthorizationDecision::new)
              )
              // allows providing a custom matching strategy that requires the role "ROLE_CUSTOM"
              .matchers(customMatcher).hasRole("CUSTOM")
              // any other request requires the user to be authenticated
              .anyExchange().authenticated();
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.AuthorizeExchangeSpec to customize

    • authorizeExchange

      public ServerHttpSecurity authorizeExchange(Customizer<ServerHttpSecurity.AuthorizeExchangeSpec> authorizeExchangeCustomizer)
      Configures authorization. An example configuration can be found below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .authorizeExchange((exchanges) ->
              exchanges
                  // any URL that starts with /admin/ requires the role "ROLE_ADMIN"
                  .pathMatchers("/admin/**").hasRole("ADMIN")
                  // a POST to /users requires the role "USER_POST"
                  .pathMatchers(HttpMethod.POST, "/users").hasAuthority("USER_POST")
                  // a request to /users/{username} requires the current authentication's username
                  // to be equal to the {username}
                  .pathMatchers("/users/{username}").access((authentication, context) ->
                      authentication
                          .map(Authentication::getName)
                          .map((username) -> username.equals(context.getVariables().get("username")))
                          .map(AuthorizationDecision::new)
                  )
                  // allows providing a custom matching strategy that requires the role "ROLE_CUSTOM"
                  .matchers(customMatcher).hasRole("CUSTOM")
                  // any other request requires the user to be authenticated
                  .anyExchange().authenticated()
          );
      return http.build();
  }
      Parameters:
      authorizeExchangeCustomizer - the Customizer to provide more options for the ServerHttpSecurity.AuthorizeExchangeSpec
      Returns:
      the ServerHttpSecurity to customize

    • logout

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.LogoutSpec logout()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use logout(Customizer) or logout(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures log out. An example configuration can be found below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .logout()
              // configures how log out is done
              .logoutHandler(logoutHandler)
              // log out will be performed on POST /signout
              .logoutUrl("/signout")
              // configure what is done on logout success
              .logoutSuccessHandler(successHandler);
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.LogoutSpec to customize

    • logout

      public ServerHttpSecurity logout(Customizer<ServerHttpSecurity.LogoutSpec> logoutCustomizer)
      Configures log out. An example configuration can be found below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .logout((logout) ->
              logout
                  // configures how log out is done
                  .logoutHandler(logoutHandler)
                  // log out will be performed on POST /signout
                  .logoutUrl("/signout")
                  // configure what is done on logout success
                  .logoutSuccessHandler(successHandler)
          );
      return http.build();
  }
      Parameters:
      logoutCustomizer - the Customizer to provide more options for the ServerHttpSecurity.LogoutSpec
      Returns:
      the ServerHttpSecurity to customize

    • requestCache

      @Deprecated(since="6.1", forRemoval=true) public ServerHttpSecurity.RequestCacheSpec requestCache()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use requestCache(Customizer) or requestCache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
      Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so that the request can be replayed after authentication. An example configuration can be found below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .requestCache()
              // configures how the request is cached
              .requestCache(requestCache);
      return http.build();
  }
      Returns:
      the ServerHttpSecurity.RequestCacheSpec to customize

    • requestCache

      public ServerHttpSecurity requestCache(Customizer<ServerHttpSecurity.RequestCacheSpec> requestCacheCustomizer)
      Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so that the request can be replayed after authentication. An example configuration can be found below: 
        @Bean
  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
      http
          // ...
          .requestCache((requestCache) ->
              requestCache
                  // configures how the request is cached
                  .requestCache(customRequestCache)
          );
      return http.build();
  }
      Parameters:
      requestCacheCustomizer - the Customizer to provide more options for the ServerHttpSecurity.RequestCacheSpec
      Returns:
      the ServerHttpSecurity to customize

    • authenticationManager

      public ServerHttpSecurity authenticationManager(ReactiveAuthenticationManager manager)
      Configure the default authentication manager.
      Parameters:
      manager - the authentication manager to use
      Returns:
      the ServerHttpSecurity to customize

    • build

      public SecurityWebFilterChain build()
      Builds the SecurityWebFilterChain
      Returns:
      the SecurityWebFilterChain

    • http

      public static ServerHttpSecurity http()
      Creates a new instance.
      Returns:
      the new ServerHttpSecurity instance

    • setApplicationContext

      protected void setApplicationContext(org.springframework.context.ApplicationContext applicationContext) throws org.springframework.beans.BeansException
      Throws:
      org.springframework.beans.BeansException