Nikita Kragel
Reputation: 241
Web ignoring using spring-webflux
In spring-mvc is possible to extends from WebSecurityConfigurerAdapter , override configure(WebSecurity web) and do somethink like this:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers(AUTH_WHITE_LIST);
}
The main benefit of this approach is that spring-security even will not try to decode passed token. Is it possible to do pretty much the same but using webflux?
I know that i can do like this:
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeExchange().pathMatchers(AUTH_WHITE_LIST).permitAll()
.anyExchange().authenticated();
return http.build();
}
But this way, as far as i know, spring-security will try to parse provided token first.
Upvotes: 13
Views: 4486
Answers (1)
M Ahlberg
Reputation: 336
As far as I know, the equivalent of making sure paths (and tokens) are ignored by spring security in webflux is to use the securityMatcher() method on ServerHttpSecurity. I.e. it should be the same as using the WebSecurity#ignoring() method with antMatchers.
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.securityMatcher(new NegatedServerWebExchangeMatcher(
ServerWebExchangeMatchers.pathMatchers("/ignore/this/path")))
.authorizeExchange()
.anyExchange().authenticated()
.and()
.csrf().disable()
.build();
}
Upvotes: 16
Related Questions
- Spring Webflux disabling login
- Disable webflux security
- Spring Webflux ServerResponse is blank
- You have to block on webflux to operate. Is there a way to operate without blocking?
- Spring Security WebFlux logout
- Spring webflux blocking another request
- Spring boot webflux only returning 401 and 403
- Spring Security 5.1.5 with WebFlux user disable not working
- Spring Webflux Security Allow All But One Url
- spring security webSecurity.ignoring()