Marc06210

Reputation: 136

Filter chain with spring-security and webflux public patterns

I might be missing something obvious, but can't figure it out myself. So I hope you will be able to help me.

I am trying to secure a Spring WebFlux app, well in fact just a subset of the app, and I want some endpoints not to be secured. So here is my security config:

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFilterChain;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;

@EnableReactiveMethodSecurity
@EnableWebFluxSecurity
public class WebSecurityConfig  {

    ...

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {

        http
            .authorizeExchange()
                // login/logout endpoints and /api/team are meant to be public
                .pathMatchers("/process_login", "/login", "/logout").permitAll()
                .pathMatchers("/api/team").permitAll()
                .anyExchange().authenticated()
            .and()
                // custom filters placed at the authorization and authentication positions of the chain
                .addFilterAt(webFilter(), SecurityWebFiltersOrder.AUTHORIZATION)
                .addFilterAt(new AuthorizationModifierFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
            ;
        http.httpBasic().disable()
            .formLogin().disable()
            .logout().disable();

        return http.build();
    }
    ...
}

When accessing the /api/team endpoint I was expecting not to pass through the security filter chain, but I am passing into my security filters.

Any idea what I am doing wrong?

Thanks for your help, Marc

Upvotes: 1

Views: 6888

Answers (1)

Shoshi

Reputation: 2254

Don't break the chain. It should be something like this. Try this; if it doesn't work I will update accordingly.

import org.springframework.http.HttpStatus;
import reactor.core.publisher.Mono;

// all public paths in one array so a single pathMatchers() call covers them
private static String[] permittedUrl = new String[]{
    "/process_login", "/login", "/logout", "/api/team"
};
........
........
return http
         .csrf().disable()
         .cors().disable()
         .formLogin().disable()
         .httpBasic().disable()
         .exceptionHandling()
         // unauthenticated request -> 401, no redirect to a login page
         .authenticationEntryPoint((swe, e) ->
                 Mono.fromRunnable(() -> {
                     swe.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED);
                 })
         )
         // authenticated but not allowed -> 403
         .accessDeniedHandler((swe, e) ->
                 Mono.fromRunnable(() -> {
                     swe.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
                 })
         )
         .and()
         .authorizeExchange()
         .pathMatchers(permittedUrl).permitAll()
         .anyExchange()
         .authenticated()
         .and()
         .build();

Upvotes: 1
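As an added example that is not code from either poster, the configuration below takes the public paths from the question and the single-array pattern from the answer and separates the concerns the question runs together. permitAll() only changes the authorization decision; any WebFilter added with addFilterAt() is part of the chain and still executes for every exchange that chain matches. To keep custom filters off the public endpoints you can either give the public paths their own chain (selected with securityMatcher and a lower @Order) or make the filter path-aware itself; both are shown. SplitChainSecurityConfig, PUBLIC_PATHS and PathAwareFilter are names chosen for this example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFilterChain;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class SplitChainSecurityConfig {

    // Public paths taken from the question; the array form follows the answer.
    static final String[] PUBLIC_PATHS = {"/process_login", "/login", "/logout", "/api/team"};

    // Chain 1 (lowest order wins): claims only the public paths.
    // It carries no custom filters, so they can never run for these exchanges.
    @Bean
    @Order(1)
    public SecurityWebFilterChain publicChain(ServerHttpSecurity http) {
        return http
            .securityMatcher(ServerWebExchangeMatchers.pathMatchers(PUBLIC_PATHS))
            .authorizeExchange()
                .anyExchange().permitAll()
            .and()
            .build();
    }

    // Chain 2: every exchange chain 1 did not claim. The custom filter lives here only.
    // The filter is constructed inline on purpose: see the note below the block.
    @Bean
    @Order(2)
    public SecurityWebFilterChain securedChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange()
                .anyExchange().authenticated()
            .and()
            .addFilterAt(new PathAwareFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
            .httpBasic().disable()
            .formLogin().disable()
            .logout().disable()
            .build();
    }

    // Hypothetical stand-in for the question's webFilter()/AuthorizationModifierFilter.
    // Shows the single-chain alternative: the filter skips the public paths itself,
    // because the chain does not do that for it.
    static class PathAwareFilter implements WebFilter {

        private final ServerWebExchangeMatcher publicPaths =
                ServerWebExchangeMatchers.pathMatchers(PUBLIC_PATHS);

        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            return publicPaths.matches(exchange).flatMap(result -> {
                if (result.isMatch()) {
                    // public endpoint: pass straight through, do no work
                    return chain.filter(exchange);
                }
                // protected endpoint: the filter's real logic goes here (placeholder attribute)
                exchange.getAttributes().put("example.filtered", Boolean.TRUE);
                return chain.filter(exchange);
            });
        }
    }
}
```

One check worth doing when a filter "keeps running" despite permitAll(): any WebFilter that is exposed as a Spring bean (for example via a @Bean method) is picked up by WebFlux's WebHttpHandlerBuilder and applied to every request of the application, outside Spring Security altogether. A filter that should run only as part of a security chain must therefore be instantiated inside the chain definition, as above, rather than registered as a bean.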
