|
6 | 6 | import org.springframework.context.annotation.Bean; |
7 | 7 | import org.springframework.context.annotation.Configuration; |
8 | 8 | import org.springframework.lang.Nullable; |
| 9 | +import org.springframework.security.config.Customizer; |
9 | 10 | import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity; |
10 | 11 | import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity; |
11 | 12 | import org.springframework.security.config.web.server.ServerHttpSecurity; |
|
25 | 26 | @EnableReactiveMethodSecurity // Allow method annotations like @PreAuthorize |
26 | 27 | class SecurityConfiguration { |
27 | 28 |
|
28 | | - private final String[] SWAGGER_URLS = new String[]{"/swagger-resources/**", "/swagger-ui/**", "/swagger-ui.*", "/v3/api-docs", "/v3/api-docs/**", "/webjars/**"}; |
| 29 | + private final String[] SWAGGER_URLS = new String[]{"/swagger-resources/**", "/swagger-ui/**", "/swagger-ui.*", "/v3/api-docs", "/v3/api-docs/**", "/webjars/**"}; |
29 | 30 |
|
30 | | - private boolean actuatorBypassSecurity = true; |
| 31 | + private boolean actuatorBypassSecurity = true; |
31 | 32 |
|
32 | | - private final ServerAuthenticationEntryPoint authenticationEntryPoint; |
| 33 | + private final ServerAuthenticationEntryPoint authenticationEntryPoint; |
33 | 34 |
|
34 | | - private final ServerAccessDeniedHandler accessDeniedHandler; |
| 35 | + private final ServerAccessDeniedHandler accessDeniedHandler; |
35 | 36 |
|
36 | | - private final ActuatorEndpointProperties actuatorEndpointProperties; |
| 37 | + private final ActuatorEndpointProperties actuatorEndpointProperties; |
37 | 38 |
|
38 | | - SecurityConfiguration(@Nullable final ServerAuthenticationEntryPoint authenticationEntryPoint, |
39 | | - @Nullable final ServerAccessDeniedHandler accessDeniedHandler, |
40 | | - @Nullable final ActuatorEndpointProperties actuatorEndpointProperties) { |
41 | | - this.authenticationEntryPoint = authenticationEntryPoint; |
42 | | - this.accessDeniedHandler = accessDeniedHandler; |
43 | | - this.actuatorEndpointProperties = actuatorEndpointProperties; |
44 | | - } |
| 39 | + SecurityConfiguration(@Nullable final ServerAuthenticationEntryPoint authenticationEntryPoint, |
| 40 | + @Nullable final ServerAccessDeniedHandler accessDeniedHandler, |
| 41 | + @Nullable final ActuatorEndpointProperties actuatorEndpointProperties) { |
| 42 | + this.authenticationEntryPoint = authenticationEntryPoint; |
| 43 | + this.accessDeniedHandler = accessDeniedHandler; |
| 44 | + this.actuatorEndpointProperties = actuatorEndpointProperties; |
| 45 | + } |
45 | 46 |
|
46 | | - @Bean |
47 | | - SecurityWebFilterChain securityWebFilterChain(final ServerHttpSecurity http) { |
48 | | - http.csrf().disable().authorizeExchange() |
49 | | - .pathMatchers(this.actuatorBypassSecurity && this.actuatorEndpointProperties != null |
50 | | - ? ArrayUtils.addAll(SWAGGER_URLS, this.actuatorEndpointProperties.getPaths()) |
51 | | - : SWAGGER_URLS).permitAll() |
52 | | - .pathMatchers("/problems/**").permitAll() |
53 | | - .anyExchange().authenticated() |
54 | | - .and().oauth2ResourceServer() |
55 | | - .jwt().jwtAuthenticationConverter(this.jwtAuthenticationConverter()) |
56 | | - .jwtDecoder(new JwtStringDecoder()); |
| 47 | + @Bean |
| 48 | + SecurityWebFilterChain securityWebFilterChain(final ServerHttpSecurity http) { |
| 49 | + http.csrf(ServerHttpSecurity.CsrfSpec::disable) |
| 50 | + .authorizeExchange((exchanges) -> exchanges |
| 51 | + .pathMatchers(this.actuatorBypassSecurity && this.actuatorEndpointProperties != null |
| 52 | + ? ArrayUtils.addAll(SWAGGER_URLS, this.actuatorEndpointProperties.getPaths()) |
| 53 | + : SWAGGER_URLS).permitAll() |
| 54 | + .pathMatchers("/problems/**").permitAll() |
| 55 | + .anyExchange().authenticated() |
| 56 | + ).oauth2ResourceServer( |
| 57 | + resourceServerCustomizer -> |
| 58 | + resourceServerCustomizer.jwt( |
| 59 | + jwtCustomizer -> |
| 60 | + jwtCustomizer |
| 61 | + .jwtAuthenticationConverter(this.jwtAuthenticationConverter()) |
| 62 | + .jwtDecoder(new JwtStringDecoder()))); |
57 | 63 |
|
58 | | - if (this.authenticationEntryPoint != null) { |
59 | | - http.exceptionHandling().authenticationEntryPoint(this.authenticationEntryPoint); |
60 | | - } |
61 | | - if (this.accessDeniedHandler != null) { |
62 | | - http.exceptionHandling().accessDeniedHandler(this.accessDeniedHandler); |
| 64 | + if (this.authenticationEntryPoint != null) { |
| 65 | + http.exceptionHandling( |
| 66 | + exceptionHandling -> |
| 67 | + exceptionHandling.authenticationEntryPoint(this.authenticationEntryPoint)); |
| 68 | + } |
| 69 | + if (this.accessDeniedHandler != null) { |
| 70 | + http.exceptionHandling( |
| 71 | + exceptionHandling -> exceptionHandling.accessDeniedHandler(this.accessDeniedHandler)); |
| 72 | + } |
| 73 | + return http.build(); |
63 | 74 | } |
64 | | - return http.build(); |
65 | | - } |
66 | 75 |
|
67 | | - private ReactiveJwtAuthenticationConverter jwtAuthenticationConverter() { |
68 | | - ReactiveJwtAuthenticationConverter jwtAuthenticationConverter = new ReactiveJwtAuthenticationConverter(); |
69 | | - jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter( |
70 | | - new ReactiveJwtGrantedAuthoritiesConverterAdapter(JwtUtils.jwtGrantedAuthoritiesConverter())); |
71 | | - jwtAuthenticationConverter.setPrincipalClaimName(JwtUtils.PRINCIPLE_NAME_CLAIM_ID); |
72 | | - return jwtAuthenticationConverter; |
73 | | - } |
| 76 | + private ReactiveJwtAuthenticationConverter jwtAuthenticationConverter() { |
| 77 | + ReactiveJwtAuthenticationConverter jwtAuthenticationConverter = new ReactiveJwtAuthenticationConverter(); |
| 78 | + jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter( |
| 79 | + new ReactiveJwtGrantedAuthoritiesConverterAdapter(JwtUtils.jwtGrantedAuthoritiesConverter())); |
| 80 | + jwtAuthenticationConverter.setPrincipalClaimName(JwtUtils.PRINCIPLE_NAME_CLAIM_ID); |
| 81 | + return jwtAuthenticationConverter; |
| 82 | + } |
74 | 83 | } |