
I'm trying to migrate a classic Spring Boot application to a reactive Spring Boot application, but I have problems with this task.

How do I migrate the code below

package com.example;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

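@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    /**
     * Web-page and static-asset paths open to every client. They are registered after the
     * API rules below, so nothing listed here may fall under "/api/**".
     */
    private static final String[] PUBLIC_PATHS = {
            "/", "/error", "/**/favicon.ico", "/css/**", "/fonts/**", "/js/**",
            "/images/avatar.png", "/images/logo.png", "/profile", "/profile/find", "/profile/view/**"
    };

    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Wires the application's {@link UserDetailsService} and the BCrypt encoder declared
     * below into the authentication manager.
     *
     * @param auth builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    /**
     * Servlet-stack {@link HttpSecurity} rules (the WebFlux counterpart is ServerHttpSecurity).
     * <p>
     * The original spread the rules over two {@code authorizeRequests()} calls. Both calls
     * append to the same registry and the first matching rule wins, so the early
     * {@code "/api/**".authenticated()} shadowed the later {@code "/api/register".permitAll()}
     * and registration was never actually open. All rules now live in one chain, ordered
     * most specific first.
     *
     * @param http builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                // most specific API rule first: registration must stay reachable without a session
                .antMatchers("/api/register").permitAll()
                // anonymous() admits only unauthenticated callers; a logged-in user is refused (403)
                .antMatchers("/api").anonymous()
                .antMatchers("/api/**").authenticated()
                .antMatchers("/login").anonymous()
                .antMatchers(PUBLIC_PATHS).permitAll()
                .anyRequest().authenticated().and()
                .httpBasic().and()
                .formLogin().loginPage("/login").loginProcessingUrl("/profile/login").failureUrl("/login?error").usernameParameter("usr").passwordParameter("pass").and()
                // NOTE(review): browsers match cookie names case-sensitively and the servlet container's
                // default session cookie is JSESSIONID, so "jsessionid" only clears it if the cookie was
                // renamed — confirm. invalidateHttpSession(true) still ends the server-side session.
                .logout().logoutUrl("/logout").invalidateHttpSession(true).deleteCookies("jsessionid","nebp").logoutSuccessUrl("/login?logout").and()
                // NOTE(review): the key signs the remember-me cookie; a literal in source is shared by every
                // deployment and everyone with repository access — externalise it to configuration.
                .rememberMe().key("nebpps").tokenValiditySeconds(2419200).rememberMeParameter("remember_me").rememberMeCookieName("nebp").useSecureCookie(true).and()
                // presumably because API callers use HTTP Basic rather than a browser session, CSRF tokens
                // are not demanded under /api — browser-facing form endpoints stay protected
                .csrf().ignoringAntMatchers("/api/**").and()
                .exceptionHandling().accessDeniedPage("/403");
    }

    /**
     * Password encoder shared by the authentication manager and any bean injecting
     * {@code passwordEncoder}.
     *
     * @return a BCrypt encoder (one-way hash, not encryption)
     */
    @Bean(name = "passwordEncoder")
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}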

to the style of the code below

@Configuration
@EnableWebFluxSecurity
public class SecurityConfiguration {

    /** Login and logout endpoints; open to everyone, not restricted to anonymous callers. */
    private static final String[] AUTH_PAGES = { "/login", "/logout" };

    /** Static assets served without authentication. */
    private static final String[] STATIC_ASSETS = {
            "/i18n/**", "/css/**", "/fonts/**", "/icons-reference/**", "/img/**", "/js/**", "/vendor/**"
    };

    /**
     * Assembles the reactive security filter chain. Each spec ({@code csrf}, {@code authorizeExchange},
     * {@code formLogin}, {@code logout}) is held on {@code http}, so configuring them in separate
     * statements yields the same chain as one fluent call.
     *
     * @param http reactive security builder supplied by Spring
     * @return the built filter chain
     */
    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        // CSRF protection is switched off for every exchange, including the form login below.
        http.csrf().disable();

        http.authorizeExchange()
                .pathMatchers(AUTH_PAGES).permitAll()
                .pathMatchers(STATIC_ASSETS).permitAll()
                .anyExchange().authenticated();

        http.formLogin().loginPage("/login");
        http.logout().logoutUrl("/logout");

        return http.build();
    }

    /**
     * Encoder for stored passwords, in case you want to hash them (BCrypt is a one-way hash,
     * not encryption). Exposed as the concrete type, as in the original.
     *
     * @return a BCrypt encoder
     */
    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}

I accept that certain elements, such as usernameParameter, cannot be defined as before.

First, how do I configure a given path (/logout) to be accessible only to anonymous users?

Secondly, how do I keep CSRF enabled but exclude addresses beginning with /api?



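@Configuration
@EnableWebSecurity
public class SecurityConfiguration {

    /**
     * Servlet-stack replacement for {@code WebSecurityConfigurerAdapter}: the HttpSecurity
     * rules are declared in a {@code SecurityFilterChain} bean instead of an override.
     * Note that this is the {@code @EnableWebSecurity}/{@code HttpSecurity} (Spring MVC) form,
     * not the {@code @EnableWebFluxSecurity}/{@code ServerHttpSecurity} form the question
     * targets.
     *
     * @param http builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception propagated from the builder
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // The original left "/health" without an access rule and chained sessionManagement()
        // onto the matcher registry, which does not compile; the rule is completed here and
        // the remaining specs are configured on http directly.
        http.authorizeHttpRequests(authorizeRequests -> authorizeRequests
                .requestMatchers(new AntPathRequestMatcher("/health")).permitAll()
                // deny-by-default for everything not matched above
                .anyRequest().authenticated());

        // session management here, e.g. http.sessionManagement(session -> ...)
        // headers here, e.g. http.headers(headers -> ...)

        return http.build();
    }

}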

In addition to the above, you can add a filter class extending OncePerRequestFilter to set/verify a custom token.
