9

I'm currently using Springs' WebFlux and I wanted to implement Spring Security. I am struggling to make any of my WebSecurityConfigurerAdapter http rules work and I am thinking it is because HttpSecurity changes have no effect. I'll explain what I mean:

I have chosen to implement WebSecurityConfigurerAdapter which has the method signature.

protected void configure(HttpSecurity http) throws Exception

This has been correctly configured but all of my endpoints receive 401 unauthorized (which is typical of a Configuration not being picked up and a default configuration being used instead). Instead, when I look at the implementations for WebFluxSecurity they usually implement a Bean with the following signature:

public SecurityWebFilterChain securitygWebFilterChain(
  ServerHttpSecurity http)

I know a lot of the WebFlux architecture implements a different set of Requests and Response objects to typical Spring so I am wondering whether I have to implement the WebFlux security way of doing things or if the more standard WebSecurityConfigurerAdapter way of implementing security should still work

Cheers

DWB
  • 1,544
  • 2
  • 16
  • 33
  • 2
    Have you seen this for starters? https://stackoverflow.com/questions/47354171/spring-webflux-custom-authentication-for-api – Dovmo Jul 08 '18 at 18:18
  • Does this answer your question? [Spring webflux custom authentication for API](https://stackoverflow.com/questions/47354171/spring-webflux-custom-authentication-for-api) – ArtemAgaev Jun 20 '22 at 11:36

1 Answers1

8

WebFluxSecurity use ServerHttpSecurity that use WebFilter to filter request. WebSecurity use HttpSecurity that javax.servlet.Filter to filter request.

it's different class and different implementation, overwrite: 

protected void configure(HttpSecurity http) throws Exception

won't work

Etay Ceder
  • 160
  • 1
  • 9