
Add WebFlux Redirect to HTTPS Reference

Fixes: gh-5869
Rob Winch 7 år sedan
förälder
incheckning
501c008526

+ 17 - 0
config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -27,6 +27,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Function;
 
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
@@ -1473,6 +1474,22 @@ public class ServerHttpSecurity {
 			return this;
 		}
 
+		/**
+		 * Configures when this filter should redirect to https
+		 *
+		 * By default, the filter will redirect whenever an exchange's scheme is not https
+		 *
+		 * @param when determines when to redirect to https
+		 * @return the {@link HttpsRedirectSpec} for additional configuration
+		 */
+		public HttpsRedirectSpec httpsRedirectWhen(
+				Function<ServerWebExchange, Boolean> when) {
+			ServerWebExchangeMatcher matcher = e -> when.apply(e) ?
+					ServerWebExchangeMatcher.MatchResult.match() :
+					ServerWebExchangeMatcher.MatchResult.notMatch();
+			return httpsRedirectWhen(matcher);
+		}
+
 		/**
 		 * Configures a custom HTTPS port to redirect to
 		 *
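Review bot: The new `httpsRedirectWhen(Function<ServerWebExchange, Boolean>)` overload never validates `when`, and the ternary in the lambda auto-unboxes its `Boolean` result, so a null argument or a function that returns null only shows up as a NullPointerException while a request is being matched, not when the configuration is built. I would fail fast at the top of the method with `Objects.requireNonNull(when, "when cannot be null");` (this needs a `java.util.Objects` import, or the file's own assertion helper if it has one). A null result should be handled explicitly, because silently mapping it to `notMatch()` would skip the redirect. The Javadoc should also state whether the supplied condition replaces the default scheme check or is combined with it; the "By default" sentence leaves that open, and it decides how a header-presence condition like the one in redirect-https.adoc behaves for a request that is already https. The enclosing spec class starts and ends outside this hunk.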

+ 1 - 1
docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc

@@ -31,7 +31,7 @@ Below are the highlights of the release.
 ** <<webflux-headers-csp,Content Security Policy>>
 ** <<webflux-headers-feature,Feature Policy>>
 ** <<webflux-headers-referrer,Referrer Policy>>
-* Support for redirecting to HTTPS
+* <<webflux-redirect-https,Redirect to HTTPS>>
 
 === Integrations
 

+ 2 - 0
docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc

@@ -4,6 +4,8 @@ include::webflux.adoc[leveloffset=+1]
 
 include::headers.adoc[leveloffset=+1]
 
+include::redirect-https.adoc[leveloffset=+1]
+
 include::oauth2/index.adoc[leveloffset=+1]
 
 include::registered-oauth2-authorized-client.adoc[leveloffset=+1]

+ 32 - 0
docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc

@@ -0,0 +1,32 @@
+[[webflux-redirect-https]]
+= Redirect to HTTPS
+
+HTTPS is required to provide a secure application.
+Spring Security can be configured to perform a redirect to https using the following Java Configuration:
+
+[source,java]
+----
+@Bean
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+	http
+		// ...
+		.redirectToHttps();
+	return http.build();
+}
+----
+
+The configuration can easily be wrapped around an if statement to only be turned on in production.
+Alternatively, it can be enabled by looking for a property about the request that only happens in production.
+For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:
+
+[source,java]
+----
+@Bean
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+	http
+		// ...
+		.redirectToHttps()
+			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"));
+	return http.build();
+}
+----