Add WebFlux

Fixes gh-4128

config/spring-security-config.gradle

@@ -15,6 +15,7 @@ dependencies {
 	optional project(':spring-security-oauth2-client')
 	optional project(':spring-security-openid')
 	optional project(':spring-security-web')
+	optional project(':spring-security-webflux')
 	optional 'org.aspectj:aspectjweaver'
 	optional 'org.springframework:spring-jdbc'
 	optional 'org.springframework:spring-tx'
@@ -27,6 +28,7 @@ dependencies {
 	testCompile project(':spring-security-aspects')
 	testCompile project(':spring-security-cas')
 	testCompile project(path : ':spring-security-core', configuration : 'tests')
+	testCompile project(path : ':spring-security-webflux', configuration : 'tests')
 	testCompile apachedsDependencies
 	testCompile powerMockDependencies
 	testCompile spockDependencies

config/src/main/java/org/springframework/security/config/web/server/AbstractServerWebExchangeMatcherRegistry.java

@@ -0,0 +1,120 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.web.server;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
+
+import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.*;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+abstract class AbstractServerWebExchangeMatcherRegistry<T> {
+
+	/**
+	 * Maps any request.
+	 *
+	 * @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
+	 */
+	public T anyExchange() {
+		return matcher(ServerWebExchangeMatchers.anyExchange());
+	}
+
+	/**
+	 * Maps a {@link List} of
+	 * {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher}
+	 * instances.
+	 *
+	 * @param method the {@link HttpMethod} to use for any
+	 * {@link HttpMethod}.
+	 *
+	 * @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
+	 */
+	public T antMatchers(HttpMethod method) {
+		return antMatchers(method, new String[] { "/**" });
+	}
+
+	/**
+	 * Maps a {@link List} of
+	 * {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher}
+	 * instances.
+	 *
+	 * @param method the {@link HttpMethod} to use or {@code null} for any
+	 * {@link HttpMethod}.
+	 * @param antPatterns the ant patterns to create. If {@code null} or empty, then matches on nothing.
+	 * {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher} from
+	 *
+	 * @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
+	 */
+	public T antMatchers(HttpMethod method, String... antPatterns) {
+		return matcher(ServerWebExchangeMatchers.antMatchers(method, antPatterns));
+	}
+
+	/**
+	 * Maps a {@link List} of
+	 * {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher}
+	 * instances that do not care which {@link HttpMethod} is used.
+	 *
+	 * @param antPatterns the ant patterns to create
+	 * {@link org.springframework.security.web.server.util.matcher.PathMatcherServerWebExchangeMatcher} from
+	 *
+	 * @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
+	 */
+	public T antMatchers(String... antPatterns) {
+		return matcher(ServerWebExchangeMatchers.antMatchers(antPatterns));
+	}
+
+	/**
+	 * Associates a list of {@link ServerWebExchangeMatcher} instances
+	 *
+	 * @param matchers the {@link ServerWebExchangeMatcher} instances
+	 *
+	 * @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
+	 */
+	public T matchers(ServerWebExchangeMatcher... matchers) {
+		return registerMatcher(new OrServerWebExchangeMatcher(matchers));
+	}
+
+	/**
+	 * Subclasses should implement this method for returning the object that is chained to
+	 * the creation of the {@link ServerWebExchangeMatcher} instances.
+	 *
+	 * @param matcher the {@link ServerWebExchangeMatcher} instances that were created
+	 * @return the chained Object for the subclass which allows association of something
+	 * else to the {@link ServerWebExchangeMatcher}
+	 */
+	protected abstract T registerMatcher(ServerWebExchangeMatcher matcher);
+
+	/**
+	 * Associates a {@link ServerWebExchangeMatcher} instances
+	 *
+	 * @param matcher the {@link ServerWebExchangeMatcher} instance
+	 *
+	 * @return the object that is chained after creating the {@link ServerWebExchangeMatcher}
+	 */
+	private T matcher(ServerWebExchangeMatcher matcher) {
+		return registerMatcher(matcher);
+	}
+}

config/src/main/java/org/springframework/security/config/web/server/AuthorizeExchangeBuilder.java

@@ -0,0 +1,91 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.web.server;
+
+import org.springframework.security.authorization.AuthenticatedAuthorizationManager;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.web.server.authorization.AuthorizationContext;
+import org.springframework.security.authorization.ReactiveAuthorizationManager;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
+import org.springframework.security.web.server.authorization.AuthorizationWebFilter;
+import org.springframework.security.web.server.authorization.DelegatingReactiveAuthorizationManager;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.web.server.WebFilter;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AuthorizeExchangeBuilder extends AbstractServerWebExchangeMatcherRegistry<AuthorizeExchangeBuilder.Access> {
+	private DelegatingReactiveAuthorizationManager.Builder managerBldr = DelegatingReactiveAuthorizationManager.builder();
+	private ServerWebExchangeMatcher matcher;
+	private boolean anyExchangeRegistered;
+
+	@Override
+	public Access anyExchange() {
+		Access result = super.anyExchange();
+		anyExchangeRegistered = true;
+		return result;
+	}
+
+	@Override
+	protected Access registerMatcher(ServerWebExchangeMatcher matcher) {
+		if(anyExchangeRegistered) {
+			throw new IllegalStateException("Cannot register " + matcher + " which would be unreachable because anyExchange() has already been registered.");
+		}
+		if(this.matcher != null) {
+			throw new IllegalStateException("The matcher " + matcher + " does not have an access rule defined");
+		}
+		this.matcher = matcher;
+		return new Access();
+	}
+
+	public WebFilter build() {
+		if(this.matcher != null) {
+			throw new IllegalStateException("The matcher " + matcher + " does not have an access rule defined");
+		}
+		return new AuthorizationWebFilter(managerBldr.build());
+	}
+
+	public final class Access {
+
+		public void permitAll() {
+			access( (a,e) -> Mono.just(new AuthorizationDecision(true)));
+		}
+
+		public void denyAll() {
+			access( (a,e) -> Mono.just(new AuthorizationDecision(false)));
+		}
+
+		public void hasRole(String role) {
+			access(AuthorityAuthorizationManager.hasRole(role));
+		}
+
+		public void hasAuthority(String authority) {
+			access(AuthorityAuthorizationManager.hasAuthority(authority));
+		}
+
+		public void authenticated() {
+			access(AuthenticatedAuthorizationManager.authenticated());
+		}
+
+		public void access(ReactiveAuthorizationManager<AuthorizationContext> manager) {
+			managerBldr.add(matcher, manager);
+			matcher = null;
+		}
+	}
+}

config/src/main/java/org/springframework/security/config/web/server/HeaderBuilder.java

@@ -0,0 +1,128 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.web.server;
+
+import org.springframework.security.web.server.header.CacheControlHttpHeadersWriter;
+import org.springframework.security.web.server.header.CompositeHttpHeadersWriter;
+import org.springframework.security.web.server.header.ContentTypeOptionsHttpHeadersWriter;
+import org.springframework.security.web.server.header.HttpHeaderWriterWebFilter;
+import org.springframework.security.web.server.header.HttpHeadersWriter;
+import org.springframework.security.web.server.header.StrictTransportSecurityHttpHeadersWriter;
+import org.springframework.security.web.server.header.XFrameOptionsHttpHeadersWriter;
+import org.springframework.security.web.server.header.XXssProtectionHttpHeadersWriter;
+
+import java.time.Duration;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class HeaderBuilder {
+	private final List<HttpHeadersWriter> writers;
+
+	private CacheControlHttpHeadersWriter cacheControl = new CacheControlHttpHeadersWriter();
+
+	private ContentTypeOptionsHttpHeadersWriter contentTypeOptions = new ContentTypeOptionsHttpHeadersWriter();
+
+	private StrictTransportSecurityHttpHeadersWriter hsts = new StrictTransportSecurityHttpHeadersWriter();
+
+	private XFrameOptionsHttpHeadersWriter frameOptions = new XFrameOptionsHttpHeadersWriter();
+
+	private XXssProtectionHttpHeadersWriter xss = new XXssProtectionHttpHeadersWriter();
+
+	public HeaderBuilder() {
+		this.writers = new ArrayList<>(Arrays.asList(cacheControl, contentTypeOptions, hsts, frameOptions, xss));
+	}
+
+	public CacheSpec cache() {
+		return new CacheSpec();
+	}
+
+	public ContentTypeOptionsSpec contentTypeOptions() {
+		return new ContentTypeOptionsSpec();
+	}
+
+	public FrameOptionsSpec frameOptions() {
+		return new FrameOptionsSpec();
+	}
+
+	public HstsSpec hsts() {
+		return new HstsSpec();
+	}
+
+	public HttpHeaderWriterWebFilter build() {
+		HttpHeadersWriter writer = new CompositeHttpHeadersWriter(writers);
+		return new HttpHeaderWriterWebFilter(writer);
+	}
+
+	public XssProtectionSpec xssProtection() {
+		return new XssProtectionSpec();
+	}
+
+	public class CacheSpec {
+		public void disable() {
+			writers.remove(cacheControl);
+		}
+
+		private CacheSpec() {}
+	}
+
+	public class ContentTypeOptionsSpec {
+		public void disable() {
+			writers.remove(contentTypeOptions);
+		}
+
+		private ContentTypeOptionsSpec() {}
+	}
+
+	public class FrameOptionsSpec {
+		public void mode(XFrameOptionsHttpHeadersWriter.Mode mode) {
+			frameOptions.setMode(mode);
+		}
+		public void disable() {
+			writers.remove(frameOptions);
+		}
+
+		private FrameOptionsSpec() {}
+	}
+
+	public class HstsSpec {
+		public void maxAge(Duration maxAge) {
+			hsts.setMaxAge(maxAge);
+		}
+
+		public void includeSubdomains(boolean includeSubDomains) {
+			hsts.setIncludeSubDomains(includeSubDomains);
+		}
+
+		public void disable() {
+			writers.remove(hsts);
+		}
+
+		private HstsSpec() {}
+	}
+
+	public class XssProtectionSpec {
+		public void disable() {
+			writers.remove(xss);
+		}
+
+		private XssProtectionSpec() {}
+	}
+}

config/src/main/java/org/springframework/security/config/web/server/HttpBasicBuilder.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2002-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.web.server;
+
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.web.server.AuthenticationEntryPoint;
+import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
+import org.springframework.security.web.server.HttpBasicAuthenticationConverter;
+import org.springframework.security.web.server.authentication.DefaultAuthenticationSuccessHandler;
+import org.springframework.security.web.server.authentication.www.HttpBasicAuthenticationEntryPoint;
+import org.springframework.security.web.server.context.SecurityContextRepository;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class HttpBasicBuilder {
+	private ReactiveAuthenticationManager authenticationManager;
+
+	private SecurityContextRepository securityContextRepository;
+
+	private AuthenticationEntryPoint entryPoint = new HttpBasicAuthenticationEntryPoint();
+
+	public HttpBasicBuilder authenticationManager(ReactiveAuthenticationManager authenticationManager) {
+		this.authenticationManager = authenticationManager;
+		return this;
+	}
+
+	public HttpBasicBuilder securityContextRepository(SecurityContextRepository securityContextRepository) {
+		this.securityContextRepository = securityContextRepository;
+		return this;
+	}
+
+	public AuthenticationWebFilter build() {
+		AuthenticationWebFilter authenticationFilter = new AuthenticationWebFilter(authenticationManager);
+		authenticationFilter.setEntryPoint(entryPoint);
+		authenticationFilter.setAuthenticationConverter(new HttpBasicAuthenticationConverter());
+		if(securityContextRepository != null) {
+			DefaultAuthenticationSuccessHandler handler = new DefaultAuthenticationSuccessHandler();
+			handler.setSecurityContextRepository(securityContextRepository);
+			authenticationFilter.setAuthenticationSuccessHandler(handler);
+		}
+		return authenticationFilter;
+	}
+}

config/src/main/java/org/springframework/security/config/web/server/HttpSecurity.java

@@ -0,0 +1,101 @@
+/*
+ * Copyright 2002-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.web.server;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.web.server.context.SecurityContextRepositoryWebFilter;
+import org.springframework.security.web.server.WebFilterChainFilter;
+import org.springframework.security.web.server.authorization.ExceptionTranslationWebFilter;
+import org.springframework.security.web.server.context.SecurityContextRepository;
+import org.springframework.util.Assert;
+import org.springframework.web.server.WebFilter;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class HttpSecurity {
+	private AuthorizeExchangeBuilder authorizeExchangeBuilder;
+
+	private HeaderBuilder headers = new HeaderBuilder();
+	private HttpBasicBuilder httpBasic;
+	private ReactiveAuthenticationManager authenticationManager;
+
+	private Optional<SecurityContextRepository> securityContextRepository = Optional.empty();
+
+	public HttpSecurity securityContextRepository(SecurityContextRepository securityContextRepository) {
+		Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
+		this.securityContextRepository = Optional.of(securityContextRepository);
+		return this;
+	}
+
+	public HttpBasicBuilder httpBasic() {
+		if(httpBasic == null) {
+			httpBasic = new HttpBasicBuilder();
+		}
+		return httpBasic;
+	}
+
+	public HeaderBuilder headers() {
+		return headers;
+	}
+
+	public AuthorizeExchangeBuilder authorizeExchange() {
+		if(authorizeExchangeBuilder == null) {
+			authorizeExchangeBuilder = new AuthorizeExchangeBuilder();
+		}
+		return authorizeExchangeBuilder;
+	}
+
+	public HttpSecurity authenticationManager(ReactiveAuthenticationManager manager) {
+		this.authenticationManager = manager;
+		return this;
+	}
+
+	public WebFilter build() {
+		List<WebFilter> filters = new ArrayList<>();
+		if(headers != null) {
+			filters.add(headers.build());
+		}
+		securityContextRepositoryWebFilter().ifPresent( f-> filters.add(f));
+		if(httpBasic != null) {
+			httpBasic.authenticationManager(authenticationManager);
+			securityContextRepository.ifPresent( scr -> httpBasic.securityContextRepository(scr)) ;
+			filters.add(httpBasic.build());
+		}
+		if(authorizeExchangeBuilder != null) {
+			filters.add(new ExceptionTranslationWebFilter());
+			filters.add(authorizeExchangeBuilder.build());
+		}
+		return new WebFilterChainFilter(filters);
+	}
+
+	public static HttpSecurity http() {
+		return new HttpSecurity();
+	}
+
+	private Optional<SecurityContextRepositoryWebFilter> securityContextRepositoryWebFilter() {
+		return securityContextRepository
+			.flatMap( r -> Optional.of(new SecurityContextRepositoryWebFilter(r)));
+	}
+
+
+	private HttpSecurity() {}
+}

config/src/test/java/org/springframework/security/config/web/server/AuthorizeExchangeBuilderTests.java

@@ -0,0 +1,112 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.config.web.server;
+
+import org.junit.Test;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
+import org.springframework.security.web.server.authorization.ExceptionTranslationWebFilter;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AuthorizeExchangeBuilderTests {
+	AuthorizeExchangeBuilder authorization = new AuthorizeExchangeBuilder();
+
+	@Test
+	public void antMatchersWhenMethodAndPatternsThenDiscriminatesByMethod() {
+		authorization.antMatchers(HttpMethod.POST, "/a", "/b").denyAll();
+		authorization.anyExchange().permitAll();
+
+		WebTestClient client = buildClient();
+
+		client.get()
+			.uri("/a")
+			.exchange()
+			.expectStatus().isOk();
+
+		client.get()
+			.uri("/b")
+			.exchange()
+			.expectStatus().isOk();
+
+		client.post()
+			.uri("/a")
+			.exchange()
+			.expectStatus().isUnauthorized();
+
+		client.post()
+			.uri("/b")
+			.exchange()
+			.expectStatus().isUnauthorized();
+	}
+
+
+	@Test
+	public void antMatchersWhenPatternsThenAnyMethod() {
+		authorization.antMatchers("/a", "/b").denyAll();
+		authorization.anyExchange().permitAll();
+
+		WebTestClient client = buildClient();
+
+		client.get()
+			.uri("/a")
+			.exchange()
+			.expectStatus().isUnauthorized();
+
+		client.get()
+			.uri("/b")
+			.exchange()
+			.expectStatus().isUnauthorized();
+
+		client.post()
+			.uri("/a")
+			.exchange()
+			.expectStatus().isUnauthorized();
+
+		client.post()
+			.uri("/b")
+			.exchange()
+			.expectStatus().isUnauthorized();
+	}
+
+	@Test(expected = IllegalStateException.class)
+	public void antMatchersWhenNoAccessAndAnotherMatcherThenThrowsException() {
+		authorization.antMatchers("/incomplete");
+		authorization.antMatchers("/throws-exception");
+	}
+
+	@Test(expected = IllegalStateException.class)
+	public void anyExchangeWhenFollowedByMatcherThenThrowsException() {
+		authorization.anyExchange().denyAll();
+		authorization.antMatchers("/never-reached");
+	}
+
+	@Test(expected = IllegalStateException.class)
+	public void buildWhenMatcherDefinedWithNoAccessThenThrowsException() {
+		authorization.antMatchers("/incomplete");
+		authorization.build();
+	}
+
+	private WebTestClient buildClient() {
+		return WebTestClientBuilder.bindToWebFilters(new ExceptionTranslationWebFilter(), authorization.build()).build();
+	}
+}

config/src/test/java/org/springframework/security/config/web/server/HeaderBuilderTests.java

@@ -0,0 +1,144 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.config.web.server;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
+import org.springframework.security.web.server.header.ContentTypeOptionsHttpHeadersWriter;
+import org.springframework.security.web.server.header.StrictTransportSecurityHttpHeadersWriter;
+import org.springframework.security.web.server.header.XFrameOptionsHttpHeadersWriter;
+import org.springframework.security.web.server.header.XXssProtectionHttpHeadersWriter;
+import org.springframework.test.web.reactive.server.FluxExchangeResult;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+import java.time.Duration;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class HeaderBuilderTests {
+	HeaderBuilder headers = new HeaderBuilder();
+
+	HttpHeaders expectedHeaders = new HttpHeaders();
+
+	Set<String> ignoredHeaderNames = Collections.singleton(HttpHeaders.CONTENT_TYPE);
+
+	@Before
+	public void setup() {
+		expectedHeaders.add(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY, "max-age=31536000 ; includeSubDomains");
+		expectedHeaders.add(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, max-age=0, must-revalidate");
+		expectedHeaders.add(HttpHeaders.PRAGMA, "no-cache");
+		expectedHeaders.add(HttpHeaders.EXPIRES, "0");
+		expectedHeaders.add(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, "nosniff");
+		expectedHeaders.add(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS, "DENY");
+		expectedHeaders.add(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION, "1 ; mode=block");
+	}
+
+	@Test
+	public void headersWhenDefaultsThenAllDefaultsWritten() {
+		assertHeaders();
+	}
+
+	@Test
+	public void headersWhenCacheDisableThenCacheNotWritten() {
+		expectedHeaders.remove(HttpHeaders.CACHE_CONTROL);
+		expectedHeaders.remove(HttpHeaders.PRAGMA);
+		expectedHeaders.remove(HttpHeaders.EXPIRES);
+		headers.cache().disable();
+
+		assertHeaders();
+	}
+
+	@Test
+	public void headersWhenContentOptionsDisableThenContentTypeOptionsNotWritten() {
+		expectedHeaders.remove(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS);
+		headers.contentTypeOptions().disable();
+
+		assertHeaders();
+	}
+
+	@Test
+	public void headersWhenHstsDisableThenHstsNotWritten() {
+		expectedHeaders.remove(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
+		headers.hsts().disable();
+
+		assertHeaders();
+	}
+
+	@Test
+	public void headersWhenHstsCustomThenCustomHstsWritten() {
+		expectedHeaders.remove(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
+		expectedHeaders.add(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY, "max-age=60");
+		headers.hsts().maxAge(Duration.ofSeconds(60));
+		headers.hsts().includeSubdomains(false);
+
+		assertHeaders();
+	}
+
+	@Test
+	public void headersWhenFrameOptionsDisableThenFrameOptionsNotWritten() {
+		expectedHeaders.remove(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS);
+		headers.frameOptions().disable();
+
+		assertHeaders();
+	}
+
+	@Test
+	public void headersWhenFrameOptionsModeThenFrameOptionsCustomMode() {
+		expectedHeaders.remove(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS);
+		expectedHeaders.add(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS, "SAMEORIGIN");
+		headers.frameOptions().mode(XFrameOptionsHttpHeadersWriter.Mode.SAMEORIGIN);
+
+		assertHeaders();
+	}
+
+	@Test
+	public void headersWhenXssProtectionDisableThenXssProtectionNotWritten() {
+		expectedHeaders.remove("X-Xss-Protection");
+		headers.xssProtection().disable();
+
+		assertHeaders();
+	}
+
+	private void assertHeaders() {
+		WebTestClient client = buildClient();
+		FluxExchangeResult<String> response = client.get()
+			.uri("https://example.com/")
+			.exchange()
+			.returnResult(String.class);
+
+		Map<String,List<String>> responseHeaders = response.getResponseHeaders();
+		ignoredHeaderNames.stream().forEach(responseHeaders::remove);
+
+		assertThat(responseHeaders).describedAs(response.toString()).isEqualTo(expectedHeaders);
+	}
+
+	private WebTestClient buildClient() {
+		return WebTestClientBuilder.bindToWebFilters(headers.build()).build();
+	}
+}

config/src/test/java/org/springframework/security/config/web/server/HttpSecurityTests.java

@@ -0,0 +1,107 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.config.web.server;
+
+import org.apache.http.HttpHeaders;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
+import org.springframework.security.web.server.context.SecurityContextRepository;
+import org.springframework.security.web.server.context.WebSessionSecurityContextRepository;
+import org.springframework.test.web.reactive.server.EntityExchangeResult;
+import org.springframework.test.web.reactive.server.FluxExchangeResult;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.web.server.WebSession;
+import reactor.core.publisher.Mono;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class HttpSecurityTests {
+	@Mock
+	SecurityContextRepository contextRepository;
+	@Mock
+	ReactiveAuthenticationManager authenticationManager;
+
+	HttpSecurity http;
+
+	@Before
+	public void setup() {
+		http = HttpSecurity.http();
+	}
+
+	@Test
+	public void defaults() {
+		http.securityContextRepository(this.contextRepository);
+
+		WebTestClient client = buildClient();
+
+		FluxExchangeResult<String> result = client.get()
+			.uri("/")
+			.exchange()
+			.expectHeader().valueMatches(HttpHeaders.CACHE_CONTROL, ".+")
+			.returnResult(String.class);
+
+		assertThat(result.getResponseCookies()).isEmpty();
+		// there is no need to try and load the SecurityContext by default
+		verifyZeroInteractions(contextRepository);
+	}
+
+	@Test
+	public void basic() {
+		given(this.authenticationManager.authenticate(any())).willReturn(Mono.just(new TestingAuthenticationToken("rob", "rob", "ROLE_USER", "ROLE_ADMIN")));
+
+		http.securityContextRepository(new WebSessionSecurityContextRepository());
+		http.httpBasic();
+		http.authenticationManager(authenticationManager);
+		AuthorizeExchangeBuilder authorize = http.authorizeExchange();
+		authorize.anyExchange().authenticated();
+
+		WebTestClient client = buildClient();
+
+		EntityExchangeResult<byte[]> result = client
+			.filter(basicAuthentication("rob", "rob"))
+			.get()
+			.uri("/")
+			.exchange()
+			.expectStatus().isOk()
+			.expectHeader().valueMatches(HttpHeaders.CACHE_CONTROL, ".+")
+			.expectBody().consumeAsStringWith( b-> assertThat(b).isEqualTo("ok"))
+			.returnResult();
+
+		assertThat(result.getResponseCookies().getFirst("SESSION")).isNotNull();
+	}
+
+	private WebTestClient buildClient() {
+		return WebTestClientBuilder.bindToWebFilters(http.build()).build();
+	}
+}

core/spring-security-core.gradle

@@ -18,6 +18,7 @@ dependencies {
 	included includeProject
 
 	optional 'com.fasterxml.jackson.core:jackson-databind'
+	optional 'io.projectreactor:reactor-core'
 	optional 'javax.annotation:jsr250-api'
 	optional 'net.sf.ehcache:ehcache'
 	optional 'org.aspectj:aspectjrt'
@@ -26,6 +27,7 @@ dependencies {
 
 	testCompile powerMockDependencies
 	testCompile 'commons-collections:commons-collections'
+	testCompile 'io.projectreactor.addons:reactor-test'
 	testCompile 'org.skyscreamer:jsonassert'
 	testCompile 'org.slf4j:jcl-over-slf4j'
 	testCompile 'org.springframework:spring-test'

core/src/main/java/org/springframework/security/authentication/MapUserDetailsRepository.java

@@ -0,0 +1,55 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.authentication;
+
+import java.util.Collection;
+import java.util.Map;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import org.springframework.util.Assert;
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class MapUserDetailsRepository implements UserDetailsRepository {
+	private final Map<String,UserDetails> users;
+
+	public MapUserDetailsRepository(Collection<UserDetails> users) {
+		Assert.notEmpty(users, "users cannot be null or empty");
+		this.users = users.stream().collect(Collectors.toMap( u -> getKey(u.getName()), Function.identity()));
+	}
+
+	@Override
+	public Mono<UserDetails> findByUsername(String username) {
+		String key = getKey(username);
+		UserDetails result = users.get(key);
+		return result == null ? Mono.empty() : Mono.just(User.withUserDetails(result).build());
+	}
+
+	private String getKey(String username) {
+		return username.toLowerCase();
+	}
+}

core/src/main/java/org/springframework/security/authentication/ReactiveAuthenticationManager.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authentication;
+
+import org.springframework.security.core.Authentication;
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public interface ReactiveAuthenticationManager {
+
+	Mono<Authentication> authenticate(Authentication authentication);
+}

core/src/main/java/org/springframework/security/authentication/ReactiveAuthenticationManagerAdapter.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2002-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authentication;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
+import reactor.core.publisher.Mono;
+import reactor.core.scheduler.Schedulers;
+
+/**
+ * Adapts an AuthenticationManager to the reactive APIs. This is somewhat necessary because many of the ways that
+ * credentials are stored (i.e.  JDBC, LDAP, etc) do not have reactive implementations. What's more is it is generally
+ * considered best practice to store passwords in a hash that is intentionally slow which would block ever request
+ * from coming in unless it was put on another thread.
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class ReactiveAuthenticationManagerAdapter implements ReactiveAuthenticationManager {
+	private final AuthenticationManager authenticationManager;
+
+	public ReactiveAuthenticationManagerAdapter(AuthenticationManager authenticationManager) {
+		Assert.notNull(authenticationManager, "authenticationManager cannot be null");
+		this.authenticationManager = authenticationManager;
+	}
+
+	@Override
+	public Mono<Authentication> authenticate(Authentication token) {
+		return Mono.just(token)
+			.publishOn(Schedulers.elastic())
+			.flatMap( t -> {
+				try {
+					return Mono.just(authenticationManager.authenticate(t));
+				} catch(Throwable error) {
+					return Mono.error(error);
+				}
+			})
+			.filter( a -> a.isAuthenticated());
+	}
+}

core/src/main/java/org/springframework/security/authentication/UserDetailsRepository.java

@@ -0,0 +1,10 @@
+package org.springframework.security.authentication;
+
+import org.springframework.security.core.userdetails.UserDetails;
+
+import reactor.core.publisher.Mono;
+
+public interface UserDetailsRepository {
+
+	Mono<UserDetails> findByUsername(String username);
+}

core/src/main/java/org/springframework/security/authentication/UserDetailsRepositoryAuthenticationManager.java

@@ -0,0 +1,47 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.authentication;
+
+import org.springframework.security.core.Authentication;
+
+import org.springframework.util.Assert;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class UserDetailsRepositoryAuthenticationManager implements ReactiveAuthenticationManager {
+	private final UserDetailsRepository repository;
+
+	public UserDetailsRepositoryAuthenticationManager(UserDetailsRepository userDetailsRepository) {
+		Assert.notNull(userDetailsRepository, "userDetailsRepository cannot be null");
+		this.repository = userDetailsRepository;
+	}
+
+	@Override
+	public Mono<Authentication> authenticate(Authentication authentication) {
+		final String username = authentication.getName();
+		return repository
+				.findByUsername(username)
+				.filter( u -> u.getPassword().equals(authentication.getCredentials()))
+				.switchIfEmpty(  Mono.error(new BadCredentialsException("Invalid Credentials")) )
+				.map( u -> new UsernamePasswordAuthenticationToken(u, u.getPassword(), u.getAuthorities()) );
+	}
+}

core/src/main/java/org/springframework/security/authorization/AuthenticatedAuthorizationManager.java

@@ -0,0 +1,42 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.authorization;
+
+import org.springframework.security.core.Authentication;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AuthenticatedAuthorizationManager<T> implements ReactiveAuthorizationManager<T> {
+
+	@Override
+	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
+		return authentication
+			.map(a -> new AuthorizationDecision(a.isAuthenticated()))
+			.defaultIfEmpty(new AuthorizationDecision(false));
+	}
+
+	public static <T> AuthenticatedAuthorizationManager<T> authenticated() {
+		return new AuthenticatedAuthorizationManager<>();
+	}
+
+	private AuthenticatedAuthorizationManager() {}
+}

core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java

@@ -0,0 +1,56 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.authorization;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AuthorityAuthorizationManager<T> implements ReactiveAuthorizationManager<T> {
+	private final String authority;
+
+	private AuthorityAuthorizationManager(String authority) {
+		this.authority = authority;
+	}
+
+	@Override
+	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object) {
+		return authentication
+			.filter(a -> a.isAuthenticated())
+			.flatMapIterable( a -> a.getAuthorities())
+			.map( g-> g.getAuthority())
+			.hasElement(this.authority)
+			.map( hasAuthority -> new AuthorizationDecision(hasAuthority))
+			.defaultIfEmpty(new AuthorizationDecision(false));
+	}
+
+	public static <T> AuthorityAuthorizationManager<T> hasAuthority(String authority) {
+		Assert.notNull(authority, "authority cannot be null");
+		return new AuthorityAuthorizationManager<>(authority);
+	}
+
+	public static <T> AuthorityAuthorizationManager<T> hasRole(String role) {
+		Assert.notNull(role, "role cannot be null");
+		return hasAuthority("ROLE_" + role);
+	}
+}

core/src/main/java/org/springframework/security/authorization/AuthorizationDecision.java

@@ -0,0 +1,35 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.authorization;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AuthorizationDecision {
+	private final boolean granted;
+
+	public AuthorizationDecision(boolean granted) {
+		this.granted = granted;
+	}
+
+	public boolean isGranted() {
+		return granted;
+	}
+}

core/src/main/java/org/springframework/security/authorization/ReactiveAuthorizationManager.java

@@ -0,0 +1,39 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.authorization;
+
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.Authentication;
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public interface ReactiveAuthorizationManager<T> {
+	Mono<AuthorizationDecision> check(Mono<Authentication> authentication, T object);
+
+	default Mono<Void> verify(Mono<Authentication> authentication, T object) {
+		return check(authentication, object)
+			.filter( d -> d.isGranted())
+			.switchIfEmpty( Mono.error(new AccessDeniedException("Access Denied")) )
+			.flatMap( d -> Mono.empty() );
+	}
+}

core/src/test/java/org/springframework/security/authentication/MapUserDetailsRepositoryTests.java

@@ -0,0 +1,76 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authentication;
+
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+
+import org.junit.Test;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import reactor.core.publisher.Mono;
+
+public class MapUserDetailsRepositoryTests {
+	private static final UserDetails USER_DETAILS = User.withUsername("user")
+			.password("password")
+			.roles("USER")
+			.build();
+
+	private MapUserDetailsRepository users = new MapUserDetailsRepository(Arrays.asList(USER_DETAILS));
+
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorNullUsers() {
+		Collection<UserDetails> users = null;
+		new MapUserDetailsRepository(users);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorEmptyUsers() {
+		Collection<UserDetails> users = Collections.emptyList();
+		new MapUserDetailsRepository(users);
+	}
+
+	@Test
+	public void findByUsernameWhenFoundThenReturns() {
+		assertThat((users.findByUsername(USER_DETAILS.getUsername()).block())).isEqualTo(USER_DETAILS);
+	}
+
+	@Test
+	public void findByUsernameWhenDifferentCaseThenReturns() {
+		assertThat((users.findByUsername("uSeR").block())).isEqualTo(USER_DETAILS);
+	}
+
+	@Test
+	public void findByUsernameWhenClearCredentialsThenFindByUsernameStillHasCredentials() {
+		User foundUser = users.findByUsername(USER_DETAILS.getUsername()).cast(User.class).block();
+		assertThat(foundUser.getPassword()).isNotEmpty();
+		foundUser.eraseCredentials();
+		assertThat(foundUser.getPassword()).isNull();
+
+		foundUser = users.findByUsername(USER_DETAILS.getUsername()).cast(User.class).block();
+		assertThat(foundUser.getPassword()).isNotEmpty();
+	}
+
+	@Test
+	public void findByUsernameWhenNotFoundThenEmpty() {
+		assertThat((users.findByUsername("notfound"))).isEqualTo(Mono.empty());
+	}
+}

core/src/test/java/org/springframework/security/authentication/ReactiveAuthenticationManagerAdapterTests.java

@@ -0,0 +1,89 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.authentication;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.core.Authentication;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.when;
+
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class ReactiveAuthenticationManagerAdapterTests {
+	@Mock
+	AuthenticationManager delegate;
+	@Mock
+	Authentication authentication;
+
+	ReactiveAuthenticationManagerAdapter manager;
+
+	@Before
+	public void setup() {
+		manager = new ReactiveAuthenticationManagerAdapter(delegate);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorNullAuthenticationManager() {
+		new ReactiveAuthenticationManagerAdapter(null);
+	}
+
+	@Test
+	public void authenticateWhenSuccessThenSucces() {
+		when(delegate.authenticate(any())).thenReturn(authentication);
+		when(authentication.isAuthenticated()).thenReturn(true);
+
+		Authentication result = manager.authenticate(authentication).block();
+
+		assertThat(result).isEqualTo(authentication);
+	}
+
+	@Test
+	public void authenticateWhenReturnNotAuthenticatedThenError() {
+		when(delegate.authenticate(any())).thenReturn(authentication);
+
+		Authentication result = manager.authenticate(authentication).block();
+
+		assertThat(result).isNull();
+	}
+
+	@Test
+	public void authenticateWhenBadCredentialsThenError() {
+		when(delegate.authenticate(any())).thenThrow(new BadCredentialsException("Failed"));
+		when(authentication.isAuthenticated()).thenReturn(true);
+
+		Mono<Authentication> result = manager.authenticate(authentication);
+
+		StepVerifier.create(result)
+			.expectError(BadCredentialsException.class)
+			.verify();
+	}
+}

core/src/test/java/org/springframework/security/authentication/UserDetailsRepositoryAuthenticationManagerTests.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.authentication;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.when;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
+
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class UserDetailsRepositoryAuthenticationManagerTests {
+	@Mock
+	UserDetailsRepository repository;
+	UserDetailsRepositoryAuthenticationManager manager;
+	String username;
+	String password;
+
+	@Before
+	public void setup() {
+		manager = new UserDetailsRepositoryAuthenticationManager(repository);
+		username = "user";
+		password = "pass";
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorNullUserDetailsRepository() {
+		UserDetailsRepository udr = null;
+		new UserDetailsRepositoryAuthenticationManager(udr);
+	}
+
+	@Test
+	public void authenticateWhenUserNotFoundThenBadCredentials() {
+		when(repository.findByUsername(username)).thenReturn(Mono.empty());
+
+		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
+		Mono<Authentication> authentication = manager.authenticate(token);
+
+		StepVerifier
+			.create(authentication)
+			.expectError(BadCredentialsException.class)
+			.verify();
+	}
+
+	@Test
+	public void authenticateWhenPasswordNotEqualThenBadCredentials() {
+		User user = new User(username, password, AuthorityUtils.createAuthorityList("ROLE_USER"));
+		when(repository.findByUsername(user.getUsername())).thenReturn(Mono.just(user));
+
+		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password + "INVALID");
+		Mono<Authentication> authentication = manager.authenticate(token);
+
+		StepVerifier
+			.create(authentication)
+			.expectError(BadCredentialsException.class)
+			.verify();
+	}
+
+	@Test
+	public void authenticateWhenSuccessThenSuccess() {
+		User user = new User(username, password, AuthorityUtils.createAuthorityList("ROLE_USER"));
+		when(repository.findByUsername(user.getUsername())).thenReturn(Mono.just(user));
+
+		UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
+		Authentication authentication = manager.authenticate(token).block();
+
+		assertThat(authentication).isEqualTo(authentication);
+	}
+
+}

core/src/test/java/org/springframework/security/authorization/AuthenticatedAuthorizationManagerTests.java

@@ -0,0 +1,77 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.authorization;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.core.Authentication;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.when;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class AuthenticatedAuthorizationManagerTests {
+	@Mock
+	Authentication authentication;
+
+	AuthenticatedAuthorizationManager<Object> manager = AuthenticatedAuthorizationManager.authenticated();
+
+	@Test
+	public void checkWhenAuthenticatedThenReturnTrue() {
+		when(authentication.isAuthenticated()).thenReturn(true);
+
+		boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
+
+		assertThat(granted).isTrue();
+	}
+
+	@Test
+	public void checkWhenNotAuthenticatedThenReturnFalse() {
+		boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
+
+		assertThat(granted).isFalse();
+	}
+
+	@Test
+	public void checkWhenEmptyThenReturnFalse() {
+		boolean granted = manager.check(Mono.empty(), null).block().isGranted();
+
+		assertThat(granted).isFalse();
+	}
+
+
+	@Test
+	public void checkWhenErrorThenError() {
+		Mono<AuthorizationDecision> result = manager.check(Mono.error(new RuntimeException("ooops")), null);
+
+		StepVerifier
+			.create(result)
+			.expectError()
+			.verify();
+	}
+}

core/src/test/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java

@@ -0,0 +1,133 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.authorization;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+import java.util.Collection;
+import java.util.Collections;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.when;
+import static org.springframework.security.core.authority.AuthorityUtils.createAuthorityList;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class AuthorityAuthorizationManagerTests {
+	@Mock
+	Authentication authentication;
+
+	AuthorityAuthorizationManager<Object> manager = AuthorityAuthorizationManager.hasAuthority("ADMIN");
+
+	@Test
+	public void checkWhenHasAuthorityAndNotAuthenticatedThenReturnFalse() {
+		boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
+
+		assertThat(granted).isFalse();
+	}
+
+	@Test
+	public void checkWhenHasAuthorityAndEmptyThenReturnFalse() {
+		boolean granted = manager.check(Mono.empty(), null).block().isGranted();
+
+		assertThat(granted).isFalse();
+	}
+
+	@Test
+	public void checkWhenHasAuthorityAndErrorThenError() {
+		Mono<AuthorizationDecision> result = manager.check(Mono.error(new RuntimeException("ooops")), null);
+
+		StepVerifier
+			.create(result)
+			.expectError()
+			.verify();
+	}
+
+	@Test
+	public void checkWhenHasAuthorityAndAuthenticatedAndNoAuthoritiesThenReturnFalse() {
+		when(authentication.isAuthenticated()).thenReturn(true);
+		when(authentication.getAuthorities()).thenReturn(Collections.emptyList());
+
+		boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
+
+		assertThat(granted).isFalse();
+	}
+
+	@Test
+	public void checkWhenHasAuthorityAndAuthenticatedAndWrongAuthoritiesThenReturnFalse() {
+		authentication = new TestingAuthenticationToken("rob", "secret", "ROLE_ADMIN");
+
+		boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
+
+		assertThat(granted).isFalse();
+	}
+
+	@Test
+	public void checkWhenHasAuthorityAndAuthorizedThenReturnTrue() {
+		authentication = new TestingAuthenticationToken("rob", "secret", "ADMIN");
+
+		boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
+
+		assertThat(granted).isTrue();
+	}
+
+	@Test
+	public void checkWhenHasRoleAndAuthorizedThenReturnTrue() {
+		manager = AuthorityAuthorizationManager.hasRole("ADMIN");
+		authentication = new TestingAuthenticationToken("rob", "secret", "ROLE_ADMIN");
+
+		boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
+
+		assertThat(granted).isTrue();
+	}
+
+	@Test
+	public void checkWhenHasRoleAndNotAuthorizedThenReturnTrue() {
+		manager = AuthorityAuthorizationManager.hasRole("ADMIN");
+		authentication = new TestingAuthenticationToken("rob", "secret", "ADMIN");
+
+		boolean granted = manager.check(Mono.just(authentication), null).block().isGranted();
+
+		assertThat(granted).isFalse();
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void hasRoleWhenNullThenException() {
+		String role = null;
+		AuthorityAuthorizationManager.hasRole(role);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void hasAuthorityWhenNullThenException() {
+		String authority = null;
+		AuthorityAuthorizationManager.hasAuthority(authority);
+	}
+}

gradle/dependency-management.gradle

@@ -1,6 +1,7 @@
 dependencyManagement {
 	dependencies {
 		dependency 'cglib:cglib-nodep:3.2.5'
+		dependency 'com.squareup.okhttp3:mockwebserver:3.7.0'
 		dependency 'opensymphony:sitemesh:2.4.2'
 		dependency 'org.gebish:geb-spock:0.10.0'
 		dependency 'org.jasig.cas:cas-server-webapp:4.0.0'
@@ -26,6 +27,7 @@ dependencyManagement {
 
 dependencyManagement {
 	imports {
+		mavenBom 'io.projectreactor:reactor-bom:Bismuth-M1'
 		mavenBom 'org.springframework.data:spring-data-releasetrain:Kay-M3'
 		mavenBom 'org.springframework:spring-framework-bom:5.0.0.RC1'
 	}

samples/javaconfig/hellowebflux/spring-security-samples-javaconfig-hellowebflux.gradle

@@ -0,0 +1,16 @@
+apply plugin: 'io.spring.convention.spring-sample'
+
+dependencies {
+	compile project(':spring-security-core')
+	compile project(':spring-security-config')
+	compile project(':spring-security-webflux')
+	compile 'com.fasterxml.jackson.core:jackson-databind'
+	compile 'io.netty:netty-buffer'
+	compile 'io.projectreactor.ipc:reactor-netty'
+	compile 'org.springframework:spring-context'
+	compile 'org.springframework:spring-webflux'
+
+	testCompile 'io.projectreactor.addons:reactor-test'
+	testCompile 'org.skyscreamer:jsonassert'
+	testCompile 'org.springframework:spring-test'
+}

samples/javaconfig/hellowebflux/src/integration-test/java/sample/SecurityTests.java

@@ -0,0 +1,221 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.web.server.header.ContentTypeOptionsHttpHeadersWriter;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.reactive.server.ExchangeResult;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
+
+import java.nio.charset.Charset;
+import java.time.Duration;
+import java.util.Base64;
+
+import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(SpringRunner.class)
+@ContextConfiguration(classes = Application.class)
+@TestPropertySource(properties = "server.port=0")
+public class SecurityTests {
+	@Value("#{@nettyContext.address().getPort()}")
+	int port;
+
+	WebTestClient rest;
+
+	@Before
+	public void setup() {
+		this.rest = WebTestClient.bindToServer()
+				.responseTimeout(Duration.ofDays(1))
+				.baseUrl("http://localhost:" + this.port)
+				.build();
+	}
+
+	@Test
+	public void basicRequired() throws Exception {
+		this.rest
+			.get()
+			.uri("/users")
+			.exchange()
+			.expectStatus().isUnauthorized();
+	}
+
+	@Test
+	public void basicWorks() throws Exception {
+		this.rest
+			.filter(robsCredentials())
+			.get()
+			.uri("/users")
+			.exchange()
+			.expectStatus().isOk()
+			.expectBody().json("[{\"id\":null,\"username\":\"rob\",\"password\":\"rob\",\"firstname\":\"Rob\",\"lastname\":\"Winch\"},{\"id\":null,\"username\":\"admin\",\"password\":\"admin\",\"firstname\":\"Admin\",\"lastname\":\"User\"}]");
+	}
+
+	@Test
+	public void basicWhenPasswordInvalid401() throws Exception {
+		this.rest
+			.filter(invalidPassword())
+			.get()
+			.uri("/users")
+			.exchange()
+			.expectStatus().isUnauthorized()
+			.expectBody().isEmpty();
+	}
+
+	@Test
+	public void authorizationAdmin403() throws Exception {
+		this.rest
+			.filter(robsCredentials())
+			.get()
+			.uri("/admin")
+			.exchange()
+			.expectStatus().isEqualTo(HttpStatus.FORBIDDEN)
+			.expectBody().isEmpty();
+	}
+
+	@Test
+	public void authorizationAdmin200() throws Exception {
+		this.rest
+			.filter(adminCredentials())
+			.get()
+			.uri("/admin")
+			.exchange()
+			.expectStatus().isOk();
+	}
+
+	@Test
+	public void basicMissingUser401() throws Exception {
+		this.rest
+			.filter(basicAuthentication("missing-user", "password"))
+			.get()
+			.uri("/admin")
+			.exchange()
+			.expectStatus().isUnauthorized();
+	}
+
+	@Test
+	public void basicInvalidPassword401() throws Exception {
+		this.rest
+			.filter(invalidPassword())
+			.get()
+			.uri("/admin")
+			.exchange()
+			.expectStatus().isUnauthorized();
+	}
+
+	@Test
+	public void basicInvalidParts401() throws Exception {
+		this.rest
+			.get()
+			.uri("/admin")
+			.header("Authorization", "Basic " + base64Encode("no colon"))
+			.exchange()
+			.expectStatus().isUnauthorized();
+	}
+
+	@Test
+	public void sessionWorks() throws Exception {
+		ExchangeResult result = this.rest
+				.filter(robsCredentials())
+				.get()
+				.uri("/users")
+				.exchange()
+				.returnResult(String.class);
+
+		String session = result.getResponseHeaders().getFirst("Set-Cookie");
+
+		this.rest
+			.get()
+			.uri("/users")
+			.header("Cookie", session)
+			.exchange()
+			.expectStatus().isOk();
+	}
+
+	@Test
+	public void me() throws Exception {
+		this.rest
+			.filter(robsCredentials())
+			.get()
+			.uri("/me")
+			.exchange()
+			.expectStatus().isOk()
+			.expectBody().json("{\"username\" : \"rob\"}");
+	}
+
+	@Test
+	public void monoMe() throws Exception {
+		this.rest
+			.filter(robsCredentials())
+			.get()
+			.uri("/mono/me")
+			.exchange()
+			.expectStatus().isOk()
+			.expectBody().json("{\"username\" : \"rob\"}");
+	}
+
+	@Test
+	public void principal() throws Exception {
+		this.rest
+			.filter(robsCredentials())
+			.get()
+			.uri("/principal")
+			.exchange()
+			.expectStatus().isOk()
+			.expectBody().json("{\"username\" : \"rob\"}");
+	}
+
+	@Test
+	public void headers() throws Exception {
+		this.rest
+				.filter(robsCredentials())
+				.get()
+				.uri("/principal")
+				.exchange()
+				.expectHeader().valueEquals(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, max-age=0, must-revalidate")
+				.expectHeader().valueEquals(HttpHeaders.EXPIRES, "0")
+				.expectHeader().valueEquals(HttpHeaders.PRAGMA, "no-cache")
+				.expectHeader().valueEquals(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, ContentTypeOptionsHttpHeadersWriter.NOSNIFF);
+	}
+
+	private ExchangeFilterFunction robsCredentials() {
+		return basicAuthentication("rob","rob");
+	}
+
+	private ExchangeFilterFunction invalidPassword() {
+		return basicAuthentication("rob","INVALID");
+	}
+
+	private ExchangeFilterFunction adminCredentials() {
+		return basicAuthentication("admin","admin");
+	}
+
+	private String base64Encode(String value) {
+		return Base64.getEncoder().encodeToString(value.getBytes(Charset.defaultCharset()));
+	}
+}

samples/javaconfig/hellowebflux/src/integration-test/java/sample/UserRepositoryTests.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+@SuppressWarnings("unused")
+@RunWith(SpringRunner.class)
+@ContextConfiguration(classes = Application.class)
+@TestPropertySource(properties = "server.port=0")
+public class UserRepositoryTests {
+
+	@Autowired UserRepository repository;
+
+	String robUsername = "rob";
+
+	@Test
+	public void findByUsernameWhenUsernameMatchesThenFound() {
+		assertThat(repository.findByUsername(this.robUsername).block()).isNotNull();
+	}
+
+	@Test
+	public void findByUsernameWhenUsernameDoesNotMatchThenFound() {
+		assertThat(repository.findByUsername(this.robUsername + "NOTFOUND").block()).isNull();
+	}
+}

samples/javaconfig/hellowebflux/src/main/java/sample/Application.java

@@ -0,0 +1,111 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.AnnotationConfigApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.ComponentScan;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.ReactiveAdapterRegistry;
+import org.springframework.http.server.reactive.HttpHandler;
+import org.springframework.http.server.reactive.ReactorHttpHandlerAdapter;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authentication.UserDetailsRepositoryAuthenticationManager;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.config.web.server.AuthorizeExchangeBuilder;
+import org.springframework.security.config.web.server.HttpSecurity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.reactive.result.method.annotation.AuthenticationPrincipalArgumentResolver;
+import org.springframework.security.web.server.authorization.AuthorizationContext;
+import org.springframework.security.web.server.context.WebSessionSecurityContextRepository;
+import org.springframework.web.reactive.DispatcherHandler;
+import org.springframework.web.reactive.config.EnableWebFlux;
+import org.springframework.web.reactive.config.WebFluxConfigurer;
+import org.springframework.web.reactive.result.method.annotation.ArgumentResolverConfigurer;
+import org.springframework.web.server.WebFilter;
+import reactor.core.publisher.Mono;
+import reactor.ipc.netty.NettyContext;
+import reactor.ipc.netty.http.server.HttpServer;
+
+import static org.springframework.security.config.web.server.HttpSecurity.http;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@Configuration
+@EnableWebFlux
+@ComponentScan
+public class Application implements WebFluxConfigurer {
+	@Value("${server.port:8080}")
+	private int port = 8080;
+
+	@Autowired
+	private ReactiveAdapterRegistry adapterRegistry = new ReactiveAdapterRegistry();
+
+	public static void main(String[] args) throws Exception {
+		try(AnnotationConfigApplicationContext context = new AnnotationConfigApplicationContext(Application.class)) {
+			context.getBean(NettyContext.class).onClose().block();
+		}
+	}
+
+	@Override
+	public void configureArgumentResolvers(ArgumentResolverConfigurer configurer) {
+		configurer.addCustomResolver(authenticationPrincipalArgumentResolver());
+	}
+
+	@Bean
+	public NettyContext nettyContext(ApplicationContext context) {
+		HttpHandler handler = DispatcherHandler.toHttpHandler(context);
+		ReactorHttpHandlerAdapter adapter = new ReactorHttpHandlerAdapter(handler);
+		HttpServer httpServer = HttpServer.create("localhost", port);
+		return httpServer.newHandler(adapter).block();
+	}
+
+	@Bean
+	public AuthenticationPrincipalArgumentResolver authenticationPrincipalArgumentResolver() {
+		return new AuthenticationPrincipalArgumentResolver(adapterRegistry);
+	}
+
+	@Bean
+	WebFilter springSecurityFilterChain(ReactiveAuthenticationManager manager) throws Exception {
+		HttpSecurity http = http();
+		http.securityContextRepository(new WebSessionSecurityContextRepository());
+		http.authenticationManager(manager);
+		http.httpBasic();
+
+		AuthorizeExchangeBuilder authorize = http.authorizeExchange();
+		authorize.antMatchers("/admin/**").hasRole("ADMIN");
+		authorize.antMatchers("/users/{user}/**").access(this::currentUserMatchesPath);
+		authorize.anyExchange().authenticated();
+		return http.build();
+	}
+
+	private Mono<AuthorizationDecision> currentUserMatchesPath(Mono<Authentication> authentication, AuthorizationContext context) {
+		return authentication
+			.map( a -> context.getVariables().get("user").equals(a.getName()))
+			.map( granted -> new AuthorizationDecision(granted));
+	}
+
+	@Bean
+	public ReactiveAuthenticationManager authenticationManager(UserRepositoryUserDetailsRepository udr) {
+		return new UserDetailsRepositoryAuthenticationManager(udr);
+	}
+}

samples/javaconfig/hellowebflux/src/main/java/sample/MapUserRepository.java

@@ -0,0 +1,58 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package sample;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.springframework.stereotype.Service;
+
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@Service
+public class MapUserRepository implements UserRepository {
+	private final Map<String,User> users = new HashMap<>();
+
+	public MapUserRepository() {
+		save(new User("rob", "rob", "Rob", "Winch")).block();
+		save(new User("admin", "admin", "Admin", "User")).block();
+	}
+
+	@Override
+	public Flux<User> findAll() {
+		return Flux.fromIterable(users.values());
+	}
+
+	@Override
+	public Mono<User> findByUsername(String username) {
+		User result = users.get(username);
+
+		return result == null ? Mono.empty() : Mono.just(result);
+	}
+
+	public Mono<User> save(User user) {
+		users.put(user.getUsername(), user);
+		return Mono.just(user);
+	}
+}

samples/javaconfig/hellowebflux/src/main/java/sample/User.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class User {
+
+	private Long id;
+	private String username;
+	private String password;
+	private String firstname;
+	private String lastname;
+
+	public User() {}
+
+	public User(User copy) {
+		this(copy.getUsername(), copy.getPassword(), copy.getFirstname(), copy.getLastname());
+	}
+
+	public User(String username, String password, String firstname, String lastname) {
+		super();
+		this.username = username;
+		this.password = password;
+		this.firstname = firstname;
+		this.lastname = lastname;
+	}
+
+	public Long getId() {
+		return id;
+	}
+
+	public void setId(Long id) {
+		this.id = id;
+	}
+
+	public String getUsername() {
+		return username;
+	}
+
+	public void setUsername(String username) {
+		this.username = username;
+	}
+
+	public String getPassword() {
+		return password;
+	}
+
+	public void setPassword(String password) {
+		this.password = password;
+	}
+
+	public String getFirstname() {
+		return firstname;
+	}
+
+	public void setFirstname(String firstname) {
+		this.firstname = firstname;
+	}
+
+	public String getLastname() {
+		return lastname;
+	}
+
+	public void setLastname(String lastname) {
+		this.lastname = lastname;
+	}
+}

samples/javaconfig/hellowebflux/src/main/java/sample/UserController.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample;
+
+import java.security.Principal;
+import java.util.Collections;
+import java.util.Map;
+
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import org.springframework.web.server.WebSession;
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RestController
+public class UserController {
+	private final UserRepository users;
+
+	public UserController(UserRepository users) {
+		this.users = users;
+	}
+
+	@GetMapping("/me")
+	public Mono<Map<String,String>> me(@AuthenticationPrincipal User user) {
+		return me(Mono.just(user));
+	}
+
+	@GetMapping("/mono/me")
+	public Mono<Map<String,String>> me(@AuthenticationPrincipal Mono<User> user) {
+		return user.flatMap( u -> Mono.just(Collections.singletonMap("username", u.getUsername())));
+	}
+
+	@GetMapping("/mono/session")
+	public Mono<Map<String,Object>> Session(Mono<WebSession> session) {
+		return session.flatMap( s -> Mono.just(s.getAttributes()));
+	}
+
+	@GetMapping("/users")
+	public Flux<User> users() {
+		return this.users.findAll();
+	}
+
+	@GetMapping("/principal")
+	public Mono<Map<String,String>> principal(Principal principal) {
+		return principal(Mono.just(principal));
+	}
+
+	@GetMapping("/mono/principal")
+	public Mono<Map<String,String>> principal(Mono<Principal> principal) {
+		return principal.flatMap( p -> Mono.just(Collections.singletonMap("username", p.getName())));
+	}
+
+	@GetMapping("/admin")
+	public Map<String,String> admin() {
+		return Collections.singletonMap("isadmin", "true");
+	}
+}

samples/javaconfig/hellowebflux/src/main/java/sample/UserRepository.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import reactor.core.publisher.Flux;
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public interface UserRepository {
+
+	Flux<User> findAll();
+
+	Mono<User> findByUsername(String username);
+
+	Mono<User> save(User user);
+}

samples/javaconfig/hellowebflux/src/main/java/sample/UserRepositoryUserDetailsRepository.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.springframework.security.authentication.UserDetailsRepository;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.stereotype.Component;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@Component
+public class UserRepositoryUserDetailsRepository implements UserDetailsRepository {
+	private final UserRepository users;
+
+	public UserRepositoryUserDetailsRepository(UserRepository users) {
+		super();
+		this.users = users;
+	}
+
+	@Override
+	public Mono<UserDetails> findByUsername(String username) {
+		return this.users
+				.findByUsername(username)
+				.map(UserDetailsAdapter::new);
+	}
+
+	@SuppressWarnings("serial")
+	private static class UserDetailsAdapter extends User implements UserDetails {
+		private static List<GrantedAuthority> USER_ROLES = AuthorityUtils.createAuthorityList("ROLE_USER");
+		private static List<GrantedAuthority> ADMIN_ROLES = AuthorityUtils.createAuthorityList("ROLE_ADMIN", "ROLE_USER");
+
+		private UserDetailsAdapter(User delegate) {
+			super(delegate);
+		}
+
+		@Override
+		public Collection<? extends GrantedAuthority> getAuthorities() {
+			return isAdmin() ? ADMIN_ROLES : USER_ROLES ;
+		}
+
+		private boolean isAdmin() {
+			return getUsername().contains("admin");
+		}
+
+		@Override
+		public boolean isAccountNonExpired() {
+			return true;
+		}
+
+		@Override
+		public boolean isAccountNonLocked() {
+			return true;
+		}
+
+		@Override
+		public boolean isCredentialsNonExpired() {
+			return true;
+		}
+
+		@Override
+		public boolean isEnabled() {
+			return true;
+		}
+	}
+}

samples/javaconfig/messages/spring-security-samples-javaconfig-messages.gradle

@@ -25,5 +25,5 @@ dependencies {
 	compile 'org.springframework:spring-webmvc'
 	compile 'org.thymeleaf:thymeleaf-spring5'
 
-	provided 'javax.servlet:javax.servlet-api'
+	providedCompile 'javax.servlet:javax.servlet-api'
 }

webflux/spring-security-webflux.gradle

@@ -0,0 +1,13 @@
+apply plugin: 'io.spring.convention.spring-module'
+
+dependencies {
+	compile project(':spring-security-core')
+	compile project(':spring-security-web')
+	compile 'org.springframework:spring-webflux'
+
+	testCompile 'io.projectreactor.addons:reactor-test'
+	testCompile 'org.springframework:spring-test'
+
+	integrationTestCompile 'com.squareup.okhttp3:mockwebserver'
+	integrationTestCompile 'io.projectreactor.ipc:reactor-netty'
+}

webflux/src/integration-test/java/webclient/oauth2/poc/WebClientOAuth2PocTests.java

@@ -0,0 +1,103 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *	  http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package webclient.oauth2.poc;
+
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.reactive.function.client.ClientRequest;
+import org.springframework.web.reactive.function.client.ClientResponse;
+import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
+import org.springframework.web.reactive.function.client.WebClient;
+import reactor.core.publisher.Mono;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class WebClientOAuth2PocTests {
+
+	private MockWebServer server;
+
+	private WebClient webClient;
+
+
+	@Before
+	public void setup() {
+		this.server = new MockWebServer();
+		String baseUrl = this.server.url("/").toString();
+		this.webClient = WebClient.create(baseUrl);
+	}
+
+	@After
+	public void shutdown() throws Exception {
+		this.server.shutdown();
+	}
+
+	@Test
+	public void httpBasicWhenNeeded() throws Exception {
+		this.server.enqueue(new MockResponse().setResponseCode(401).setHeader("WWW-Authenticate", "Basic realm=\"Test\""));
+		this.server.enqueue(new MockResponse().setResponseCode(200).setBody("OK"));
+
+		ClientResponse response = this.webClient
+			.filter(basicIfNeeded("rob", "rob"))
+			.get()
+			.uri("/")
+			.exchange()
+			.block();
+
+		assertThat(response.statusCode()).isEqualTo(HttpStatus.OK);
+
+		assertThat(this.server.takeRequest().getHeader("Authorization")).isNull();
+		assertThat(this.server.takeRequest().getHeader("Authorization")).isEqualTo("Basic cm9iOnJvYg==");
+	}
+
+
+	@Test
+	public void httpBasicWhenNotNeeded() throws Exception {
+		this.server.enqueue(new MockResponse().setResponseCode(200).setBody("OK"));
+
+		ClientResponse response = this.webClient
+			.filter(basicIfNeeded("rob", "rob"))
+			.get()
+			.uri("/")
+			.exchange()
+			.block();
+
+		assertThat(response.statusCode()).isEqualTo(HttpStatus.OK);
+
+		assertThat(this.server.getRequestCount()).isEqualTo(1);
+		assertThat(this.server.takeRequest().getHeader("Authorization")).isNull();
+	}
+
+	private ExchangeFilterFunction basicIfNeeded(String username, String password) {
+		return (request, next) ->
+			next.exchange(request)
+				.filter( r -> !HttpStatus.UNAUTHORIZED.equals(r.statusCode()))
+				.switchIfEmpty( Mono.defer(() -> {
+					return basicAuthentication(username, password).filter(request, next);
+				}));
+	}
+}

webflux/src/main/java/org/springframework/security/web/reactive/result/method/annotation/AuthenticationPrincipalArgumentResolver.java

@@ -0,0 +1,115 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.reactive.result.method.annotation;
+
+import org.springframework.core.MethodParameter;
+import org.springframework.core.ReactiveAdapter;
+import org.springframework.core.ReactiveAdapterRegistry;
+import org.springframework.core.annotation.AnnotationUtils;
+import org.springframework.expression.BeanResolver;
+import org.springframework.expression.Expression;
+import org.springframework.expression.ExpressionParser;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.StandardEvaluationContext;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.util.StringUtils;
+import org.springframework.web.reactive.BindingContext;
+import org.springframework.web.reactive.result.method.HandlerMethodArgumentResolverSupport;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+import java.lang.annotation.Annotation;
+
+/**
+ * Resolves the Authentication
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AuthenticationPrincipalArgumentResolver extends HandlerMethodArgumentResolverSupport {
+
+	private ExpressionParser parser = new SpelExpressionParser();
+
+	private BeanResolver beanResolver;
+
+	public AuthenticationPrincipalArgumentResolver(ReactiveAdapterRegistry adapterRegistry) {
+		super(adapterRegistry);
+	}
+
+	@Override
+	public boolean supportsParameter(MethodParameter parameter) {
+		return findMethodAnnotation(AuthenticationPrincipal.class, parameter) != null;
+	}
+
+	@Override
+	public Mono<Object> resolveArgument(MethodParameter parameter, BindingContext bindingContext,
+			ServerWebExchange exchange) {
+		ReactiveAdapter adapter = getAdapterRegistry().getAdapter(parameter.getParameterType());
+		return exchange.getPrincipal()
+			.ofType(Authentication.class)
+			.flatMap( a -> {
+				Object p = resolvePrincipal(parameter, a.getPrincipal());
+				Mono<Object> principal = Mono.justOrEmpty(p);
+				return adapter == null ? principal : Mono.just(adapter.fromPublisher(principal));
+			});
+	}
+
+	private Object resolvePrincipal(MethodParameter parameter, Object principal) {
+		AuthenticationPrincipal authPrincipal = findMethodAnnotation(
+			AuthenticationPrincipal.class, parameter);
+
+		String expressionToParse = authPrincipal.expression();
+		if (StringUtils.hasLength(expressionToParse)) {
+			StandardEvaluationContext context = new StandardEvaluationContext();
+			context.setRootObject(principal);
+			context.setVariable("this", principal);
+			context.setBeanResolver(beanResolver);
+
+			Expression expression = this.parser.parseExpression(expressionToParse);
+			principal = expression.getValue(context);
+		}
+
+		return principal;
+	}
+
+	/**
+	 * Obtains the specified {@link Annotation} on the specified {@link MethodParameter}.
+	 *
+	 * @param annotationClass the class of the {@link Annotation} to find on the
+	 * {@link MethodParameter}
+	 * @param parameter the {@link MethodParameter} to search for an {@link Annotation}
+	 * @return the {@link Annotation} that was found or null.
+	 */
+	private <T extends Annotation> T findMethodAnnotation(Class<T> annotationClass,
+														  MethodParameter parameter) {
+		T annotation = parameter.getParameterAnnotation(annotationClass);
+		if (annotation != null) {
+			return annotation;
+		}
+		Annotation[] annotationsToSearch = parameter.getParameterAnnotations();
+		for (Annotation toSearch : annotationsToSearch) {
+			annotation = AnnotationUtils.findAnnotation(toSearch.annotationType(),
+				annotationClass);
+			if (annotation != null) {
+				return annotation;
+			}
+		}
+		return null;
+	}
+
+}

webflux/src/main/java/org/springframework/security/web/server/AuthenticationEntryPoint.java

@@ -0,0 +1,34 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server;
+
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.web.server.ServerWebExchange;
+
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public interface AuthenticationEntryPoint {
+
+	<T> Mono<T> commence(ServerWebExchange exchange, AuthenticationException e);
+}

webflux/src/main/java/org/springframework/security/web/server/HttpBasicAuthenticationConverter.java

@@ -0,0 +1,73 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server;
+
+import java.util.Base64;
+import java.util.function.Function;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class HttpBasicAuthenticationConverter implements Function<ServerWebExchange,Mono<Authentication>> {
+
+	public static final String BASIC = "Basic ";
+
+	@Override
+	public Mono<Authentication> apply(ServerWebExchange serverWebExchange) {
+		ServerHttpRequest request = serverWebExchange.getRequest();
+
+		String authorization = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
+		if(authorization == null) {
+			return Mono.empty();
+		}
+
+		String credentials = authorization.length() <= BASIC.length() ?
+			"" : authorization.substring(BASIC.length(), authorization.length());
+		byte[] decodedCredentials = base64Decode(credentials);
+		String decodedAuthz = new String(decodedCredentials);
+		String[] userParts = decodedAuthz.split(":");
+
+		if(userParts.length != 2) {
+			return Mono.empty();
+		}
+
+		String username = userParts[0];
+		String password = userParts[1];
+
+		return Mono.just(new UsernamePasswordAuthenticationToken(username, password));
+	}
+
+	private byte[] base64Decode(String value) {
+		try {
+			return Base64.getDecoder().decode(value);
+		} catch(Exception e) {
+			return new byte[0];
+		}
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/WebFilterChainFilter.java

@@ -0,0 +1,68 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server;
+
+import java.util.Iterator;
+import java.util.List;
+
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class WebFilterChainFilter implements WebFilter {
+	private final List<WebFilter> filters;
+
+	public WebFilterChainFilter(List<WebFilter> filters) {
+		super();
+		this.filters = filters;
+	}
+
+	@Override
+	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+		SecurityWebFilterChain delegate = new SecurityWebFilterChain(chain, filters.iterator());
+		return delegate.filter(exchange);
+	}
+
+	static class SecurityWebFilterChain implements WebFilterChain {
+		private final WebFilterChain delegate;
+		private final Iterator<WebFilter> filters;
+
+		public SecurityWebFilterChain(WebFilterChain delegate, Iterator<WebFilter> filters) {
+			super();
+			this.delegate = delegate;
+			this.filters = filters;
+		}
+
+		@Override
+		public Mono<Void> filter(ServerWebExchange exchange) {
+			if (filters.hasNext()) {
+				WebFilter filter = filters.next();
+				return filter.filter(exchange, this);
+			} else {
+				return delegate.filter(exchange);
+			}
+		}
+
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/authentication/AuthenticationSuccessHandler.java

@@ -0,0 +1,32 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilterChain;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public interface AuthenticationSuccessHandler {
+	Mono<Void> success(Authentication authentication, ServerWebExchange exchange, WebFilterChain chain);
+}

webflux/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java

@@ -0,0 +1,75 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.authentication;
+
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.server.AuthenticationEntryPoint;
+import org.springframework.security.web.server.HttpBasicAuthenticationConverter;
+import org.springframework.security.web.server.authentication.www.HttpBasicAuthenticationEntryPoint;
+import org.springframework.util.Assert;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+import reactor.core.publisher.Mono;
+
+import java.util.function.Function;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AuthenticationWebFilter implements WebFilter {
+
+	private final ReactiveAuthenticationManager authenticationManager;
+
+	private AuthenticationSuccessHandler authenticationSuccessHandler = new DefaultAuthenticationSuccessHandler();
+
+	private Function<ServerWebExchange,Mono<Authentication>> authenticationConverter = new HttpBasicAuthenticationConverter();
+
+	private AuthenticationEntryPoint entryPoint = new HttpBasicAuthenticationEntryPoint();
+
+	public AuthenticationWebFilter(ReactiveAuthenticationManager authenticationManager) {
+		Assert.notNull(authenticationManager, "authenticationManager cannot be null");
+		this.authenticationManager = authenticationManager;
+	}
+
+	@Override
+	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+		return authenticationConverter.apply(exchange)
+			.switchIfEmpty(Mono.defer(() -> chain.filter(exchange).cast(Authentication.class)))
+			.flatMap( token -> authenticationManager.authenticate(token)
+				.flatMap(authentication -> authenticationSuccessHandler.success(authentication, exchange, chain))
+				.onErrorResume( AuthenticationException.class, t -> entryPoint.commence(exchange, t))
+			);
+	}
+
+	public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
+		this.authenticationSuccessHandler = authenticationSuccessHandler;
+	}
+
+	public void setAuthenticationConverter(Function<ServerWebExchange,Mono<Authentication>> authenticationConverter) {
+		this.authenticationConverter = authenticationConverter;
+	}
+
+	public void setEntryPoint(AuthenticationEntryPoint entryPoint) {
+		this.entryPoint = entryPoint;
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/authentication/DefaultAuthenticationSuccessHandler.java

@@ -0,0 +1,56 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextImpl;
+import org.springframework.security.web.server.context.SecurityContextRepository;
+import org.springframework.security.web.server.context.ServerWebExchangeAttributeSecurityContextRepository;
+import org.springframework.util.Assert;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilterChain;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class DefaultAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
+	private SecurityContextRepository securityContextRepository = new ServerWebExchangeAttributeSecurityContextRepository();
+
+	private AuthenticationSuccessHandler delegate = new WebFilterChainAuthenticationSuccessHandler();
+
+	@Override
+	public Mono<Void> success(Authentication authentication, ServerWebExchange exchange, WebFilterChain chain) {
+		SecurityContextImpl securityContext = new SecurityContextImpl();
+		securityContext.setAuthentication(authentication);
+		return securityContextRepository.save(exchange, securityContext)
+			.flatMap( wrappedExchange -> delegate.success(authentication, wrappedExchange, chain));
+	}
+
+	public void setDelegate(AuthenticationSuccessHandler delegate) {
+		Assert.notNull(delegate, "delegate cannot be null");
+		this.delegate = delegate;
+	}
+
+	public void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
+		Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
+		this.securityContextRepository = securityContextRepository;
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/authentication/WebFilterChainAuthenticationSuccessHandler.java

@@ -0,0 +1,35 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilterChain;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class WebFilterChainAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
+	@Override
+	public Mono<Void> success(Authentication authentication, ServerWebExchange exchange, WebFilterChain chain) {
+		return chain.filter(exchange);
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/authentication/www/HttpBasicAuthenticationEntryPoint.java

@@ -0,0 +1,42 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.authentication.www;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.http.server.reactive.ServerHttpResponse;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.server.AuthenticationEntryPoint;
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class HttpBasicAuthenticationEntryPoint implements AuthenticationEntryPoint {
+
+	@Override
+	public <T> Mono<T> commence(ServerWebExchange exchange, AuthenticationException e) {
+		ServerHttpResponse response = exchange.getResponse();
+		response.setStatusCode(HttpStatus.UNAUTHORIZED);
+		response.getHeaders().set("WWW-Authenticate", "Basic realm=\"Realm\"");
+		return Mono.empty();
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/authorization/AccessDeniedHandler.java

@@ -0,0 +1,33 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.authorization;
+
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public interface AccessDeniedHandler {
+
+	<T> Mono<T> handle(ServerWebExchange exchange, AccessDeniedException denied);
+}

webflux/src/main/java/org/springframework/security/web/server/authorization/AuthorizationContext.java

@@ -0,0 +1,50 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.authorization;
+
+import org.springframework.web.server.ServerWebExchange;
+
+import java.util.Collections;
+import java.util.Map;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AuthorizationContext {
+	private final ServerWebExchange exchange;
+	private final Map<String,Object> variables;
+
+	public AuthorizationContext(ServerWebExchange exchange) {
+		this(exchange, Collections.emptyMap());
+	}
+
+	public AuthorizationContext(ServerWebExchange exchange, Map<String,Object> variables) {
+		this.exchange = exchange;
+		this.variables = variables;
+	}
+
+	public ServerWebExchange getExchange() {
+		return exchange;
+	}
+
+	public Map<String,Object> getVariables() {
+		return Collections.unmodifiableMap(variables);
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/authorization/AuthorizationWebFilter.java

@@ -0,0 +1,48 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.authorization;
+
+
+import org.springframework.security.authorization.ReactiveAuthorizationManager;
+import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.web.server.AuthenticationEntryPoint;
+import org.springframework.security.web.server.authentication.www.HttpBasicAuthenticationEntryPoint;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AuthorizationWebFilter implements WebFilter {
+	private ReactiveAuthorizationManager<? super ServerWebExchange> accessDecisionManager;
+
+	public AuthorizationWebFilter(ReactiveAuthorizationManager<? super ServerWebExchange> accessDecisionManager) {
+		this.accessDecisionManager = accessDecisionManager;
+	}
+
+	@Override
+	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+		return accessDecisionManager.verify(exchange.getPrincipal(), exchange)
+			.switchIfEmpty( Mono.defer(() -> chain.filter(exchange)) );
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/authorization/DelegatingReactiveAuthorizationManager.java

@@ -0,0 +1,75 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.authorization;
+
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.ReactiveAuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class DelegatingReactiveAuthorizationManager implements ReactiveAuthorizationManager<ServerWebExchange> {
+	private final LinkedHashMap<ServerWebExchangeMatcher, ReactiveAuthorizationManager<AuthorizationContext>> mappings;
+
+	private DelegatingReactiveAuthorizationManager(LinkedHashMap<ServerWebExchangeMatcher, ReactiveAuthorizationManager<AuthorizationContext>> mappings) {
+		this.mappings = mappings;
+	}
+
+	@Override
+	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, ServerWebExchange exchange) {
+		for(Map.Entry<ServerWebExchangeMatcher, ReactiveAuthorizationManager<AuthorizationContext>> entry : mappings.entrySet()) {
+			ServerWebExchangeMatcher matcher = entry.getKey();
+			ServerWebExchangeMatcher.MatchResult match = matcher.matches(exchange);
+			if(match.isMatch()) {
+				Map<String,Object> variables = match.getVariables();
+				AuthorizationContext context = new AuthorizationContext(exchange, variables);
+				return entry.getValue().check(authentication, context);
+			}
+		}
+		return Mono.just(new AuthorizationDecision(false));
+	}
+
+	public static DelegatingReactiveAuthorizationManager.Builder builder() {
+		return new DelegatingReactiveAuthorizationManager.Builder();
+	}
+
+	public static class Builder {
+		private final LinkedHashMap<ServerWebExchangeMatcher, ReactiveAuthorizationManager<AuthorizationContext>> mappings = new LinkedHashMap<>();
+
+		private Builder() {
+		}
+
+		public DelegatingReactiveAuthorizationManager.Builder add(ServerWebExchangeMatcher matcher, ReactiveAuthorizationManager<AuthorizationContext> manager) {
+			this.mappings.put(matcher, manager);
+			return this;
+		}
+
+		public DelegatingReactiveAuthorizationManager build() {
+			return new DelegatingReactiveAuthorizationManager(mappings);
+		}
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/authorization/ExceptionTranslationWebFilter.java

@@ -0,0 +1,51 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.authorization;
+
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
+import org.springframework.security.web.server.AuthenticationEntryPoint;
+import org.springframework.security.web.server.authentication.www.HttpBasicAuthenticationEntryPoint;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class ExceptionTranslationWebFilter implements WebFilter {
+	private AuthenticationEntryPoint entryPoint = new HttpBasicAuthenticationEntryPoint();
+
+	private AccessDeniedHandler accessDeniedHandler = new HttpStatusAccessDeniedHandler(HttpStatus.FORBIDDEN);
+
+	@Override
+	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+		return chain.filter(exchange)
+			.onErrorResume(AccessDeniedException.class, denied -> {
+				return exchange.getPrincipal()
+					.switchIfEmpty( Mono.defer( () -> entryPoint.commence(exchange, new AuthenticationCredentialsNotFoundException("Not Authenticated", denied))))
+					.flatMap( principal -> accessDeniedHandler.handle(exchange, denied));
+			});
+	}
+
+}

webflux/src/main/java/org/springframework/security/web/server/authorization/HttpStatusAccessDeniedHandler.java

@@ -0,0 +1,43 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.authorization;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class HttpStatusAccessDeniedHandler implements AccessDeniedHandler {
+	private final HttpStatus httpStatus;
+
+	public HttpStatusAccessDeniedHandler(HttpStatus httpStatus) {
+		this.httpStatus = httpStatus;
+	}
+
+	@Override
+	public <T> Mono<T> handle(ServerWebExchange exchange, AccessDeniedException e) {
+		exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
+		return Mono.empty();
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/context/SecurityContextRepository.java

@@ -0,0 +1,30 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.context;
+
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+public interface SecurityContextRepository {
+
+	Mono<ServerWebExchange> save(ServerWebExchange exchange, SecurityContext context);
+
+	Mono<SecurityContext> load(ServerWebExchange exchange);
+}

webflux/src/main/java/org/springframework/security/web/server/context/SecurityContextRepositoryServerWebExchange.java

@@ -0,0 +1,48 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.context;
+
+import java.security.Principal;
+
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.ServerWebExchangeDecorator;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+final class SecurityContextRepositoryServerWebExchange extends ServerWebExchangeDecorator {
+	private final SecurityContextRepository repository;
+
+	public SecurityContextRepositoryServerWebExchange(ServerWebExchange delegate, SecurityContextRepository repository) {
+		super(delegate);
+		this.repository = repository;
+	}
+
+	@Override
+	@SuppressWarnings("unchecked")
+	public <T extends Principal> Mono<T> getPrincipal() {
+		return Mono.defer(() ->
+			this.repository.load(this)
+				.filter(c -> c.getAuthentication() != null)
+				.flatMap(c -> Mono.just((T) c.getAuthentication()))
+		);
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/context/SecurityContextRepositoryWebFilter.java

@@ -0,0 +1,46 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.context;
+
+import org.springframework.security.web.server.context.SecurityContextRepository;
+import org.springframework.security.web.server.context.SecurityContextRepositoryServerWebExchange;
+import org.springframework.util.Assert;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class SecurityContextRepositoryWebFilter implements WebFilter {
+	private final SecurityContextRepository repository;
+
+	public SecurityContextRepositoryWebFilter(SecurityContextRepository repository) {
+		Assert.notNull(repository, "repository cannot be null");
+		this.repository = repository;
+	}
+
+	@Override
+	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+		SecurityContextRepositoryServerWebExchange delegate =
+				new SecurityContextRepositoryServerWebExchange(exchange, repository);
+		return chain.filter(delegate);
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/context/ServerWebExchangeAttributeSecurityContextRepository.java

@@ -0,0 +1,41 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.context;
+
+
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class ServerWebExchangeAttributeSecurityContextRepository implements SecurityContextRepository {
+	final String ATTR = "USER";
+
+	public Mono<ServerWebExchange> save(ServerWebExchange exchange, SecurityContext context) {
+		exchange.getAttributes().put(ATTR, context);
+		return Mono.just(new SecurityContextRepositoryServerWebExchange(exchange, this));
+	}
+
+	public Mono<SecurityContext> load(ServerWebExchange exchange) {
+		return Mono.justOrEmpty(exchange.getAttribute(ATTR));
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/context/WebSessionSecurityContextRepository.java

@@ -0,0 +1,45 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.context;
+
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class WebSessionSecurityContextRepository implements SecurityContextRepository {
+	final String SESSION_ATTR = "USER";
+
+	public Mono<ServerWebExchange> save(ServerWebExchange exchange, SecurityContext context) {
+		return exchange.getSession()
+			.doOnNext(session -> session.getAttributes().put(SESSION_ATTR, context))
+			.flatMap( session -> Mono.just(new SecurityContextRepositoryServerWebExchange(exchange, this)));
+	}
+
+	public Mono<SecurityContext> load(ServerWebExchange exchange) {
+		return exchange.getSession().flatMap( session -> {
+			SecurityContext context = (SecurityContext) session.getAttributes().get(SESSION_ATTR);
+			return context == null ? Mono.empty() : Mono.just(context);
+		});
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/header/CacheControlHttpHeadersWriter.java

@@ -0,0 +1,61 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class CacheControlHttpHeadersWriter implements HttpHeadersWriter {
+
+	/**
+	 * The value for expires value
+	 */
+	public static final String EXPIRES_VALUE = "0";
+
+	/**
+	 * The value for pragma value
+	 */
+	public static final String PRAGMA_VALUE = "no-cache";
+
+	/**
+	 * The value for cache control value
+	 */
+	public static final String CACHE_CONTRTOL_VALUE = "no-cache, no-store, max-age=0, must-revalidate";
+
+	/**
+	 * The delegate to write all the cache control related headers
+	 */
+	private static final HttpHeadersWriter CACHE_HEADERS = StaticHttpHeadersWriter.builder()
+			.header(HttpHeaders.CACHE_CONTROL, CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE)
+			.header(HttpHeaders.PRAGMA,  CacheControlHttpHeadersWriter.PRAGMA_VALUE)
+			.header(HttpHeaders.EXPIRES,  CacheControlHttpHeadersWriter.EXPIRES_VALUE)
+			.build();
+
+	@Override
+	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
+		return CACHE_HEADERS.writeHttpHeaders(exchange);
+	}
+
+}

webflux/src/main/java/org/springframework/security/web/server/header/CompositeHttpHeadersWriter.java

@@ -0,0 +1,51 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package  org.springframework.security.web.server.header;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class CompositeHttpHeadersWriter implements HttpHeadersWriter {
+	private final List<HttpHeadersWriter> writers;
+
+	public CompositeHttpHeadersWriter(HttpHeadersWriter... writers) {
+		this(Arrays.asList(writers));
+	}
+
+	public CompositeHttpHeadersWriter(List<HttpHeadersWriter> writers) {
+		this.writers = writers;
+	}
+
+	@Override
+	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
+		Stream<Mono<Void>> results = writers.stream().map( writer -> writer.writeHttpHeaders(exchange));
+		return Mono.when(results.collect(Collectors.toList()));
+	}
+
+}

webflux/src/main/java/org/springframework/security/web/server/header/ContentTypeOptionsHttpHeadersWriter.java

@@ -0,0 +1,48 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+/**
+ * Adds X-Content-Type-Options: nosniff
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class ContentTypeOptionsHttpHeadersWriter implements HttpHeadersWriter {
+
+	public static final String X_CONTENT_OPTIONS = "X-Content-Type-Options";
+
+	public static final String NOSNIFF = "nosniff";
+
+
+	/**
+	 * The delegate to write all the cache control related headers
+	 */
+	private static final HttpHeadersWriter CONTENT_TYPE_HEADERS = StaticHttpHeadersWriter.builder()
+			.header(X_CONTENT_OPTIONS, NOSNIFF)
+			.build();
+
+	@Override
+	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
+		return CONTENT_TYPE_HEADERS.writeHttpHeaders(exchange);
+	}
+
+}

webflux/src/main/java/org/springframework/security/web/server/header/HttpHeaderWriterWebFilter.java

@@ -0,0 +1,48 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import org.springframework.http.server.reactive.ServerHttpResponse;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * Invokes a {@link HttpHeadersWriter} on
+ * {@link ServerHttpResponse#beforeCommit(java.util.function.Supplier)}.
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class HttpHeaderWriterWebFilter implements WebFilter {
+	private final HttpHeadersWriter writer;
+
+	public HttpHeaderWriterWebFilter(HttpHeadersWriter writer) {
+		super();
+		this.writer = writer;
+	}
+
+	@Override
+	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+		exchange.getResponse().beforeCommit(() -> writer.writeHttpHeaders(exchange));
+		return chain.filter(exchange);
+	}
+
+}

webflux/src/main/java/org/springframework/security/web/server/header/HttpHeadersWriter.java

@@ -0,0 +1,43 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import java.util.function.Supplier;
+
+import org.springframework.http.server.reactive.ServerHttpResponse;
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * Interface for writing headers just before the response is committed.
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public interface HttpHeadersWriter {
+
+	/**
+	 * Write the headers to the response.
+	 *
+	 * @param exchange
+	 * @return A Mono which is returned to the {@link Supplier} of the
+	 *         {@link ServerHttpResponse#beforeCommit(Supplier)}.
+	 */
+	Mono<Void> writeHttpHeaders(ServerWebExchange exchange);
+}

webflux/src/main/java/org/springframework/security/web/server/header/StaticHttpHeadersWriter.java

@@ -0,0 +1,70 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import java.util.Arrays;
+import java.util.Collections;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class StaticHttpHeadersWriter implements HttpHeadersWriter {
+	private final HttpHeaders headersToAdd;
+
+	public StaticHttpHeadersWriter(HttpHeaders headersToAdd) {
+		this.headersToAdd = headersToAdd;
+	}
+
+	/* (non-Javadoc)
+	 * @see org.springframework.security.web.server.HttpHeadersWriter#writeHttpHeaders(org.springframework.web.server.ServerWebExchange)
+	 */
+	@Override
+	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		boolean containsOneHeaderToAdd = Collections.disjoint(headers.keySet(), this.headersToAdd.keySet());
+		if(containsOneHeaderToAdd) {
+			this.headersToAdd.forEach((name, values) -> {
+				headers.put(name, values);
+			});
+		}
+		return Mono.empty();
+	}
+
+	public static Builder builder() {
+		return new Builder();
+	}
+
+	public static class Builder {
+		private HttpHeaders headers = new HttpHeaders();
+
+		public Builder header(String headerName, String...values) {
+			headers.put(headerName, Arrays.asList(values));
+			return this;
+		}
+
+		public StaticHttpHeadersWriter build() {
+			return new StaticHttpHeadersWriter(headers);
+		}
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/header/StrictTransportSecurityHttpHeadersWriter.java

@@ -0,0 +1,77 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import java.time.Duration;
+
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public final class StrictTransportSecurityHttpHeadersWriter implements HttpHeadersWriter {
+	public static final String STRICT_TRANSPORT_SECURITY = "Strict-Transport-Security";
+
+	private String maxAge;
+
+	private String subdomain;
+
+	private HttpHeadersWriter delegate;
+
+	/**
+	 *
+	 */
+	public StrictTransportSecurityHttpHeadersWriter() {
+		setIncludeSubDomains(true);
+		setMaxAge(Duration.ofDays(365L));
+		updateDelegate();
+	}
+
+	/* (non-Javadoc)
+	 * @see org.springframework.security.web.server.HttpHeadersWriter#writeHttpHeaders(org.springframework.http.HttpHeaders)
+	 */
+	@Override
+	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
+		return isSecure(exchange) ? delegate.writeHttpHeaders(exchange) : Mono.empty();
+	}
+
+	public void setIncludeSubDomains(boolean includeSubDomains) {
+		subdomain = includeSubDomains ? " ; includeSubDomains" : "";
+		updateDelegate();
+	}
+
+	public void setMaxAge(Duration maxAge) {
+		this.maxAge = "max-age=" + maxAge.getSeconds();
+		updateDelegate();
+	}
+
+	private void updateDelegate() {
+		delegate = StaticHttpHeadersWriter.builder()
+				.header(STRICT_TRANSPORT_SECURITY, maxAge + subdomain)
+				.build();
+	}
+
+	private boolean isSecure(ServerWebExchange exchange) {
+		String scheme = exchange.getRequest().getURI().getScheme();
+		boolean isSecure = scheme != null && scheme.equalsIgnoreCase("https");
+		return isSecure;
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/header/XContentTypeOptionsHttpHeadersWriter.java

@@ -0,0 +1,49 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * Adds X-Content-Type-Options: nosniff
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class XContentTypeOptionsHttpHeadersWriter implements HttpHeadersWriter {
+
+	public static final String X_CONTENT_OPTIONS = "X-Content-Options";
+
+	public static final String NOSNIFF = "nosniff";
+
+
+	/**
+	 * The delegate to write all the cache control related headers
+	 */
+	private static final HttpHeadersWriter CONTENT_TYPE_HEADERS = StaticHttpHeadersWriter.builder()
+			.header(X_CONTENT_OPTIONS, NOSNIFF)
+			.build();
+
+	@Override
+	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
+		return CONTENT_TYPE_HEADERS.writeHttpHeaders(exchange);
+	}
+
+}

webflux/src/main/java/org/springframework/security/web/server/header/XFrameOptionsHttpHeadersWriter.java

@@ -0,0 +1,93 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class XFrameOptionsHttpHeadersWriter implements HttpHeadersWriter {
+	public static final String X_FRAME_OPTIONS = "X-Frame-Options";
+
+	private HttpHeadersWriter delegate = createDelegate(Mode.DENY);
+
+	/*
+	 * (non-Javadoc)
+	 *
+	 * @see org.springframework.security.web.server.HttpHeadersWriter#
+	 * writeHttpHeaders(org.springframework.web.server.ServerWebExchange)
+	 */
+	@Override
+	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
+		return delegate.writeHttpHeaders(exchange);
+	}
+
+	/**
+	 * Sets the X-Frame-Options mode. There is no support for ALLOW-FROM because
+	 * not <a href=
+	 * "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">all
+	 * browsers support it</a>. Consider using X-Frame-Options with
+	 * Content-Security-Policy <a href=
+	 * "https://w3c.github.io/webappsec/specs/content-security-policy/#directive-frame-ancestors">frame-ancestors</a>.
+	 *
+	 * @param mode
+	 */
+	public void setMode(Mode mode) {
+		this.delegate = createDelegate(mode);
+	}
+
+	/**
+	 * The X-Frame-Options values. There is no support for ALLOW-FROM because
+	 * not <a href=
+	 * "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">all
+	 * browsers support it</a>. Consider using X-Frame-Options with
+	 * Content-Security-Policy <a href=
+	 * "https://w3c.github.io/webappsec/specs/content-security-policy/#directive-frame-ancestors">frame-ancestors</a>.
+	 *
+	 * @author Rob Winch
+	 * @since 5.0
+	 */
+	public enum Mode {
+		/**
+		 * A browser receiving content with this header field MUST NOT display
+		 * this content in any frame.
+		 */
+		DENY,
+		/**
+		 * A browser receiving content with this header field MUST NOT display
+		 * this content in any frame from a page of different origin than the
+		 * content itself.
+		 *
+		 * If a browser or plugin cannot reliably determine whether or not the
+		 * origin of the content and the frame are the same, this MUST be
+		 * treated as "DENY".
+		 */
+		SAMEORIGIN;
+	}
+
+	private static HttpHeadersWriter createDelegate(Mode mode) {
+		// @formatter:off
+		return StaticHttpHeadersWriter.builder().header(X_FRAME_OPTIONS, mode.name()).build();
+		// @formatter:on
+
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/header/XXssProtectionHttpHeadersWriter.java

@@ -0,0 +1,116 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class XXssProtectionHttpHeadersWriter implements HttpHeadersWriter {
+	public static final String X_XSS_PROTECTION = "X-XSS-Protection";
+
+	private boolean enabled;
+
+	private boolean block;
+
+	private HttpHeadersWriter delegate;
+
+	/**
+	 *
+	 */
+	public XXssProtectionHttpHeadersWriter() {
+		this.enabled = true;
+		this.block = true;
+		updateDelegate();
+	}
+
+	/* (non-Javadoc)
+	 * @see org.springframework.security.web.server.HttpHeadersWriter#writeHttpHeaders(org.springframework.web.server.ServerWebExchange)
+	 */
+	@Override
+	public Mono<Void> writeHttpHeaders(ServerWebExchange exchange) {
+		return delegate.writeHttpHeaders(exchange);
+	}
+
+	/**
+	 * If true, will contain a value of 1. For example:
+	 *
+	 * <pre>
+	 * X-XSS-Protection: 1
+	 * </pre>
+	 *
+	 * or if {@link #setBlock(boolean)} is true
+	 *
+	 *
+	 * <pre>
+	 * X-XSS-Protection: 1; mode=block
+	 * </pre>
+	 *
+	 * If false, will explicitly disable specify that X-XSS-Protection is disabled. For
+	 * example:
+	 *
+	 * <pre>
+	 * X-XSS-Protection: 0
+	 * </pre>
+	 *
+	 * @param enabled the new value
+	 */
+	public void setEnabled(boolean enabled) {
+		if (!enabled) {
+			setBlock(false);
+		}
+		this.enabled = enabled;
+		updateDelegate();
+	}
+
+	/**
+	 * If false, will not specify the mode as blocked. In this instance, any content will
+	 * be attempted to be fixed. If true, the content will be replaced with "#".
+	 *
+	 * @param block the new value
+	 */
+	public void setBlock(boolean block) {
+		if (!enabled && block) {
+			throw new IllegalArgumentException(
+					"Cannot set block to true with enabled false");
+		}
+		this.block = block;
+		updateDelegate();
+	}
+
+	private void updateDelegate() {
+
+		this.delegate = StaticHttpHeadersWriter.builder()
+				.header(X_XSS_PROTECTION, createHeaderValue())
+				.build();
+	}
+
+	private String createHeaderValue() {
+		if (!enabled) {
+			return  "0";
+		}
+		if(!block) {
+			return "1";
+		}
+		return "1 ; mode=block";
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/util/matcher/AndServerWebExchangeMatcher.java

@@ -0,0 +1,62 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.util.matcher;
+
+import org.springframework.util.Assert;
+import org.springframework.web.server.ServerWebExchange;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class AndServerWebExchangeMatcher implements ServerWebExchangeMatcher {
+	private final List<ServerWebExchangeMatcher> matchers;
+
+	public AndServerWebExchangeMatcher(List<ServerWebExchangeMatcher> matchers) {
+		Assert.notEmpty(matchers, "matchers cannot be empty");
+		this.matchers = matchers;
+	}
+
+	public AndServerWebExchangeMatcher(ServerWebExchangeMatcher... matchers) {
+		this(Arrays.asList(matchers));
+	}
+
+	/* (non-Javadoc)
+	 * @see org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher#matches(org.springframework.web.server.ServerWebExchange)
+	 */
+	@Override
+	public MatchResult matches(ServerWebExchange exchange) {
+		Map<String, Object> variables = new HashMap<>();
+		return matchers.stream()
+			.map(m -> m.matches(exchange))
+			.peek( m -> variables.putAll(m.getVariables()))
+			.allMatch(m -> m.isMatch()) ? MatchResult.match(variables) : MatchResult.notMatch();
+	}
+
+	@Override
+	public String toString() {
+		return "AndServerWebExchangeMatcher{" +
+				"matchers=" + matchers +
+				'}';
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/util/matcher/OrServerWebExchangeMatcher.java

@@ -0,0 +1,62 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.util.matcher;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.function.Predicate;
+
+import org.springframework.util.Assert;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class OrServerWebExchangeMatcher implements ServerWebExchangeMatcher {
+	private final List<ServerWebExchangeMatcher> matchers;
+
+	public OrServerWebExchangeMatcher(List<ServerWebExchangeMatcher> matchers) {
+		Assert.notEmpty(matchers, "matchers cannot be empty");
+		this.matchers = matchers;
+	}
+
+
+	public OrServerWebExchangeMatcher(ServerWebExchangeMatcher... matchers) {
+		this(Arrays.asList(matchers));
+	}
+
+	/* (non-Javadoc)
+	 * @see org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher#matches(org.springframework.web.server.ServerWebExchange)
+	 */
+	@Override
+	public MatchResult matches(ServerWebExchange exchange) {
+		return matchers.stream()
+			.map(m -> m.matches(exchange))
+			.filter(m -> m.isMatch())
+			.findFirst()
+			.orElse(MatchResult.notMatch());
+	}
+
+	@Override
+	public String toString() {
+		return "OrServerWebExchangeMatcher{" +
+				"matchers=" + matchers +
+				'}';
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/util/matcher/PathMatcherServerWebExchangeMatcher.java

@@ -0,0 +1,81 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.util.matcher;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.Assert;
+import org.springframework.util.PathMatcher;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.support.HttpRequestPathHelper;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public final class PathMatcherServerWebExchangeMatcher implements ServerWebExchangeMatcher {
+	private HttpRequestPathHelper helper = new HttpRequestPathHelper();
+
+	private PathMatcher pathMatcher = new AntPathMatcher();
+
+	private final String pattern;
+	private final HttpMethod method;
+
+	public PathMatcherServerWebExchangeMatcher(String pattern) {
+		this(pattern, null);
+	}
+
+	public PathMatcherServerWebExchangeMatcher(String pattern, HttpMethod method) {
+		Assert.notNull(pattern, "pattern cannot be null");
+		this.pattern = pattern;
+		this.method = method;
+	}
+
+	@Override
+	public MatchResult matches(ServerWebExchange exchange) {
+		ServerHttpRequest request = exchange.getRequest();
+		if(this.method != null && !this.method.equals(request.getMethod())) {
+			return MatchResult.notMatch();
+		}
+		String path = helper.getLookupPathForRequest(exchange);
+		boolean match = pathMatcher.match(pattern, path);
+		if(!match) {
+			return MatchResult.notMatch();
+		}
+		Map<String,String> pathVariables = pathMatcher.extractUriTemplateVariables(pattern, path);
+		Map<String,Object> variables = new HashMap<>(pathVariables);
+		return MatchResult.match(variables);
+	}
+
+	public void setPathMatcher(PathMatcher pathMatcher) {
+		Assert.notNull(pathMatcher, "pathMatcher cannot be null");
+		this.pathMatcher = pathMatcher;
+	}
+
+	@Override
+	public String toString() {
+		return "PathMatcherServerWebExchangeMatcher{" +
+				"pattern='" + pattern + '\'' +
+				", method=" + method +
+				'}';
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/util/matcher/ServerWebExchangeMatcher.java

@@ -0,0 +1,63 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.util.matcher;
+
+import java.util.Collections;
+import java.util.Map;
+
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public interface ServerWebExchangeMatcher {
+
+	MatchResult matches(ServerWebExchange exchange);
+
+	class MatchResult {
+		private final boolean match;
+		private final Map<String,Object> variables;
+
+		private MatchResult(boolean match, Map<String, Object> variables) {
+			this.match = match;
+			this.variables = variables;
+		}
+
+		public boolean isMatch() {
+			return match;
+		}
+
+		public Map<String,Object> getVariables() {
+			return variables;
+		}
+
+		public static MatchResult match() {
+			return match(Collections.emptyMap());
+		}
+
+		public static MatchResult match(Map<String,Object> variables) {
+			return new MatchResult(true, variables);
+		}
+
+		public static MatchResult notMatch() {
+			return new MatchResult(false, Collections.emptyMap());
+		}
+	}
+}

webflux/src/main/java/org/springframework/security/web/server/util/matcher/ServerWebExchangeMatchers.java

@@ -0,0 +1,59 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.util.matcher;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.web.server.ServerWebExchange;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public abstract class ServerWebExchangeMatchers {
+
+	public static ServerWebExchangeMatcher antMatchers(HttpMethod method, String... patterns) {
+		List<ServerWebExchangeMatcher> matchers = new ArrayList<>(patterns.length);
+		for (String pattern : patterns) {
+			matchers.add(new PathMatcherServerWebExchangeMatcher(pattern, method));
+		}
+		return new OrServerWebExchangeMatcher(matchers);
+	}
+
+	public static ServerWebExchangeMatcher antMatchers(String... patterns) {
+		return antMatchers(null, patterns);
+	}
+
+	public static ServerWebExchangeMatcher matchers(ServerWebExchangeMatcher... matchers) {
+		return new OrServerWebExchangeMatcher(matchers);
+	}
+
+	public static ServerWebExchangeMatcher anyExchange() {
+		return new ServerWebExchangeMatcher() {
+			@Override
+			public MatchResult matches(ServerWebExchange exchange) {
+				return ServerWebExchangeMatcher.MatchResult.match();
+			}
+		};
+	}
+
+	private ServerWebExchangeMatchers() {
+	}
+}

webflux/src/test/java/org/springframework/security/test/web/reactive/server/WebTestClientBuilder.java

@@ -0,0 +1,50 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.test.web.reactive.server;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.test.web.reactive.server.WebTestClient.Builder;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.server.WebFilter;
+
+/**
+ * Provides a convenient mechanism for running {@link WebTestClient} against
+ * {@link WebFilter}
+ *
+ * @author Rob Winch
+ * @since 5.0
+ *
+ */
+public class WebTestClientBuilder {
+
+	public static Builder bindToWebFilters(WebFilter... webFilters) {
+		return WebTestClient.bindToController(new Http200RestController()).webFilter(webFilters).configureClient();
+	}
+
+	@RestController
+	static class Http200RestController {
+		@RequestMapping("/**")
+		@ResponseStatus(HttpStatus.OK)
+		public String ok() {
+			return "ok";
+		}
+	}
+}

webflux/src/test/java/org/springframework/security/test/web/reactive/server/WebTestHandler.java

@@ -0,0 +1,63 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.test.web.reactive.server;
+
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest.BaseBuilder;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebHandler;
+import org.springframework.web.server.handler.FilteringWebHandler;
+
+import reactor.core.publisher.Mono;
+
+import java.util.Arrays;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class WebTestHandler {
+	private final WebHandler handler;
+
+	private WebTestHandler(WebHandler handler) {
+		this.handler = handler;
+	}
+
+	public WebHandlerResult exchange(BaseBuilder<?> baseBuilder) {
+		ServerWebExchange exchange = baseBuilder.toExchange();
+		handler.handle(exchange).block();
+		return new WebHandlerResult(exchange);
+	}
+
+	public static class WebHandlerResult {
+		private final ServerWebExchange exchange;
+
+		private WebHandlerResult(ServerWebExchange exchange) {
+			this.exchange = exchange;
+		}
+
+		public ServerWebExchange getExchange() {
+			return exchange;
+		}
+	}
+
+	public static WebTestHandler bindToWebFilters(WebFilter... filters) {
+		return new WebTestHandler(new FilteringWebHandler(exchange -> Mono.empty(), Arrays.asList(filters)));
+	}
+}

webflux/src/test/java/org/springframework/security/web/method/ResolvableMethod.java

@@ -0,0 +1,679 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.method;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Method;
+import java.lang.reflect.Parameter;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.function.Consumer;
+import java.util.function.Predicate;
+import java.util.function.Supplier;
+
+import org.aopalliance.intercept.MethodInterceptor;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.aop.framework.ProxyFactory;
+import org.springframework.aop.target.EmptyTargetSource;
+import org.springframework.cglib.core.SpringNamingPolicy;
+import org.springframework.cglib.proxy.Callback;
+import org.springframework.cglib.proxy.Enhancer;
+import org.springframework.cglib.proxy.Factory;
+import org.springframework.cglib.proxy.MethodProxy;
+import org.springframework.core.LocalVariableTableParameterNameDiscoverer;
+import org.springframework.core.MethodIntrospector;
+import org.springframework.core.MethodParameter;
+import org.springframework.core.ParameterNameDiscoverer;
+import org.springframework.core.ResolvableType;
+import org.springframework.core.annotation.AnnotatedElementUtils;
+import org.springframework.core.annotation.AnnotationUtils;
+import org.springframework.core.annotation.SynthesizingMethodParameter;
+import org.springframework.objenesis.ObjenesisException;
+import org.springframework.objenesis.SpringObjenesis;
+import org.springframework.util.Assert;
+import org.springframework.util.ObjectUtils;
+import org.springframework.util.ReflectionUtils;
+import org.springframework.web.bind.annotation.ValueConstants;
+
+import static java.util.stream.Collectors.joining;
+
+/**
+ * Convenience class to resolve method parameters from hints.
+ *
+ * <h1>Background</h1>
+ *
+ * <p>When testing annotated methods we create test classes such as
+ * "TestController" with a diverse range of method signatures representing
+ * supported annotations and argument types. It becomes challenging to use
+ * naming strategies to keep track of methods and arguments especially in
+ * combination with variables for reflection metadata.
+ *
+ * <p>The idea with {@link ResolvableMethod} is NOT to rely on naming techniques
+ * but to use hints to zero in on method parameters. Such hints can be strongly
+ * typed and explicit about what is being tested.
+ *
+ * <h2>1. Declared Return Type</h2>
+ *
+ * When testing return types it's likely to have many methods with a unique
+ * return type, possibly with or without an annotation.
+ *
+ * <pre>
+ *
+ * import static org.springframework.web.method.ResolvableMethod.on;
+ * import static org.springframework.web.method.MvcAnnotationPredicates.requestMapping;
+ *
+ * // Return type
+ * on(TestController.class).resolveReturnType(Foo.class);
+ * on(TestController.class).resolveReturnType(List.class, Foo.class);
+ * on(TestController.class).resolveReturnType(Mono.class, responseEntity(Foo.class));
+ *
+ * // Annotation + return type
+ * on(TestController.class).annotPresent(RequestMapping.class).resolveReturnType(Bar.class);
+ *
+ * // Annotation not present
+ * on(TestController.class).annotNotPresent(RequestMapping.class).resolveReturnType();
+ *
+ * // Annotation with attributes
+ * on(TestController.class).annot(requestMapping("/foo").params("p")).resolveReturnType();
+ * </pre>
+ *
+ * <h2>2. Method Arguments</h2>
+ *
+ * When testing method arguments it's more likely to have one or a small number
+ * of methods with a wide array of argument types and parameter annotations.
+ *
+ * <pre>
+ *
+ * import static org.springframework.web.method.MvcAnnotationPredicates.requestParam;
+ *
+ * ResolvableMethod testMethod = ResolvableMethod.on(getClass()).named("handle").build();
+ *
+ * testMethod.arg(Foo.class);
+ * testMethod.annotPresent(RequestParam.class).arg(Integer.class);
+ * testMethod.annotNotPresent(RequestParam.class)).arg(Integer.class);
+ * testMethod.annot(requestParam().name("c").notRequired()).arg(Integer.class);
+ * </pre>
+ *
+ * <h3>3. Mock Handler Method Invocation</h3>
+ *
+ * Locate a method by invoking it through a proxy of the target handler:
+ *
+ * <pre>
+ *
+ * ResolvableMethod.on(TestController.class).mockCall(o -> o.handle(null)).method();
+ * </pre>
+ *
+ * @author Rossen Stoyanchev
+ * @since 5.0
+ */
+public class ResolvableMethod {
+
+	private static final Log logger = LogFactory.getLog(ResolvableMethod.class);
+
+	private static final SpringObjenesis objenesis = new SpringObjenesis();
+
+	private static final ParameterNameDiscoverer nameDiscoverer =
+		new LocalVariableTableParameterNameDiscoverer();
+
+
+	private final Method method;
+
+
+	private ResolvableMethod(Method method) {
+		Assert.notNull(method, "method is required");
+		this.method = method;
+	}
+
+
+	/**
+	 * Return the resolved method.
+	 */
+	public Method method() {
+		return this.method;
+	}
+
+	/**
+	 * Return the declared return type of the resolved method.
+	 */
+	public MethodParameter returnType() {
+		return new SynthesizingMethodParameter(this.method, -1);
+	}
+
+	/**
+	 * Find a unique argument matching the given type.
+	 * @param type the expected type
+	 * @param generics optional array of generic types
+	 */
+	public MethodParameter arg(Class<?> type, Class<?>... generics) {
+		return new ArgResolver().arg(type, generics);
+	}
+
+	/**
+	 * Find a unique argument matching the given type.
+	 * @param type the expected type
+	 * @param generic at least one generic type
+	 * @param generics optional array of generic types
+	 */
+	public MethodParameter arg(Class<?> type, ResolvableType generic, ResolvableType... generics) {
+		return new ArgResolver().arg(type, generic, generics);
+	}
+
+	/**
+	 * Find a unique argument matching the given type.
+	 * @param type the expected type
+	 */
+	public MethodParameter arg(ResolvableType type) {
+		return new ArgResolver().arg(type);
+	}
+
+	/**
+	 * Filter on method arguments with annotation.
+	 * See {@link MvcAnnotationPredicates}.
+	 */
+	@SafeVarargs
+	public final ArgResolver annot(Predicate<MethodParameter>... filter) {
+		return new ArgResolver(filter);
+	}
+
+	@SafeVarargs
+	public final ArgResolver annotPresent(Class<? extends Annotation>... annotationTypes) {
+		return new ArgResolver().annotPresent(annotationTypes);
+	}
+
+	/**
+	 * Filter on method arguments that don't have the given annotation type(s).
+	 * @param annotationTypes the annotation types
+	 */
+	@SafeVarargs
+	public final ArgResolver annotNotPresent(Class<? extends Annotation>... annotationTypes) {
+		return new ArgResolver().annotNotPresent(annotationTypes);
+	}
+
+
+	@Override
+	public String toString() {
+		return "ResolvableMethod=" + formatMethod();
+	}
+
+	private String formatMethod() {
+		return this.method().getName() +
+			Arrays.stream(this.method.getParameters())
+				.map(this::formatParameter)
+				.collect(joining(",\n\t", "(\n\t", "\n)"));
+	}
+
+	private String formatParameter(Parameter param) {
+		Annotation[] annot = param.getAnnotations();
+		return annot.length > 0 ?
+			Arrays.stream(annot).map(this::formatAnnotation).collect(joining(",", "[", "]")) + " " + param :
+			param.toString();
+	}
+
+	private String formatAnnotation(Annotation annotation) {
+		Map<String, Object> map = AnnotationUtils.getAnnotationAttributes(annotation);
+		map.forEach((key, value) -> {
+			if (value.equals(ValueConstants.DEFAULT_NONE)) {
+				map.put(key, "NONE");
+			}
+		});
+		return annotation.annotationType().getName() + map;
+	}
+
+	private static ResolvableType toResolvableType(Class<?> type, Class<?>... generics) {
+		return ObjectUtils.isEmpty(generics) ?
+			ResolvableType.forClass(type) :
+			ResolvableType.forClassWithGenerics(type, generics);
+	}
+
+	private static ResolvableType toResolvableType(Class<?> type, ResolvableType generic, ResolvableType... generics) {
+		ResolvableType[] genericTypes = new ResolvableType[generics.length + 1];
+		genericTypes[0] = generic;
+		System.arraycopy(generics, 0, genericTypes, 1, generics.length);
+		return ResolvableType.forClassWithGenerics(type, genericTypes);
+	}
+
+
+	/**
+	 * Main entry point providing access to a {@code ResolvableMethod} builder.
+	 */
+	public static <T> Builder<T> on(Class<T> objectClass) {
+		return new Builder<>(objectClass);
+	}
+
+
+	/**
+	 * Builder for {@code ResolvableMethod}.
+	 */
+	public static class Builder<T> {
+
+		private final Class<?> objectClass;
+
+		private final List<Predicate<Method>> filters = new ArrayList<>(4);
+
+
+		private Builder(Class<?> objectClass) {
+			Assert.notNull(objectClass, "Class must not be null");
+			this.objectClass = objectClass;
+		}
+
+
+		private void addFilter(String message, Predicate<Method> filter) {
+			this.filters.add(new LabeledPredicate<>(message, filter));
+		}
+
+		/**
+		 * Filter on methods with the given name.
+		 */
+		public Builder<T> named(String methodName) {
+			addFilter("methodName=" + methodName, m -> m.getName().equals(methodName));
+			return this;
+		}
+
+		/**
+		 * Filter on annotated methods.
+		 * See {@link MvcAnnotationPredicates}.
+		 */
+		@SafeVarargs
+		public final Builder<T> annot(Predicate<Method>... filters) {
+			this.filters.addAll(Arrays.asList(filters));
+			return this;
+		}
+
+		/**
+		 * Filter on methods annotated with the given annotation type.
+		 * @see #annot(Predicate[])
+		 * @see MvcAnnotationPredicates
+		 */
+		@SafeVarargs
+		public final Builder<T> annotPresent(Class<? extends Annotation>... annotationTypes) {
+			String message = "annotationPresent=" + Arrays.toString(annotationTypes);
+			addFilter(message, method ->
+				Arrays.stream(annotationTypes).allMatch(annotType ->
+					AnnotatedElementUtils.findMergedAnnotation(method, annotType) != null));
+			return this;
+		}
+
+		/**
+		 * Filter on methods not annotated with the given annotation type.
+		 */
+		@SafeVarargs
+		public final Builder<T> annotNotPresent(Class<? extends Annotation>... annotationTypes) {
+			String message = "annotationNotPresent=" + Arrays.toString(annotationTypes);
+			addFilter(message, method -> {
+				if (annotationTypes.length != 0) {
+					return Arrays.stream(annotationTypes).noneMatch(annotType ->
+						AnnotatedElementUtils.findMergedAnnotation(method, annotType) != null);
+				}
+				else {
+					return method.getAnnotations().length == 0;
+				}
+			});
+			return this;
+		}
+
+		/**
+		 * Filter on methods returning the given type.
+		 * @param returnType the return type
+		 * @param generics optional array of generic types
+		 */
+		public Builder<T> returning(Class<?> returnType, Class<?>... generics) {
+			return returning(toResolvableType(returnType, generics));
+		}
+
+		/**
+		 * Filter on methods returning the given type with generics.
+		 * @param returnType the return type
+		 * @param generic at least one generic type
+		 * @param generics optional extra generic types
+		 */
+		public Builder<T> returning(Class<?> returnType, ResolvableType generic, ResolvableType... generics) {
+			return returning(toResolvableType(returnType, generic, generics));
+		}
+
+		/**
+		 * Filter on methods returning the given type.
+		 * @param returnType the return type
+		 */
+		public Builder<T> returning(ResolvableType returnType) {
+			String expected = returnType.toString();
+			String message = "returnType=" + expected;
+			addFilter(message, m -> expected.equals(ResolvableType.forMethodReturnType(m).toString()));
+			return this;
+		}
+
+		/**
+		 * Build a {@code ResolvableMethod} from the provided filters which must
+		 * resolve to a unique, single method.
+		 *
+		 * <p>See additional resolveXxx shortcut methods going directly to
+		 * {@link Method} or return type parameter.
+		 *
+		 * @throws IllegalStateException for no match or multiple matches
+		 */
+		public ResolvableMethod build() {
+			Set<Method> methods = MethodIntrospector.selectMethods(this.objectClass, this::isMatch);
+			Assert.state(!methods.isEmpty(), "No matching method: " + this);
+			Assert.state(methods.size() == 1, "Multiple matching methods: " + this + formatMethods(methods));
+			return new ResolvableMethod(methods.iterator().next());
+		}
+
+		private boolean isMatch(Method method) {
+			return this.filters.stream().allMatch(p -> p.test(method));
+		}
+
+		private String formatMethods(Set<Method> methods) {
+			return "\nMatched:\n" + methods.stream()
+				.map(Method::toGenericString).collect(joining(",\n\t", "[\n\t", "\n]"));
+		}
+
+		public ResolvableMethod mockCall(Consumer<T> invoker) {
+			MethodInvocationInterceptor interceptor = new MethodInvocationInterceptor();
+			T proxy = initProxy(this.objectClass, interceptor);
+			invoker.accept(proxy);
+			Method method = interceptor.getInvokedMethod();
+			return new ResolvableMethod(method);
+		}
+
+
+		// Build & resolve shortcuts...
+
+		/**
+		 * Resolve and return the {@code Method} equivalent to:
+		 * <p>{@code build().method()}
+		 */
+		public final Method resolveMethod() {
+			return build().method();
+		}
+
+		/**
+		 * Resolve and return the {@code Method} equivalent to:
+		 * <p>{@code named(methodName).build().method()}
+		 */
+		public Method resolveMethod(String methodName) {
+			return named(methodName).build().method();
+		}
+
+		/**
+		 * Resolve and return the declared return type equivalent to:
+		 * <p>{@code build().returnType()}
+		 */
+		public final MethodParameter resolveReturnType() {
+			return build().returnType();
+		}
+
+		/**
+		 * Shortcut to the unique return type equivalent to:
+		 * <p>{@code returning(returnType).build().returnType()}
+		 * @param returnType the return type
+		 * @param generics optional array of generic types
+		 */
+		public MethodParameter resolveReturnType(Class<?> returnType, Class<?>... generics) {
+			return returning(returnType, generics).build().returnType();
+		}
+
+		/**
+		 * Shortcut to the unique return type equivalent to:
+		 * <p>{@code returning(returnType).build().returnType()}
+		 * @param returnType the return type
+		 * @param generic at least one generic type
+		 * @param generics optional extra generic types
+		 */
+		public MethodParameter resolveReturnType(Class<?> returnType, ResolvableType generic,
+												 ResolvableType... generics) {
+
+			return returning(returnType, generic, generics).build().returnType();
+		}
+
+		public MethodParameter resolveReturnType(ResolvableType returnType) {
+			return returning(returnType).build().returnType();
+		}
+
+
+		@Override
+		public String toString() {
+			return "ResolvableMethod.Builder[\n" +
+				"\tobjectClass = " + this.objectClass.getName() + ",\n" +
+				"\tfilters = " + formatFilters() + "\n]";
+		}
+
+		private String formatFilters() {
+			return this.filters.stream().map(Object::toString)
+				.collect(joining(",\n\t\t", "[\n\t\t", "\n\t]"));
+		}
+	}
+
+	/**
+	 * Predicate with a descriptive label.
+	 */
+	private static class LabeledPredicate<T> implements Predicate<T> {
+
+		private final String label;
+
+		private final Predicate<T> delegate;
+
+
+		private LabeledPredicate(String label, Predicate<T> delegate) {
+			this.label = label;
+			this.delegate = delegate;
+		}
+
+
+		@Override
+		public boolean test(T method) {
+			return this.delegate.test(method);
+		}
+
+		@Override
+		public Predicate<T> and(Predicate<? super T> other) {
+			return this.delegate.and(other);
+		}
+
+		@Override
+		public Predicate<T> negate() {
+			return this.delegate.negate();
+		}
+
+		@Override
+		public Predicate<T> or(Predicate<? super T> other) {
+			return this.delegate.or(other);
+		}
+
+		@Override
+		public String toString() {
+			return this.label;
+		}
+	}
+
+	/**
+	 * Resolver for method arguments.
+	 */
+	public class ArgResolver {
+
+		private final List<Predicate<MethodParameter>> filters = new ArrayList<>(4);
+
+
+		@SafeVarargs
+		private ArgResolver(Predicate<MethodParameter>... filter) {
+			this.filters.addAll(Arrays.asList(filter));
+		}
+
+		/**
+		 * Filter on method arguments with annotations.
+		 * See {@link MvcAnnotationPredicates}.
+		 */
+		@SafeVarargs
+		public final ArgResolver annot(Predicate<MethodParameter>... filters) {
+			this.filters.addAll(Arrays.asList(filters));
+			return this;
+		}
+
+		/**
+		 * Filter on method arguments that have the given annotations.
+		 * @param annotationTypes the annotation types
+		 * @see #annot(Predicate[])
+		 * @see MvcAnnotationPredicates
+		 */
+		@SafeVarargs
+		public final ArgResolver annotPresent(Class<? extends Annotation>... annotationTypes) {
+			this.filters.add(param -> Arrays.stream(annotationTypes).allMatch(param::hasParameterAnnotation));
+			return this;
+		}
+
+		/**
+		 * Filter on method arguments that don't have the given annotations.
+		 * @param annotationTypes the annotation types
+		 */
+		@SafeVarargs
+		public final ArgResolver annotNotPresent(Class<? extends Annotation>... annotationTypes) {
+			this.filters.add(param ->
+				(annotationTypes.length != 0) ?
+					Arrays.stream(annotationTypes).noneMatch(param::hasParameterAnnotation) :
+					param.getParameterAnnotations().length == 0);
+			return this;
+		}
+
+		/**
+		 * Resolve the argument also matching to the given type.
+		 * @param type the expected type
+		 */
+		public MethodParameter arg(Class<?> type, Class<?>... generics) {
+			return arg(toResolvableType(type, generics));
+		}
+
+		/**
+		 * Resolve the argument also matching to the given type.
+		 * @param type the expected type
+		 */
+		public MethodParameter arg(Class<?> type, ResolvableType generic, ResolvableType... generics) {
+			return arg(toResolvableType(type, generic, generics));
+		}
+
+		/**
+		 * Resolve the argument also matching to the given type.
+		 * @param type the expected type
+		 */
+		public MethodParameter arg(ResolvableType type) {
+			this.filters.add(p -> type.toString().equals(ResolvableType.forMethodParameter(p).toString()));
+			return arg();
+		}
+
+		/**
+		 * Resolve the argument.
+		 */
+		public final MethodParameter arg() {
+			List<MethodParameter> matches = applyFilters();
+			Assert.state(!matches.isEmpty(), () ->
+				"No matching arg in method\n" + formatMethod());
+			Assert.state(matches.size() == 1, () ->
+				"Multiple matching args in method\n" + formatMethod() + "\nMatches:\n\t" + matches);
+			return matches.get(0);
+		}
+
+
+		private List<MethodParameter> applyFilters() {
+			List<MethodParameter> matches = new ArrayList<>();
+			for (int i = 0; i < method.getParameterCount(); i++) {
+				MethodParameter param = new SynthesizingMethodParameter(method, i);
+				param.initParameterNameDiscovery(nameDiscoverer);
+				if (this.filters.stream().allMatch(p -> p.test(param))) {
+					matches.add(param);
+				}
+			}
+			return matches;
+		}
+	}
+
+	private static class MethodInvocationInterceptor
+		implements org.springframework.cglib.proxy.MethodInterceptor, MethodInterceptor {
+
+		private Method invokedMethod;
+
+
+		Method getInvokedMethod() {
+			return this.invokedMethod;
+		}
+
+		@Override
+		public Object intercept(Object object, Method method, Object[] args, MethodProxy proxy) {
+			if (ReflectionUtils.isObjectMethod(method)) {
+				return ReflectionUtils.invokeMethod(method, object, args);
+			}
+			else {
+				this.invokedMethod = method;
+				return null;
+			}
+		}
+
+		@Override
+		public Object invoke(org.aopalliance.intercept.MethodInvocation inv) throws Throwable {
+			return intercept(inv.getThis(), inv.getMethod(), inv.getArguments(), null);
+		}
+	}
+
+	@SuppressWarnings("unchecked")
+	private static <T> T initProxy(Class<?> type, MethodInvocationInterceptor interceptor) {
+		Assert.notNull(type, "'type' must not be null");
+		if (type.isInterface()) {
+			ProxyFactory factory = new ProxyFactory(EmptyTargetSource.INSTANCE);
+			factory.addInterface(type);
+			factory.addInterface(Supplier.class);
+			factory.addAdvice(interceptor);
+			return (T) factory.getProxy();
+		}
+
+		else {
+			Enhancer enhancer = new Enhancer();
+			enhancer.setSuperclass(type);
+			enhancer.setInterfaces(new Class<?>[] {Supplier.class});
+			enhancer.setNamingPolicy(SpringNamingPolicy.INSTANCE);
+			enhancer.setCallbackType(org.springframework.cglib.proxy.MethodInterceptor.class);
+
+			Class<?> proxyClass = enhancer.createClass();
+			Object proxy = null;
+
+			if (objenesis.isWorthTrying()) {
+				try {
+					proxy = objenesis.newInstance(proxyClass, enhancer.getUseCache());
+				}
+				catch (ObjenesisException ex) {
+					logger.debug("Objenesis failed, falling back to default constructor", ex);
+				}
+			}
+
+			if (proxy == null) {
+				try {
+					proxy = ReflectionUtils.accessibleConstructor(proxyClass).newInstance();
+				}
+				catch (Throwable ex) {
+					throw new IllegalStateException("Unable to instantiate proxy " +
+						"via both Objenesis and default constructor fails as well", ex);
+				}
+			}
+
+			((Factory) proxy).setCallbacks(new Callback[] {interceptor});
+			return (T) proxy;
+		}
+	}
+
+}

webflux/src/test/java/org/springframework/security/web/reactive/result/method/annotation/AuthenticationPrincipalArgumentResolverTests.java

@@ -0,0 +1,167 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.reactive.result.method.annotation;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.core.MethodParameter;
+import org.springframework.core.ReactiveAdapterRegistry;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.web.method.ResolvableMethod;
+import org.springframework.web.reactive.BindingContext;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+import java.lang.annotation.*;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.when;
+
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class AuthenticationPrincipalArgumentResolverTests {
+	@Mock
+	ServerWebExchange exchange;
+	@Mock
+	BindingContext bindingContext;
+	@Mock
+	Authentication authentication;
+
+	ResolvableMethod authenticationPrincipal = ResolvableMethod.on(getClass()).named("authenticationPrincipal").build();
+	ResolvableMethod spel = ResolvableMethod.on(getClass()).named("spel").build();
+	ResolvableMethod meta = ResolvableMethod.on(getClass()).named("meta").build();
+
+	AuthenticationPrincipalArgumentResolver resolver;
+
+	@Before
+	public void setup() {
+		resolver =  new AuthenticationPrincipalArgumentResolver(new ReactiveAdapterRegistry());
+	}
+
+	@Test
+	public void supportsParameterAuthenticationPrincipal() throws Exception {
+		assertThat(resolver.supportsParameter(this.authenticationPrincipal.arg(String.class))).isTrue();
+	}
+
+	@Test
+	public void supportsParameterCurrentUser() throws Exception {
+		assertThat(resolver.supportsParameter(this.meta.arg(String.class))).isTrue();
+	}
+
+	@Test
+	public void resolveArgumentWhenIsAuthenticationThenObtainsPrincipal() throws Exception {
+		MethodParameter parameter = this.authenticationPrincipal.arg(String.class);
+		when(authentication.getPrincipal()).thenReturn("user");
+		when(exchange.getPrincipal()).thenReturn(Mono.just(authentication));
+
+		Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
+
+		assertThat(argument.block()).isEqualTo(authentication.getPrincipal());
+	}
+
+	@Test
+	public void resolveArgumentWhenIsNotAuthenticationThenMonoEmpty() throws Exception {
+		MethodParameter parameter = this.authenticationPrincipal.arg(String.class);
+		when(exchange.getPrincipal()).thenReturn(Mono.just(() -> ""));
+
+		Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
+
+		assertThat(argument).isNotNull();
+		assertThat(argument.block()).isNull();
+	}
+
+	@Test
+	public void resolveArgumentWhenIsEmptyThenMonoEmpty() throws Exception {
+		MethodParameter parameter = this.authenticationPrincipal.arg(String.class);
+		when(authentication.getPrincipal()).thenReturn("user");
+		when(exchange.getPrincipal()).thenReturn(Mono.empty());
+
+		Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
+
+		assertThat(argument).isNotNull();
+		assertThat(argument.block()).isNull();
+	}
+
+	@Test
+	public void resolveArgumentWhenMonoIsAuthenticationThenObtainsPrincipal() throws Exception {
+		MethodParameter parameter = this.authenticationPrincipal.arg(Mono.class, String.class);
+		when(authentication.getPrincipal()).thenReturn("user");
+		when(exchange.getPrincipal()).thenReturn(Mono.just(authentication));
+
+		Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
+
+		assertThat(argument.cast(Mono.class).block().block()).isEqualTo(authentication.getPrincipal());
+	}
+
+	@Test
+	public void resolveArgumentWhenSpelThenObtainsPrincipal() throws Exception {
+		MyUser user = new MyUser(3L);
+		MethodParameter parameter = this.spel.arg(Long.class);
+		when(authentication.getPrincipal()).thenReturn(user);
+		when(exchange.getPrincipal()).thenReturn(Mono.just(authentication));
+
+		Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
+
+		assertThat(argument.block()).isEqualTo(user.getId());
+	}
+
+	@Test
+	public void resolveArgumentWhenMetaThenObtainsPrincipal() throws Exception {
+		MethodParameter parameter = this.meta.arg(String.class);
+		when(authentication.getPrincipal()).thenReturn("user");
+		when(exchange.getPrincipal()).thenReturn(Mono.just(authentication));
+
+		Mono<Object> argument = resolver.resolveArgument(parameter, bindingContext, exchange);
+
+		assertThat(argument.block()).isEqualTo("user");
+	}
+
+
+	void authenticationPrincipal(@AuthenticationPrincipal String principal, @AuthenticationPrincipal Mono<String> monoPrincipal) {}
+
+	void spel(@AuthenticationPrincipal(expression = "id") Long id) {}
+
+	void meta(@CurrentUser String principal) {}
+
+	static class MyUser {
+		private final Long id;
+
+		MyUser(Long id) {
+			this.id = id;
+		}
+
+		public Long getId() {
+			return id;
+		}
+	}
+
+	@Target({ ElementType.PARAMETER, ElementType.ANNOTATION_TYPE })
+	@Retention(RetentionPolicy.RUNTIME)
+	@Documented
+	@AuthenticationPrincipal
+	public @interface CurrentUser {}
+}

webflux/src/test/java/org/springframework/security/web/server/HttpBasicAuthenticationConverterTests.java

@@ -0,0 +1,83 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server;
+
+import org.junit.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class HttpBasicAuthenticationConverterTests {
+
+	HttpBasicAuthenticationConverter converter = new HttpBasicAuthenticationConverter();
+	MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/");
+
+	@Test
+	public void applyWhenNoAuthorizationHeaderThenEmpty() {
+		Mono<Authentication> result = converter.apply(request.toExchange());
+
+		assertThat(result.block()).isNull();
+	}
+
+	@Test
+	public void applyWhenEmptyAuthorizationHeaderThenEmpty() {
+		Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "").toExchange());
+
+		assertThat(result.block()).isNull();
+	}
+
+	@Test
+	public void applyWhenOnlyBasicAuthorizationHeaderThenEmpty() {
+		Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "Basic ").toExchange());
+
+		assertThat(result.block()).isNull();
+	}
+
+	@Test
+	public void applyWhenNotBase64ThenEmpty() {
+		Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "Basic z").toExchange());
+
+		assertThat(result.block()).isNull();
+	}
+
+	@Test
+	public void applyWhenNoSemicolonThenEmpty() {
+		Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcg==").toExchange());
+
+		assertThat(result.block()).isNull();
+	}
+
+	@Test
+	public void applyWhenUserPasswordThenAuthentication() {
+		Mono<Authentication> result = converter.apply(request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd29yZA==").toExchange());
+
+		UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class).block();
+		assertThat(authentication.getPrincipal()).isEqualTo("user");
+		assertThat(authentication.getCredentials()).isEqualTo("password");
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/authentication/AuthenticationWebFilterTests.java

@@ -0,0 +1,235 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.authentication;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
+import org.springframework.security.web.server.AuthenticationEntryPoint;
+import org.springframework.test.web.reactive.server.EntityExchangeResult;
+import org.springframework.test.web.reactive.server.WebTestClient;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+import java.util.function.Function;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.eq;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.when;
+import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;
+
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class AuthenticationWebFilterTests {
+	@Mock
+	AuthenticationSuccessHandler successHandler;
+	@Mock
+	Function<ServerWebExchange,Mono<Authentication>> authenticationConverter;
+	@Mock
+	ReactiveAuthenticationManager authenticationManager;
+	@Mock
+	AuthenticationEntryPoint entryPoint;
+
+	AuthenticationWebFilter filter;
+
+	@Before
+	public void setup() {
+		filter = new AuthenticationWebFilter(authenticationManager);
+		filter.setAuthenticationSuccessHandler(successHandler);
+		filter.setAuthenticationConverter(authenticationConverter);
+		filter.setEntryPoint(entryPoint);
+	}
+
+	@Test
+	public void filterWhenDefaultsAndNoAuthenticationThenContinues() {
+		filter = new AuthenticationWebFilter(authenticationManager);
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(filter)
+			.build();
+
+		EntityExchangeResult<byte[]> result = client.get()
+			.uri("/")
+			.exchange()
+			.expectStatus().isOk()
+			.expectBody().consumeAsStringWith(b -> assertThat(b).isEqualTo("ok"))
+			.returnResult();
+
+		verifyZeroInteractions(authenticationManager);
+		assertThat(result.getResponseCookies()).isEmpty();
+	}
+
+	@Test
+	public void filterWhenDefaultsAndAuthenticationSuccessThenContinues() {
+		when(authenticationManager.authenticate(any())).thenReturn(Mono.just(new TestingAuthenticationToken("test","this", "ROLE")));
+		filter = new AuthenticationWebFilter(authenticationManager);
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(filter)
+			.build();
+
+		EntityExchangeResult<byte[]> result = client
+			.filter(basicAuthentication("test","this"))
+			.get()
+			.uri("/")
+			.exchange()
+			.expectStatus().isOk()
+			.expectBody().consumeAsStringWith(b -> assertThat(b).isEqualTo("ok"))
+			.returnResult();
+
+		assertThat(result.getResponseCookies()).isEmpty();
+	}
+
+	@Test
+	public void filterWhenDefaultsAndAuthenticationFailThenUnauthorized() {
+		when(authenticationManager.authenticate(any())).thenReturn(Mono.error(new BadCredentialsException("failed")));
+		filter = new AuthenticationWebFilter(authenticationManager);
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(filter)
+			.build();
+
+		EntityExchangeResult<Void> result = client
+			.filter(basicAuthentication("test", "this"))
+			.get()
+			.uri("/")
+			.exchange()
+			.expectStatus().isUnauthorized()
+			.expectHeader().valueMatches("WWW-Authenticate", "Basic realm=\"Realm\"")
+			.expectBody().isEmpty();
+
+		assertThat(result.getResponseCookies()).isEmpty();
+	}
+
+	@Test
+	public void filterWhenConvertEmptyThenOk() {
+		when(authenticationConverter.apply(any())).thenReturn(Mono.empty());
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(filter)
+			.build();
+
+		EntityExchangeResult<byte[]> result = client
+			.get()
+			.uri("/")
+			.exchange()
+			.expectStatus().isOk()
+			.expectBody().consumeAsStringWith(b -> assertThat(b).isEqualTo("ok"))
+			.returnResult();
+
+		verifyZeroInteractions(authenticationManager, successHandler, entryPoint);
+	}
+
+	@Test
+	public void filterWhenConvertErrorThenServerError() {
+		when(authenticationConverter.apply(any())).thenReturn(Mono.error(new RuntimeException("Unexpected")));
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(filter)
+			.build();
+
+		client
+			.get()
+			.uri("/")
+			.exchange()
+			.expectStatus().is5xxServerError()
+			.expectBody().isEmpty();
+
+		verifyZeroInteractions(authenticationManager, successHandler, entryPoint);
+	}
+
+	@Test
+	public void filterWhenConvertAndAuthenticationSuccessThenSuccessHandler() {
+		Mono<Authentication> authentication = Mono.just(new TestingAuthenticationToken("test", "this", "ROLE_USER"));
+		when(authenticationConverter.apply(any())).thenReturn(authentication);
+		when(authenticationManager.authenticate(any())).thenReturn(authentication);
+		when(successHandler.success(any(),any(),any())).thenReturn(Mono.empty());
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(filter)
+			.build();
+
+		client
+			.get()
+			.uri("/")
+			.exchange()
+			.expectStatus().isOk()
+			.expectBody().isEmpty();
+
+		verify(successHandler).success(eq(authentication.block()), any(), any());
+		verifyZeroInteractions(entryPoint);
+	}
+
+	@Test
+	public void filterWhenConvertAndAuthenticationFailThenEntryPoint() {
+		Mono<Authentication> authentication = Mono.just(new TestingAuthenticationToken("test", "this", "ROLE_USER"));
+		when(authenticationConverter.apply(any())).thenReturn(authentication);
+		when(authenticationManager.authenticate(any())).thenReturn(Mono.error(new BadCredentialsException("Failed")));
+		when(entryPoint.commence(any(),any())).thenReturn(Mono.empty());
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(filter)
+			.build();
+
+		client
+			.get()
+			.uri("/")
+			.exchange()
+			.expectStatus().isOk()
+			.expectBody().isEmpty();
+
+		verify(entryPoint).commence(any(),any());
+		verifyZeroInteractions(successHandler);
+	}
+
+	@Test
+	public void filterWhenConvertAndAuthenticationExceptionThenServerError() {
+		Mono<Authentication> authentication = Mono.just(new TestingAuthenticationToken("test", "this", "ROLE_USER"));
+		when(authenticationConverter.apply(any())).thenReturn(authentication);
+		when(authenticationManager.authenticate(any())).thenReturn(Mono.error(new RuntimeException("Failed")));
+		when(entryPoint.commence(any(),any())).thenReturn(Mono.empty());
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(filter)
+			.build();
+
+		client
+			.get()
+			.uri("/")
+			.exchange()
+			.expectStatus().is5xxServerError()
+			.expectBody().isEmpty();
+
+		verifyZeroInteractions(successHandler, entryPoint);
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/context/SecurityContextRepositoryWebFilterTests.java

@@ -0,0 +1,92 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.context;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.security.test.web.reactive.server.WebTestHandler;
+import reactor.core.publisher.Mono;
+
+import java.security.Principal;
+
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.*;
+
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class SecurityContextRepositoryWebFilterTests {
+	@Mock
+	SecurityContextRepository repository;
+
+	MockServerHttpRequest.BaseBuilder<?> exchange = MockServerHttpRequest.get("/");
+
+	SecurityContextRepositoryWebFilter filter;
+
+	WebTestHandler filters;
+
+
+	@Before
+	public void setup() {
+		filter = new SecurityContextRepositoryWebFilter(repository);
+		filters = WebTestHandler.bindToWebFilters(filter);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorNullSecurityContextRepository() {
+		SecurityContextRepository repository = null;
+		new SecurityContextRepositoryWebFilter(repository);
+	}
+
+	@Test
+	public void filterWhenNoPrincipalAccessThenNoInteractions() {
+		filters.exchange(exchange);
+
+		verifyZeroInteractions(repository);
+	}
+
+	@Test
+	public void filterWhenGetPrincipalMonoThenNoInteractions() {
+		filters = WebTestHandler.bindToWebFilters(filter, (e,c) -> {
+			Mono<Principal> p = e.getPrincipal();
+			return c.filter(e);
+		});
+
+		filters.exchange(exchange);
+
+		verifyZeroInteractions(repository);
+	}
+
+	@Test
+	public void filterWhenGetPrincipalThenInteract() {
+		when(repository.load(any())).thenReturn(Mono.empty());
+		filters = WebTestHandler.bindToWebFilters(filter, (e,c) -> e.getPrincipal().flatMap( p-> c.filter(e))) ;
+
+		filters.exchange(exchange);
+
+		verify(repository).load(any());
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/header/CacheControlHttpHeadersWriterTests.java

@@ -0,0 +1,83 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ *
+ */
+public class CacheControlHttpHeadersWriterTests {
+	CacheControlHttpHeadersWriter writer = new CacheControlHttpHeadersWriter();
+
+	ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
+
+	HttpHeaders headers = exchange.getResponse().getHeaders();
+
+	@Test
+	public void writeHeadersWhenCacheHeadersThenWritesAllCacheControl() {
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(3);
+		assertThat(headers.get(HttpHeaders.CACHE_CONTROL)).containsOnly(CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE);
+		assertThat(headers.get(HttpHeaders.EXPIRES)).containsOnly(CacheControlHttpHeadersWriter.EXPIRES_VALUE);
+		assertThat(headers.get(HttpHeaders.PRAGMA)).containsOnly(CacheControlHttpHeadersWriter.PRAGMA_VALUE);
+	}
+
+	@Test
+	public void writeHeadersWhenCacheControlThenNoCacheControlHeaders() {
+		String cacheControl = "max-age=1234";
+
+		headers.set(HttpHeaders.CACHE_CONTROL, cacheControl);
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers.get(HttpHeaders.CACHE_CONTROL)).containsOnly(cacheControl);
+	}
+
+	@Test
+	public void writeHeadersWhenPragmaThenNoCacheControlHeaders() {
+		String pragma = "1";
+		headers.set(HttpHeaders.PRAGMA, pragma);
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(HttpHeaders.PRAGMA)).containsOnly(pragma);
+	}
+
+	@Test
+	public void writeHeadersWhenExpiresThenNoCacheControlHeaders() {
+		String expires = "1";
+		headers.set(HttpHeaders.EXPIRES, expires);
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(HttpHeaders.EXPIRES)).containsOnly(expires);
+	}
+
+}

webflux/src/test/java/org/springframework/security/web/server/header/CompositeHttpHeadersWriterTests.java

@@ -0,0 +1,102 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import java.util.Arrays;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.web.server.ServerWebExchange;
+
+import reactor.core.publisher.Mono;
+import reactor.test.StepVerifier;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class CompositeHttpHeadersWriterTests {
+	@Mock
+	HttpHeadersWriter writer1;
+
+	@Mock
+	HttpHeadersWriter writer2;
+
+	CompositeHttpHeadersWriter writer;
+
+	ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
+
+	@Before
+	public void setup() {
+		writer = new CompositeHttpHeadersWriter(Arrays.asList(writer1, writer2));
+	}
+
+	@Test
+	public void writeHttpHeadersWhenErrorNoErrorThenError() {
+		when(writer1.writeHttpHeaders(exchange)).thenReturn(Mono.error(new RuntimeException()));
+		when(writer2.writeHttpHeaders(exchange)).thenReturn(Mono.empty());
+
+		Mono<Void> result = writer.writeHttpHeaders(exchange);
+
+		StepVerifier.create(result)
+			.expectError()
+			.verify();
+
+		verify(writer1).writeHttpHeaders(exchange);
+		verify(writer2).writeHttpHeaders(exchange);
+	}
+
+	@Test
+	public void writeHttpHeadersWhenErrorErrorThenError() {
+		when(writer1.writeHttpHeaders(exchange)).thenReturn(Mono.error(new RuntimeException()));
+		when(writer2.writeHttpHeaders(exchange)).thenReturn(Mono.error(new RuntimeException()));
+
+		Mono<Void> result = writer.writeHttpHeaders(exchange);
+
+		StepVerifier.create(result)
+			.expectError()
+			.verify();
+
+		verify(writer1).writeHttpHeaders(exchange);
+		verify(writer2).writeHttpHeaders(exchange);
+	}
+
+	@Test
+	public void writeHttpHeadersWhenNoErrorThenNoError() {
+		when(writer1.writeHttpHeaders(exchange)).thenReturn(Mono.empty());
+		when(writer2.writeHttpHeaders(exchange)).thenReturn(Mono.empty());
+
+		Mono<Void> result = writer.writeHttpHeaders(exchange);
+
+		StepVerifier.create(result)
+			.expectComplete()
+			.verify();
+
+		verify(writer1).writeHttpHeaders(exchange);
+		verify(writer2).writeHttpHeaders(exchange);
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/header/HttpHeaderWriterWebFilterTests.java

@@ -0,0 +1,77 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.security.test.web.reactive.server.WebTestHandler;
+import org.springframework.security.test.web.reactive.server.WebTestHandler.WebHandlerResult;
+import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+import reactor.core.publisher.Mono;
+
+/**
+ *
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class HttpHeaderWriterWebFilterTests {
+	@Mock
+	HttpHeadersWriter writer;
+
+	HttpHeaderWriterWebFilter filter;
+
+	@Before
+	public void setup() {
+		when(writer.writeHttpHeaders(any())).thenReturn(Mono.empty());
+		filter = new HttpHeaderWriterWebFilter(writer);
+	}
+
+	@Test
+	public void filterWhenCompleteThenWritten() {
+		WebTestClient rest = WebTestClientBuilder.bindToWebFilters(filter).build();
+
+		rest.get().uri("/foo").exchange();
+
+		verify(writer).writeHttpHeaders(any());
+	}
+
+	@Test
+	public void filterWhenNotCompleteThenNotWritten() {
+		WebTestHandler handler = WebTestHandler.bindToWebFilters(filter);
+
+		WebHandlerResult result = handler.exchange(MockServerHttpRequest.get("/foo"));
+
+		verify(writer, never()).writeHttpHeaders(any());
+
+		result.getExchange().getResponse().setComplete();
+
+		verify(writer).writeHttpHeaders(any());
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/header/StaticHttpHeadersWriterTests.java

@@ -0,0 +1,89 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class StaticHttpHeadersWriterTests {
+
+	StaticHttpHeadersWriter writer = StaticHttpHeadersWriter.builder()
+			.header(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, ContentTypeOptionsHttpHeadersWriter.NOSNIFF)
+			.build();
+
+	ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
+
+	HttpHeaders headers = exchange.getResponse().getHeaders();
+
+	@Test
+	public void writeHeadersWhenSingleHeaderThenWritesHeader() {
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers.get(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS)).containsOnly(ContentTypeOptionsHttpHeadersWriter.NOSNIFF);
+	}
+
+	@Test
+	public void writeHeadersWhenSingleHeaderAndHeaderWrittenThenSuccess() {
+		String headerValue = "other";
+		headers.set(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, headerValue);
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers.get(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS)).containsOnly(headerValue);
+	}
+
+	@Test
+	public void writeHeadersWhenMultiHeaderThenWritesAllHeaders() {
+		writer = StaticHttpHeadersWriter.builder()
+					.header(HttpHeaders.CACHE_CONTROL, CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE)
+					.header(HttpHeaders.PRAGMA,  CacheControlHttpHeadersWriter.PRAGMA_VALUE)
+					.header(HttpHeaders.EXPIRES,  CacheControlHttpHeadersWriter.EXPIRES_VALUE)
+					.build();
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers.get(HttpHeaders.CACHE_CONTROL)).containsOnly(CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE);
+		assertThat(headers.get(HttpHeaders.PRAGMA)).containsOnly(CacheControlHttpHeadersWriter.PRAGMA_VALUE);
+		assertThat(headers.get(HttpHeaders.EXPIRES)).containsOnly(CacheControlHttpHeadersWriter.EXPIRES_VALUE);
+	}
+
+	@Test
+	public void writeHeadersWhenMultiHeaderAndSingleWrittenThenNoHeadersOverridden() {
+		String headerValue = "other";
+		headers.set(HttpHeaders.CACHE_CONTROL, headerValue);
+
+		writer = StaticHttpHeadersWriter.builder()
+					.header(HttpHeaders.CACHE_CONTROL, CacheControlHttpHeadersWriter.CACHE_CONTRTOL_VALUE)
+					.header(HttpHeaders.PRAGMA,  CacheControlHttpHeadersWriter.PRAGMA_VALUE)
+					.header(HttpHeaders.EXPIRES,  CacheControlHttpHeadersWriter.EXPIRES_VALUE)
+					.build();
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(HttpHeaders.CACHE_CONTROL)).containsOnly(headerValue);
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/header/StrictTransportSecurityHttpHeadersWriterTests.java

@@ -0,0 +1,97 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.time.Duration;
+import java.util.Arrays;
+
+import org.junit.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class StrictTransportSecurityHttpHeadersWriterTests {
+	StrictTransportSecurityHttpHeadersWriter hsts = new StrictTransportSecurityHttpHeadersWriter();
+
+	ServerWebExchange exchange;
+
+	@Test
+	public void writeHttpHeadersWhenHttpsThenWrites() {
+		exchange = MockServerHttpRequest.get("https://example.com/").toExchange();
+
+		hsts.writeHttpHeaders(exchange);
+
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		assertThat(headers).hasSize(1);
+		assertThat(headers).containsEntry(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
+				Arrays.asList("max-age=31536000 ; includeSubDomains"));
+	}
+
+	@Test
+	public void writeHttpHeadersWhenCustomMaxAgeThenWrites() {
+		Duration maxAge = Duration.ofDays(1);
+		hsts.setMaxAge(maxAge);
+		exchange = MockServerHttpRequest.get("https://example.com/").toExchange();
+
+		hsts.writeHttpHeaders(exchange);
+
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		assertThat(headers).hasSize(1);
+		assertThat(headers).containsEntry(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
+				Arrays.asList("max-age=" + maxAge.getSeconds() + " ; includeSubDomains"));
+	}
+
+	@Test
+	public void writeHttpHeadersWhenCustomIncludeSubDomainsThenWrites() {
+		hsts.setIncludeSubDomains(false);
+		exchange = MockServerHttpRequest.get("https://example.com/").toExchange();
+
+		hsts.writeHttpHeaders(exchange);
+
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		assertThat(headers).hasSize(1);
+		assertThat(headers).containsEntry(StrictTransportSecurityHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
+				Arrays.asList("max-age=31536000"));
+	}
+
+	@Test
+	public void writeHttpHeadersWhenNullSchemeThenNoHeaders() {
+		exchange = MockServerHttpRequest.get("/").toExchange();
+
+		hsts.writeHttpHeaders(exchange);
+
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		assertThat(headers).isEmpty();
+	}
+
+	@Test
+	public void writeHttpHeadersWhenHttpThenNoHeaders() {
+		exchange = MockServerHttpRequest.get("http://example.com/").toExchange();
+
+		hsts.writeHttpHeaders(exchange);
+
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		assertThat(headers).isEmpty();
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/header/XContentTypeOptionsHttpHeadersWriterTests.java

@@ -0,0 +1,57 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class XContentTypeOptionsHttpHeadersWriterTests {
+
+	ContentTypeOptionsHttpHeadersWriter writer = new ContentTypeOptionsHttpHeadersWriter();
+
+	ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
+
+	HttpHeaders headers = exchange.getResponse().getHeaders();
+
+	@Test
+	public void writeHeadersWhenNoHeadersThenWriteHeaders() {
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS)).containsOnly(ContentTypeOptionsHttpHeadersWriter.NOSNIFF);
+	}
+
+	@Test
+	public void writeHeadersWhenHeaderWrittenThenDoesNotOverrride() {
+		String headerValue = "value";
+		headers.set(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS, headerValue);
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(ContentTypeOptionsHttpHeadersWriter.X_CONTENT_OPTIONS)).containsOnly(headerValue);
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/header/XFrameOptionsHttpHeadersWriterTests.java

@@ -0,0 +1,86 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class XFrameOptionsHttpHeadersWriterTests {
+
+	ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
+
+	XFrameOptionsHttpHeadersWriter writer;
+
+	@Before
+	public void setup() {
+		writer = new XFrameOptionsHttpHeadersWriter();
+	}
+
+	@Test
+	public void writeHeadersWhenUsingDefaultsThenWritesDeny() {
+		writer.writeHttpHeaders(exchange);
+
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly("DENY");
+	}
+
+	@Test
+	public void writeHeadersWhenUsingExplicitDenyThenWritesDeny() {
+		writer.setMode(XFrameOptionsHttpHeadersWriter.Mode.DENY);
+
+		writer.writeHttpHeaders(exchange);
+
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly("DENY");
+	}
+
+	@Test
+	public void writeHeadersWhenUsingSameOriginThenWritesSameOrigin() {
+		writer.setMode(XFrameOptionsHttpHeadersWriter.Mode.SAMEORIGIN);
+
+		writer.writeHttpHeaders(exchange);
+
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly("SAMEORIGIN");
+	}
+
+	@Test
+	public void writeHeadersWhenAlreadyWrittenThenWritesHeader() {
+		String headerValue = "other";
+		exchange.getResponse().getHeaders().set(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS, headerValue);
+
+		writer.writeHttpHeaders(exchange);
+
+		HttpHeaders headers = exchange.getResponse().getHeaders();
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(XFrameOptionsHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly(headerValue);
+	}
+
+}

webflux/src/test/java/org/springframework/security/web/server/header/XXssProtectionHttpHeadersWriterTests.java

@@ -0,0 +1,77 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.header;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.Test;
+import org.springframework.http.HttpHeaders;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class XXssProtectionHttpHeadersWriterTests {
+	ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
+
+	HttpHeaders headers = exchange.getResponse().getHeaders();
+
+	XXssProtectionHttpHeadersWriter writer = new XXssProtectionHttpHeadersWriter();
+
+	@Test
+	public void writeHeadersWhenNoHeadersThenWriteHeaders() {
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("1 ; mode=block");
+	}
+
+	@Test
+	public void writeHeadersWhenBlockFalseThenWriteHeaders() {
+		writer.setBlock(false);
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("1");
+	}
+
+	@Test
+	public void writeHeadersWhenEnabledFalseThenWriteHeaders() {
+		writer.setEnabled(false);
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("0");
+	}
+
+	@Test
+	public void writeHeadersWhenHeaderWrittenThenDoesNotOverrride() {
+		String headerValue = "value";
+		headers.set(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION, headerValue);
+
+		writer.writeHttpHeaders(exchange);
+
+		assertThat(headers).hasSize(1);
+		assertThat(headers.get(XXssProtectionHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly(headerValue);
+	}
+
+}

webflux/src/test/java/org/springframework/security/web/server/util/matcher/AndServerWebExchangeMatcherTests.java

@@ -0,0 +1,116 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.util.matcher;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.web.server.ServerWebExchange;
+
+import java.util.Collections;
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.*;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class AndServerWebExchangeMatcherTests {
+	@Mock
+	ServerWebExchange exchange;
+	@Mock
+	ServerWebExchangeMatcher matcher1;
+	@Mock
+	ServerWebExchangeMatcher matcher2;
+
+	AndServerWebExchangeMatcher matcher;
+
+	@Before
+	public void setUp() throws Exception {
+		matcher = new AndServerWebExchangeMatcher(matcher1, matcher2);
+	}
+
+	@Test
+	public void matchesWhenTrueTrueThenTrue() throws Exception {
+		Map<String, Object> params1 = Collections.singletonMap("foo", "bar");
+		Map<String, Object> params2 = Collections.singletonMap("x", "y");
+		when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params1));
+		when(matcher2.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params2));
+
+		ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
+
+		assertThat(matches.isMatch()).isTrue();
+		assertThat(matches.getVariables()).hasSize(2);
+		assertThat(matches.getVariables()).containsAllEntriesOf(params1);
+		assertThat(matches.getVariables()).containsAllEntriesOf(params2);
+
+		verify(matcher1).matches(exchange);
+		verify(matcher2).matches(exchange);
+	}
+
+	@Test
+	public void matchesWhenFalseFalseThenFalseAndMatcher2NotInvoked() throws Exception {
+		when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
+
+		ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
+
+		assertThat(matches.isMatch()).isFalse();
+		assertThat(matches.getVariables()).isEmpty();
+
+		verify(matcher1).matches(exchange);
+		verify(matcher2, never()).matches(exchange);
+	}
+
+	@Test
+	public void matchesWhenTrueFalseThenFalse() throws Exception {
+		Map<String, Object> params = Collections.singletonMap("foo", "bar");
+		when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params));
+		when(matcher2.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
+
+		ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
+
+		assertThat(matches.isMatch()).isFalse();
+		assertThat(matches.getVariables()).isEmpty();
+
+		verify(matcher1).matches(exchange);
+		verify(matcher2).matches(exchange);
+	}
+
+	@Test
+	public void matchesWhenFalseTrueThenFalse() throws Exception {
+		when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
+
+		ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
+
+		assertThat(matches.isMatch()).isFalse();
+		assertThat(matches.getVariables()).isEmpty();
+
+		verify(matcher1).matches(exchange);
+		verify(matcher2, never()).matches(exchange);
+	}
+
+}

webflux/src/test/java/org/springframework/security/web/server/util/matcher/OrServerWebExchangeMatcherTests.java

@@ -0,0 +1,99 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.util.matcher;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.web.server.ServerWebExchange;
+
+import java.util.Collections;
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class OrServerWebExchangeMatcherTests {
+	@Mock
+	ServerWebExchange exchange;
+	@Mock
+	ServerWebExchangeMatcher matcher1;
+	@Mock
+	ServerWebExchangeMatcher matcher2;
+
+	OrServerWebExchangeMatcher matcher;
+
+	@Before
+	public void setUp() throws Exception {
+		matcher = new OrServerWebExchangeMatcher(matcher1, matcher2);
+	}
+
+	@Test
+	public void matchesWhenFalseFalseThenFalse() throws Exception {
+		when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
+		when(matcher2.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
+
+		ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
+
+		assertThat(matches.isMatch()).isFalse();
+		assertThat(matches.getVariables()).isEmpty();
+
+		verify(matcher1).matches(exchange);
+		verify(matcher2).matches(exchange);
+	}
+
+	@Test
+	public void matchesWhenTrueFalseThenTrueAndMatcher2NotInvoked() throws Exception {
+		Map<String, Object> params = Collections.singletonMap("foo", "bar");
+		when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params));
+
+		ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
+
+		assertThat(matches.isMatch()).isTrue();
+		assertThat(matches.getVariables()).isEqualTo(params);
+
+		verify(matcher1).matches(exchange);
+		verify(matcher2, never()).matches(exchange);
+	}
+
+	@Test
+	public void matchesWhenFalseTrueThenTrue() throws Exception {
+		Map<String, Object> params = Collections.singletonMap("foo", "bar");
+		when(matcher1.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.notMatch());
+		when(matcher2.matches(exchange)).thenReturn(ServerWebExchangeMatcher.MatchResult.match(params));
+
+		ServerWebExchangeMatcher.MatchResult matches = matcher.matches(exchange);
+
+		assertThat(matches.isMatch()).isTrue();
+		assertThat(matches.getVariables()).isEqualTo(params);
+
+		verify(matcher1).matches(exchange);
+		verify(matcher2).matches(exchange);
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/util/matcher/PathMatcherServerWebExchangeMatcherTests.java

@@ -0,0 +1,115 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+package org.springframework.security.web.server.util.matcher;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.when;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.runners.MockitoJUnitRunner;
+import org.springframework.http.HttpMethod;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.mock.http.server.reactive.MockServerHttpResponse;
+import org.springframework.mock.http.server.reactive.MockServerWebExchange;
+import org.springframework.util.PathMatcher;
+import org.springframework.web.server.adapter.DefaultServerWebExchange;
+import org.springframework.web.server.session.DefaultWebSessionManager;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+@RunWith(MockitoJUnitRunner.class)
+public class PathMatcherServerWebExchangeMatcherTests {
+	@Mock
+	PathMatcher pathMatcher;
+	MockServerWebExchange exchange;
+	PathMatcherServerWebExchangeMatcher matcher;
+	String pattern;
+	String path;
+
+	@Before
+	public void setup() {
+		MockServerHttpRequest request = MockServerHttpRequest.post("/path").build();
+		MockServerHttpResponse response = new MockServerHttpResponse();
+		DefaultWebSessionManager sessionManager = new DefaultWebSessionManager();
+		exchange = request.toExchange();
+		pattern = "/pattern";
+		path = "/path";
+
+		matcher = new PathMatcherServerWebExchangeMatcher(pattern);
+		matcher.setPathMatcher(pathMatcher);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorPatternWhenPatternNullThenThrowsException() {
+		new PathMatcherServerWebExchangeMatcher(null);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void constructorPatternAndMethodWhenPatternNullThenThrowsException() {
+		new PathMatcherServerWebExchangeMatcher(null, HttpMethod.GET);
+	}
+
+	@Test
+	public void matchesWhenPathMatcherTrueThenReturnTrue() {
+		when(pathMatcher.match(pattern, path)).thenReturn(true);
+
+		assertThat(matcher.matches(exchange).isMatch()).isTrue();
+	}
+
+	@Test
+	public void matchesWhenPathMatcherFalseThenReturnFalse() {
+		when(pathMatcher.match(pattern, path)).thenReturn(false);
+
+		assertThat(matcher.matches(exchange).isMatch()).isFalse();
+
+		verify(pathMatcher).match(pattern, path);
+	}
+
+	@Test
+	public void matchesWhenPathMatcherTrueAndMethodTrueThenReturnTrue() {
+		matcher = new PathMatcherServerWebExchangeMatcher(pattern, exchange.getRequest().getMethod());
+		matcher.setPathMatcher(pathMatcher);
+		when(pathMatcher.match(pattern, path)).thenReturn(true);
+
+		assertThat(matcher.matches(exchange).isMatch()).isTrue();
+	}
+
+	@Test
+	public void matchesWhenPathMatcherTrueAndMethodFalseThenReturnFalse() {
+		HttpMethod method = HttpMethod.OPTIONS;
+		assertThat(exchange.getRequest().getMethod()).isNotEqualTo(method);
+		matcher = new PathMatcherServerWebExchangeMatcher(pattern, method);
+		matcher.setPathMatcher(pathMatcher);
+
+		assertThat(matcher.matches(exchange).isMatch()).isFalse();
+
+		verifyZeroInteractions(pathMatcher);
+	}
+
+	@Test(expected = IllegalArgumentException.class)
+	public void setPathMatcherWhenNullThenThrowException() {
+		matcher.setPathMatcher(null);
+	}
+}

webflux/src/test/java/org/springframework/security/web/server/util/matcher/ServerWebExchangeMatchersTests.java

@@ -0,0 +1,86 @@
+/*
+ *
+ *  * Copyright 2002-2017 the original author or authors.
+ *  *
+ *  * Licensed under the Apache License, Version 2.0 (the "License");
+ *  * you may not use this file except in compliance with the License.
+ *  * You may obtain a copy of the License at
+ *  *
+ *  *      http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  * Unless required by applicable law or agreed to in writing, software
+ *  * distributed under the License is distributed on an "AS IS" BASIS,
+ *  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  * See the License for the specific language governing permissions and
+ *  * limitations under the License.
+ *
+ */
+
+package org.springframework.security.web.server.util.matcher;
+
+import org.junit.Test;
+import org.springframework.http.HttpMethod;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.web.server.ServerWebExchange;
+
+import static org.assertj.core.api.Assertions.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.antMatchers;
+import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.anyExchange;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class ServerWebExchangeMatchersTests {
+	ServerWebExchange exchange = MockServerHttpRequest.get("/").toExchange();
+
+	@Test
+	public void antMatchersWhenSingleAndSamePatternThenMatches() throws Exception {
+		assertThat(antMatchers("/").matches(exchange).isMatch()).isTrue();
+	}
+
+	@Test
+	public void antMatchersWhenSingleAndSamePatternAndMethodThenMatches() throws Exception {
+		assertThat(antMatchers(HttpMethod.GET, "/").matches(exchange).isMatch()).isTrue();
+	}
+
+	@Test
+	public void antMatchersWhenSingleAndSamePatternAndDiffMethodThenDoesNotMatch() throws Exception {
+		assertThat(antMatchers(HttpMethod.POST, "/").matches(exchange).isMatch()).isFalse();
+	}
+
+	@Test
+	public void antMatchersWhenSingleAndDifferentPatternThenDoesNotMatch() throws Exception {
+		assertThat(antMatchers("/foobar").matches(exchange).isMatch()).isFalse();
+	}
+
+	@Test
+	public void antMatchersWhenMultiThenMatches() throws Exception {
+		assertThat(antMatchers("/foobar", "/").matches(exchange).isMatch()).isTrue();
+	}
+
+	@Test
+	public void anyExchangeWhenMockThenMatches() {
+		ServerWebExchange mockExchange = mock(ServerWebExchange.class);
+
+		assertThat(anyExchange().matches(mockExchange).isMatch()).isTrue();
+
+		verifyZeroInteractions(mockExchange);
+	}
+
+	/**
+	 * If a LinkedMap is used and anyRequest equals anyRequest then the following is added:
+	 * anyRequest() -> authenticated()
+	 * antMatchers("/admin/**") -> hasRole("ADMIN")
+	 * anyRequest() -> permitAll
+	 *
+	 * will result in the first entry being overridden
+	 */
+	@Test
+	public void anyExchangeWhenTwoCreatedThenDifferentToPreventIssuesInMap() {
+		assertThat(anyExchange()).isNotEqualTo(anyExchange());
+	}
+}