authorize-http-requests.adoc 4.0 KB

[[servlet-authorization-authorizationfilter]]
= Authorize ServerHttpRequest

Spring Security provides support for authorizing the incoming HTTP requests.
By default, Spring Security’s authorization will require all requests to be authenticated.
The explicit configuration looks like:

.All Requests Require Authenticated User
[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
	http
		.authorizeExchange((exchanges) -> exchanges
			.anyExchange().authenticated()
		)
		.httpBasic(withDefaults())
		.formLogin(withDefaults());
	return http.build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
	return http {
		authorizeExchange {
			authorize(anyExchange, authenticated)
		}
		formLogin { }
		httpBasic { }
	}
}
----
======
We can configure Spring Security to have different rules by adding more rules in order of precedence.

.Multiple Authorize Requests Rules
[tabs]
======
Java::
+
[source,java,role="primary"]
----
import static org.springframework.security.authorization.AuthorityReactiveAuthorizationManager.hasRole;
// ...

@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
	// @formatter:off
	http
		// ...
		.authorizeExchange((authorize) -> authorize                                  // <1>
			.pathMatchers("/resources/**", "/signup", "/about").permitAll()          // <2>
			.pathMatchers("/admin/**").hasRole("ADMIN")                              // <3>
			.pathMatchers("/db/**").access((authentication, context) ->              // <4>
				hasRole("ADMIN").check(authentication, context)
					.filter(decision -> !decision.isGranted())
					.switchIfEmpty(hasRole("DBA").check(authentication, context))
			)
			.anyExchange().denyAll()                                                 // <5>
		);
	// @formatter:on
	return http.build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
	return http {
		authorizeExchange {                                                          // <1>
			authorize(pathMatchers("/resources/**", "/signup", "/about"), permitAll) // <2>
			authorize("/admin/**", hasRole("ADMIN"))                                 // <3>
			authorize("/db/**", { authentication, context ->                         // <4>
				hasRole("ADMIN").check(authentication, context)
					.filter({ decision -> !decision.isGranted() })
					.switchIfEmpty(hasRole("DBA").check(authentication, context))
			})
			authorize(anyExchange, denyAll)                                          // <5>
		}
		// ...
	}
}
----
======
<1> There are multiple authorization rules specified.
Each rule is considered in the order it was declared.
<2> We specified multiple URL patterns that any user can access.
Specifically, any user can access a request if the URL starts with "/resources/", equals "/signup", or equals "/about".
<3> Any URL that starts with "/admin/" will be restricted to users who have the authority "ROLE_ADMIN".
You will notice that since we are invoking the `hasRole` method we do not need to specify the "ROLE_" prefix.
<4> Any URL that starts with "/db/" requires the user to have both "ROLE_ADMIN" and "ROLE_DBA".
This demonstrates the flexibility of providing a custom `ReactiveAuthorizationManager`, allowing us to implement arbitrary authorization logic.
For simplicity, the sample uses a lambda and delegates to the existing `AuthorityReactiveAuthorizationManager.hasRole` implementation.
However, in a real-world situation applications would likely implement the logic in a proper class implementing `ReactiveAuthorizationManager`.
<5> Any URL that has not already been matched is denied access.
This is a good strategy if you do not want to accidentally forget to update your authorization rules.
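Callout <4> recommends moving the "both roles required" logic out of the lambda and into a proper `ReactiveAuthorizationManager` class. The following is an added example, not code from the Spring Security reference or project: a hypothetical `AllRolesAuthorizationManager` that grants access only when the caller holds every listed role, wired into the `/db/**` rule of a minimal filter chain. It assumes Spring Security's reactive support and Project Reactor are on the classpath (Java 17 or later, as Spring Security 6 requires); the class name, the bean method name and the `/db/**` pattern are illustrative.

```java
import java.util.Arrays;
import java.util.List;

import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorityReactiveAuthorizationManager;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;

/**
 * Grants access only when the authenticated user holds every one of the
 * configured roles. Hypothetical class written for this example; it is not
 * part of Spring Security. Each role is checked by delegating to the existing
 * AuthorityReactiveAuthorizationManager.hasRole, exactly as the lambda in the
 * reference sample does, so the "ROLE_" prefix is still added for you.
 */
public final class AllRolesAuthorizationManager
		implements ReactiveAuthorizationManager<AuthorizationContext> {

	private final List<AuthorityReactiveAuthorizationManager<AuthorizationContext>> delegates;

	public AllRolesAuthorizationManager(String... roles) {
		if (roles.length == 0) {
			// An empty role list would silently grant everyone; fail loudly instead.
			throw new IllegalArgumentException("at least one role is required");
		}
		this.delegates = Arrays.stream(roles)
				.map(AuthorityReactiveAuthorizationManager::<AuthorizationContext>hasRole)
				.toList();
	}

	@Override
	public Mono<AuthorizationDecision> check(Mono<Authentication> authentication,
			AuthorizationContext context) {
		// Cache the Authentication so every delegate sees the same resolved principal
		// rather than re-subscribing to the (possibly expensive) upstream lookup.
		Mono<Authentication> cached = authentication.cache();
		return Flux.fromIterable(this.delegates)
				// Evaluate delegates one at a time, in declaration order.
				.concatMap((delegate) -> delegate.check(cached, context))
				// all() emits false and cancels on the first denial; true only if every
				// delegate granted. hasRole's check always emits a decision, so an
				// anonymous or unauthenticated caller is denied rather than left hanging.
				.all(AuthorizationDecision::isGranted)
				.map(AuthorizationDecision::new);
	}

}

/**
 * Minimal filter chain using the manager above. Because exchange rules are
 * evaluated in the order they are declared, the narrow "/db/**" rule comes
 * first and the catch-all denyAll comes last.
 */
@Configuration
@EnableWebFluxSecurity
class DbSecurityConfig {

	@Bean
	SecurityWebFilterChain dbFilterChain(ServerHttpSecurity http) {
		http
			.authorizeExchange((authorize) -> authorize
				// Requires both ROLE_ADMIN and ROLE_DBA on the same principal.
				.pathMatchers("/db/**").access(new AllRolesAuthorizationManager("ADMIN", "DBA"))
				// Anything not matched above is denied, as in callout <5>.
				.anyExchange().denyAll()
			);
		return http.build();
	}

}
```

Putting the rule in a named class keeps the filter chain readable and makes the requirement testable in isolation: a unit test can call `check` with a constructed `Authentication` carrying `ROLE_ADMIN` alone, `ROLE_DBA` alone, and both, and assert on `isGranted()` without spinning up a web server.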