Assuming you put this bean in a class annotated with @Configuration and @EnableWebFluxSecurity, your problem seems to be that you did not disable csrf, which Spring Security configures by default.
You can do that with the following:
    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange().pathMatchers("/**").authenticated()
            .and()
            .httpBasic().disable()
            .csrf().disable() // Disable csrf
            .securityContextRepository(webSessionServerSecurityContextRepository())
            .addFilterAfter(new AuthenticationWebFilter(bearerTokenAuthenticationManager()),
                SecurityWebFiltersOrder.REACTOR_CONTEXT)
            .build();
    }
In addition, you have to configure the AuthenticationWebFilter correctly. An AuthenticationWebFilter has the following dependencies:

...most of them are provided by default as HttpBasic deps (copied and pasted from the Spring Security source code):
private final ReactiveAuthenticationManagerResolver authenticationManagerResolver;
private ServerAuthenticationSuccessHandler authenticationSuccessHandler = new WebFilterChainServerAuthenticationSuccessHandler();
private ServerAuthenticationConverter authenticationConverter = new ServerHttpBasicAuthenticationConverter();
private ServerAuthenticationFailureHandler authenticationFailureHandler = new ServerAuthenticationEntryPointFailureHandler(new HttpBasicServerAuthenticationEntryPoint());
private ServerSecurityContextRepository securityContextRepository = NoOpServerSecurityContextRepository.getInstance(); // Stateless session
private ServerWebExchangeMatcher requiresAuthenticationMatcher = ServerWebExchangeMatchers.anyExchange();
You could set whatever you want with the setter methods of AuthenticationWebFilter. An AuthenticationWebFilter has the following logic:

So depending on the case you have to configure one dependency or another. You can see a complete example of how Authentication and Authorization work in my repo: https://github.com/soasada/kotlin-coroutines-webflux-security (it is in Kotlin, but for this case it is the same)
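An added example, not taken from the answer above or its linked repository: the AuthenticationWebFilter setters used to replace the HttpBasic defaults with a stateless bearer-token setup, where no session or cookie carries the credential, so disabling csrf does not remove a protection the API relies on. TokenVerifier, the ROLE_USER authority and the class name are assumptions, and the chained DSL follows the Spring Security 5.x style used in the answer.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.*;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
class BearerSecurityConfig {
    // Hypothetical interface (assumption): emits the subject of a valid token, empty otherwise.
    interface TokenVerifier { Mono<String> subjectOf(String token); }
    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http, TokenVerifier verifier) {
        // An unknown token must fail authentication, not silently complete empty.
        ReactiveAuthenticationManager manager = auth -> verifier
            .subjectOf((String) auth.getCredentials())
            .switchIfEmpty(Mono.error(new BadCredentialsException("invalid token")))
            .map(sub -> new UsernamePasswordAuthenticationToken(
                sub, null, AuthorityUtils.createAuthorityList("ROLE_USER")));
        // Replaces the default ServerHttpBasicAuthenticationConverter; empty means "no attempt".
        ServerAuthenticationConverter bearer = exchange -> Mono
            .justOrEmpty(exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION))
            .filter(h -> h.startsWith("Bearer "))
            .map(h -> new UsernamePasswordAuthenticationToken("bearer", h.substring(7)));
        HttpStatusServerEntryPoint unauthorized = new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED);
        AuthenticationWebFilter filter = new AuthenticationWebFilter(manager);
        filter.setServerAuthenticationConverter(bearer);
        // Stateless: the authenticated context is never written to a WebSession.
        filter.setSecurityContextRepository(NoOpServerSecurityContextRepository.getInstance());
        filter.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(unauthorized));
        return http
            .authorizeExchange().pathMatchers("/**").authenticated().and()
            .httpBasic().disable()
            .csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorized).and()
            .addFilterAt(filter, SecurityWebFiltersOrder.AUTHENTICATION)
            .build();
    }
}
```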