Configuring Web Security in Spring Web and Spring WebFlux with Spring Boot 3.x and Java 17


Our team is proactively working on the upgrade to Spring Boot 3.x and Java 17. This post shows how to migrate the web security configuration in both Spring Web and Spring WebFlux.

Securing web applications is a critical aspect of modern software development. In Spring applications, configuring web security is made easy with the powerful Spring Security framework. With the release of Spring Boot 3.x and Java 17, developers can leverage the latest features and improvements for building secure web applications. This guide will demonstrate how to configure web security in both Spring Web and Spring WebFlux applications using Spring Security with Spring Boot 3.x and Java 17.

Configuring Web Security in Spring Web


import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
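        return http
                // Start a new session on authentication so a pre-set session ID cannot be reused (session fixation)
                .sessionManagement(s -> s.sessionFixation().newSession())
                // Bearer-token API: the browser-oriented mechanisms below are switched off
                .httpBasic(AbstractHttpConfigurer::disable)
                .cors(AbstractHttpConfigurer::disable)
                // CSRF protection is off; keep it off only while no endpoint relies on cookie or session authentication
                .csrf(AbstractHttpConfigurer::disable)
                .logout(AbstractHttpConfigurer::disable)
                .formLogin(AbstractHttpConfigurer::disable)
                // Only GET on this one path is public; every other request must be authenticated
                .authorizeHttpRequests(requests -> requests.requestMatchers(
                        new AntPathRequestMatcher("/paths/public/access", "GET")
                ).permitAll().anyRequest().authenticated())
                // Authenticate requests by validating the JWT bearer token they carry
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults())).build();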
    }
}
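
A regression test for the servlet filter chain above, added here as an example and not code from the original post. It assumes `spring-boot-starter-test` and `spring-security-test` are on the test classpath and that the test sits in the same package as `WebSecurityConfig`, under the application's `@SpringBootApplication` class; the `Probe` controller, the `/paths/private` path and the `JwtDecoder` stub are constructed for the test.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@WebMvcTest
@Import({WebSecurityConfig.class, WebSecurityConfigTest.Stubs.class, WebSecurityConfigTest.Probe.class})
class WebSecurityConfigTest {

    @Autowired MockMvc mvc;

    @TestConfiguration
    static class Stubs {
        // Constructed decoder: rejects every token, so no issuer or key is needed offline
        @Bean JwtDecoder jwtDecoder() {
            return token -> { throw new BadJwtException("constructed test decoder"); };
        }
    }

    @RestController // hypothetical endpoints, present only so permitted requests return 200
    static class Probe {
        @GetMapping({"/paths/public/access", "/paths/private"})
        String ok() { return "ok"; }
    }

    @Test void publicPathIsOpenForGetOnly() throws Exception {
        mvc.perform(get("/paths/public/access")).andExpect(status().isOk());
        mvc.perform(post("/paths/public/access")).andExpect(status().isUnauthorized());
    }

    @Test void everythingElseNeedsAValidJwt() throws Exception {
        mvc.perform(get("/paths/private")).andExpect(status().isUnauthorized());
        mvc.perform(get("/paths/private").header("Authorization", "Bearer not-a-jwt"))
                .andExpect(status().isUnauthorized());
        mvc.perform(get("/paths/private").with(jwt())).andExpect(status().isOk());
    }
}
```

The `POST` assertion is the one that catches a matcher that lost its HTTP method during migration and opened the path to every verb.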

Configuring Web Security in Spring WebFlux


import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

import static org.springframework.http.HttpMethod.GET;
import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebFluxSecurity
public class WebSecurityConfig {

	@Bean
	SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
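		return http
				// Bearer-token API: the browser-oriented mechanisms are switched off, CSRF protection included
				.httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
				.cors(ServerHttpSecurity.CorsSpec::disable)
				.csrf(ServerHttpSecurity.CsrfSpec::disable)
				.logout(ServerHttpSecurity.LogoutSpec::disable)
				.formLogin(ServerHttpSecurity.FormLoginSpec::disable)
				// Only GET on this one path is public; every other exchange must be authenticated
				.authorizeExchange((authorize) -> authorize
						.pathMatchers(GET,
								"/paths/public/access")
						.permitAll()
						.anyExchange().authenticated()
				)
				// Authenticate exchanges by validating the JWT bearer token they carry
				.oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))
				.build();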
	}

}

Define security rules: use the ServerHttpSecurity object, as you would when configuring rules for Spring Web applications, to specify URL patterns, access permissions, and authentication mechanisms.

OAuth 2 Resource Server with JWT

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
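          # Left empty in this post; set to the location of the public key used to verify JWT signatures
          public-key-location: ""
          # Left empty in this post; set to your authorization server's issuer URI
          issuer-uri: ""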

Conclusion

Configuring web security in Spring Web and Spring WebFlux applications with Spring Boot 3.x and Java 17 is straightforward with Spring Security. By following the guidelines outlined in this guide, you can effectively secure your web applications against unauthorized access and protect sensitive resources. Whether you're building traditional servlet-based applications or reactive applications, Spring Security provides the necessary tools and flexibility to meet your security requirements.
