Similar to authentication, the core concepts, in regard to authorization remains similar to what we have seen earlier in Spring MVC. However, the classes performing the operation have changed, and are, reactive and non-blocking. The following diagram shows the authorization-related main classes and their interactions in a Spring WebFlux application:

As we all know by now, Spring WebFlux security works on WebFilter, and AuthorizationWebFilter intercepts the request and uses ReactiveAuthorizationManager to check whether the Authentication object has access to a protected resource. ReactiveAuthorizationManager has two methods, namely, check (checks whether access is granted to an Authentication object) and verify (checks whether access has to be granted for an Authentication object). In the event of any exception, ExceptionTranslationWebFilter takes care of handling this by following the appropriate paths.