In the Spring Security configuration, we tweak the springSecurityFilterChain bean, as shown in the following code snippet:
```java
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    // Authenticates against the in-memory user store and, on success, hands the
    // result to the JWT success handler, which issues the token to the client.
    AuthenticationWebFilter authenticationJWT = new AuthenticationWebFilter(
            new UserDetailsRepositoryReactiveAuthenticationManager(userDetailsRepository()));
    authenticationJWT.setAuthenticationSuccessHandler(new JWTAuthSuccessHandler());

    // CSRF protection is disabled for this token-based API.
    http.csrf().disable();
    http
        .authorizeExchange()
            .pathMatchers(WHITELISTED_AUTH_URLS)
            .permitAll()
        .and()
        .addFilterAt(authenticationJWT, SecurityWebFiltersOrder.FIRST)
        .authorizeExchange()
            // Method-level rules: any USER may read movies, only ADMIN may create them;
            // everything else requires an authenticated principal.
            .pathMatchers(HttpMethod.GET, "/api/movie/**").hasRole("USER")
            .pathMatchers(HttpMethod.POST, "/api/movie/**").hasRole("ADMIN")
            .anyExchange().authenticated()
        .and()
        // Validates the JWT on subsequent requests, in the slot normally used by HTTP Basic.
        .addFilterAt(new JWTAuthWebFilter(), SecurityWebFiltersOrder.HTTP_BASIC);
    return http.build();
}
```
As you can see, we have a new AuthenticationWebFilter and an AuthenticationSuccessHandler configured. We also have a new JWTAuthWebFilter class configured for handling JWT-based authentication.
We will be using a ReactiveUserDetailsService (here the MapReactiveUserDetailsService implementation) with hardcoded user credentials for testing, as shown in the following code snippet:
```java
@Bean
public MapReactiveUserDetailsService userDetailsRepository() {
    // {noop} selects the no-op password encoder, i.e. the password is stored and
    // compared in plain text; suitable only for this hardcoded test setup.
    UserDetails user = User.withUsername("user").password("{noop}password").roles("USER").build();
    UserDetails admin = User.withUsername("admin").password("{noop}password").roles("USER", "ADMIN").build();
    return new MapReactiveUserDetailsService(user, admin);
}
```
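As an added example that is not part of the original code, the following WebFlux test verifies the authorization rules of the filter chain above using spring-security-test's `mockUser()` mutator instead of a real token. It assumes JUnit 5, that the `/api/movie` endpoints exist and answer 2xx to authorized callers, and that JWTAuthWebFilter lets a request without a token pass through so the mock principal is what the access rules see.

```java
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockUser;
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.ApplicationContext;
import org.springframework.test.web.reactive.server.WebTestClient;

@SpringBootTest
class MovieAuthorizationRulesTest {

    @Autowired
    private ApplicationContext context;

    private WebTestClient client;

    @BeforeEach
    void setUp() {
        // Bind to the whole context so springSecurityFilterChain is applied to every request.
        client = WebTestClient.bindToApplicationContext(context)
                .apply(springSecurity())
                .configureClient()
                .build();
    }

    @Test
    void anonymousRequestIsRejected() {
        // No principal at all: anyExchange().authenticated() must refuse the request.
        client.get().uri("/api/movie/1").exchange()
              .expectStatus().isUnauthorized();
    }

    @Test
    void userMayReadButNotWrite() {
        // Assumed endpoint paths; the rules match GET vs POST under /api/movie/**.
        WebTestClient asUser = client.mutateWith(mockUser("user").roles("USER"));
        asUser.get().uri("/api/movie/1").exchange().expectStatus().is2xxSuccessful();
        // POST needs ADMIN; no CSRF token is required because csrf() is disabled.
        asUser.post().uri("/api/movie").exchange().expectStatus().isForbidden();
    }

    @Test
    void adminMayWrite() {
        client.mutateWith(mockUser("admin").roles("USER", "ADMIN"))
              .post().uri("/api/movie").exchange()
              .expectStatus().is2xxSuccessful();
    }
}
```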