With the core Spring WebFlux concepts covered, we will now get into the crux of this chapter; introducing you to Spring Security for Spring WebFlux based reactive web applications.

As seen earlier, Spring Security in Spring MVC web applications is based on ServletFilter, and for Spring WebFlux, it is based on WebFilter:

We saw Spring Security in detail in Spring MVC web applications in previous chapters. We will now look at the inner details of Spring Security authentication for a Spring WebFlux based web application. The following diagram shows the interaction of various classes when an authentication process kicks in for a WebFlux application:

The preceding diagram is quite self-explanatory, and is very similar to what you saw earlier for Spring MVC. The core difference is that ServletFilter is now replaced with WebFilter, and we have reactive-based classes for other blocking classes in Spring MVC. However, the core concepts of Spring Security remain intact with WebFilter dealing with many aspects in the initial authentication process; the core authentication is handled by ReactiveAuthenticationManager and related classes.