001/* 002 * Copyright 2012-2018 the original author or authors. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016 017package org.springframework.boot.actuate.autoconfigure.security.reactive; 018 019import org.springframework.boot.actuate.autoconfigure.endpoint.web.WebEndpointAutoConfiguration; 020import org.springframework.boot.actuate.autoconfigure.health.HealthEndpointAutoConfiguration; 021import org.springframework.boot.actuate.autoconfigure.info.InfoEndpointAutoConfiguration; 022import org.springframework.boot.actuate.health.HealthEndpoint; 023import org.springframework.boot.actuate.info.InfoEndpoint; 024import org.springframework.boot.autoconfigure.AutoConfigureAfter; 025import org.springframework.boot.autoconfigure.AutoConfigureBefore; 026import org.springframework.boot.autoconfigure.EnableAutoConfiguration; 027import org.springframework.boot.autoconfigure.condition.ConditionalOnClass; 028import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; 029import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication; 030import org.springframework.boot.autoconfigure.security.oauth2.client.reactive.ReactiveOAuth2ClientAutoConfiguration; 031import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration; 032import org.springframework.context.annotation.Bean; 033import org.springframework.context.annotation.Configuration; 034import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity; 035import org.springframework.security.config.web.server.ServerHttpSecurity; 036import org.springframework.security.web.server.SecurityWebFilterChain; 037import org.springframework.security.web.server.WebFilterChainProxy; 038 039/** 040 * {@link EnableAutoConfiguration Auto-configuration} for Reactive Spring Security when 041 * actuator is on the classpath. Specifically, it permits access to the health and info 042 * endpoints while securing everything else. 043 * 044 * @author Madhura Bhave 045 * @since 2.1.0 046 */ 047@Configuration 048@ConditionalOnClass({ EnableWebFluxSecurity.class, WebFilterChainProxy.class }) 049@ConditionalOnMissingBean({ SecurityWebFilterChain.class, WebFilterChainProxy.class }) 050@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE) 051@AutoConfigureBefore(ReactiveSecurityAutoConfiguration.class) 052@AutoConfigureAfter({ HealthEndpointAutoConfiguration.class, 053 InfoEndpointAutoConfiguration.class, WebEndpointAutoConfiguration.class, 054 ReactiveOAuth2ClientAutoConfiguration.class }) 055public class ReactiveManagementWebSecurityAutoConfiguration { 056 057 @Bean 058 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { 059 return http.authorizeExchange() 060 .matchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class)) 061 .permitAll().anyExchange().authenticated().and().httpBasic().and() 062 .formLogin().and().build(); 063 } 064 065}