Security with Spring Security and Spring Webflux
Last Updated :
07 Jun, 2024
Spring WebFlux is a part of the Spring Framework that supports reactive programming, enabling non-blocking asynchronous request handling. When developing web applications with Spring WebFlux, securing the application is a crucial aspect to ensure unauthorized access is prevented. This article provides a comprehensive example of integrating Spring Security with Spring WebFlux to secure web applications.
Spring Security provides a robust framework for securing Java applications, including support for authentication and authorization. Integrating Spring Security with Spring WebFlux involves configuring security filters, defining user roles, and setting up authentication mechanisms such as form login and basic authentication.
Implementation of Security with Spring Security and Spring WebFlux
Below are the implementation steps to secure the Spring WebFlux application with Spring Security.
Step 1: Create the Spring Project
Create a new Spring Boot project using Spring Initializr and add required dependencies,
- Spring Reactive Web
- Spring Security
- Lombok
- Spring DevTools
After the project creation done, the folder structure will be like below:.
Step 2: Configure the Application properties
Open the application.properties file and add the configuration for the application name and server port.
spring.application.name=spring-webflux-security
server.port=8080
Step 3: Create the Security Configuration class.
Now, we will create the SecurityConfig class to configure Spring Security. Go src > org.example.springwebfluxsecurity > SecurityConfig and put the below code.
Java
package org.example.springwebfluxsecurity;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.server.SecurityWebFilterChain;
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.pathMatchers("/public/**").permitAll()
.anyExchange().authenticated()
.and()
.httpBasic()
.and()
.formLogin();
return http.build();
}
@Bean
public MapReactiveUserDetailsService userDetailsService() {
UserDetails user = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new MapReactiveUserDetailsService(user);
}
}
Step 4: Create the Controller class.
We will create one controller class named HomeController, that will create the secure REST API. Go src > org.example.springwebfluxsecurity > HomeController and add the below code.
Java
package org.example.springwebfluxsecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Mono;
@RestController
public class HelloController {
@GetMapping("/public/hello")
public Mono<String> publicHello() {
return Mono.just("Hello, this is a public endpoint!");
}
@GetMapping("/private/hello")
public Mono<String> privateHello() {
return Mono.just("Hello, this is a private endpoint!");
}
}
Step 5: Main Class(No Changes are required)
Go src > org.example.springwebfluxsecurity > SpringWebFluxSecurityApplication and see the below code.
Java
package org.example.springwebfluxsecurity;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class SpringWebfluxSecurityApplication {
public static void main(String[] args) {
SpringApplication.run(SpringWebfluxSecurityApplication.class, args);
}
}
Step 6: Run the Application
Now, we will run our application and it will start at port 8080.
Step 7: Testing the Application
Public Endpoint:
http://localhost:8080/public/hello
Output:
Private Endpoint:
http://localhost:8080/private/hello
Output:
Once we enter the user credentials of the application then it redirects to the private endpoint.
Similar Reads
Securing a Spring MVC Application with Spring Security
Securing web applications is crucial in today's world, where security threats are prevalent. Spring Security is a powerful, customizable authentication and access-control framework that is part of the larger Spring ecosystem. It helps secure Spring MVC applications by managing authentication, author
6 min read
Spring Cloud Gateway with Spring WebFlux
Spring Cloud Gateway is the library that allows you to build API gateways on top of Spring WebFlux. It provides a simple and effective way to route requests, apply filters, and manage cross-cutting concerns reactively. This article will guide you through demonstrating how to set up Spring Cloud Gate
5 min read
Testing Spring Security Auth with JUnit
Here we are going to learn how to use InMemoryDaoImpl to verify Spring security authentication using a JUnit test case and how to programmatically create a fully complete authentication object and then utilize it in an application. SecurityContextHolder: Spring security is built on the concept of a
4 min read
Spring Security Integration with Spring Boot
Spring Security is a powerful and customizable authentication and access control framework for Java applications. It provides comprehensive security services for Java EE-based enterprise software applications. This article will integrate Spring Security with a Spring Boot application, covering confi
5 min read
Control the Session with Spring Security
Spring Security is a scalable authentication control system, the de facto standard for protecting Spring-based applications. One of the main features is its consistency management capability which is important for the state between HTTP client and HTTP server. Proper session management is essential
4 min read
Securing REST APIs with Spring Security
In Spring Boot applications, securing the REST APIs is a critical aspect of developing secure and robust applications. REST APIs are commonly used to expose functionalities to external systems, mobile applications, and web applications. Without proper security measures, these APIs can become targets
8 min read
Spring WebFlux REST Application Integration with Spring Data R2DBC
Spring WebFlux is the framework from the Spring ecosystem that supports reactive programming for building asynchronous and non-blocking web applications. Unlike the traditional Spring MVC, which can use the blocking I/O. WebFlux can be designed to handle large volumes of requests using fewer resourc
4 min read
How to Integrate Keycloak with Spring Boot and Spring Security?
Keycloak is Open Source Identity and Access Management (IAM) solution developed by Red Hat. By using this you can add authentication to applications and secure services with minimum effort. No need to deal with storing users or authenticating users. Keycloak provides user federation, strong authenti
2 min read
Difference Between Spring MVC and Spring WebFlux
Spring MVCSpring MVC Framework takes on the Model-View-Controller design pattern, which moves around the Dispatcher Servlet, also called the Front Controller. With the help of annotations like @Controller and @RequestMapping, the by-default handler becomes a robust(strong) tool with a diverse set of
5 min read
Securing Spring Boot API With API Key and Secret
In Web applications, securing the APIs is critical. One of the common methods of securing the APIs is by using API keys and secrets. This ensures that only the authorized clients can access the API endpoints. This article can guide you through the process of securing the Spring Boot API using the AP
6 min read