Add Multiple Filter Chains Docs

Closes gh-9178
5 years ago · 69336fb3ec
1 changed files with 56 additions and 1 deletions
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc
@ -125,5 +125,60 @@ class HelloWebfluxSecurityConfig {
				@@ -125,5 +125,60 @@ class HelloWebfluxSecurityConfig {
 This configuration explicitly sets up all the same things as our minimal configuration.
 From here you can easily make the changes to the defaults.

-You can find more examples of explicit configuration in unit tests, by searching https://github.com/spring-projects/spring-security/search?q=path%3Aconfig%2Fsrc%2Ftest%2F+EnableWebFluxSecurity[EnableWebFluxSecurity in the `config/src/test/` directory], e.g. https://github.com/spring-projects/spring-security/blob/9cf3129d7afa2abb439aba6aadfee0a2c8c784bf/config/src/test/java/org/springframework/security/config/annotation/web/reactive/EnableWebFluxSecurityTests.java#L349-L366[MultiSecurityHttpConfig] illustrating multiple `SecurityWebFilterChain` beans.
+You can find more examples of explicit configuration in unit tests, by searching https://github.com/spring-projects/spring-security/search?q=path%3Aconfig%2Fsrc%2Ftest%2F+EnableWebFluxSecurity[EnableWebFluxSecurity in the `config/src/test/` directory].
+
+[[jc-webflux-multiple-filter-chains]]
+=== Multiple chains support
+
+We can configure multiple `SecurityWebFilterChain` instances.
+
+For example, the following is an example of having a specific configuration for URL's that start with `/api/`. This overrides the form login configuration with lower precedence.
+
+[source,java]
+----
+	@EnableWebFluxSecurity
+	@Import(ReactiveAuthenticationTestConfiguration.class)
+	static class MultiSecurityHttpConfig {
+
+		@Order(Ordered.HIGHEST_PRECEDENCE)                                                      <1>
+		@Bean
+		SecurityWebFilterChain apiHttpSecurity(ServerHttpSecurity http) {
+			http
+                    .securityMatcher(new PathPatternParserServerWebExchangeMatcher("/api/**"))  <2>
+                    .authorizeExchange()
+					    .anyExchange().denyAll();
+			return http.build();
+		}
+
+		@Bean
+    	SecurityWebFilterChain webFormHttpSecurity(ServerHttpSecurity http) {                   <3>
+            http
+                .authorizeExchange((exchanges) ->
+                    exchanges
+                        .pathMatchers("/login").permitAll()
+                        .anyExchange().authenticated()
+                )
+                .httpBasic(withDefaults())
+                .formLogin((formLogin) ->                                                       <4>
+                    formLogin
+                        .loginPage("/login")
+                );
+		    return http.build();
+	    }
+
+        @Bean
+    	public static ReactiveUserDetailsService userDetailsService() {
+    		return new MapReactiveUserDetailsService(PasswordEncodedUser.user(), PasswordEncodedUser.admin());
+    	}
+
+	}
+
+----
+
+<1> Configure a SecurityWebFilterChain with an `@Order` to specify which `SecurityWebFilterChain` should be considered first
+<2> The `PathPatternParserServerWebExchangeMatcher` states that this `SecurityWebFilterChain` will only be applicable to URLs that start with `/api/`
+<3> Create another instance of `SecurityWebFilterChain` with lower precedence.
+<4> Some configurations applies to all path matchers within the `webFormHttpSecurity` but not to `apiHttpSecurity` `SecurityWebFilterChain`.
+
+If the URL does not start with `/api/` the `webFormHttpSecurity` configuration will be used.