Support nested builder in DSL for reactive apps

Fixes: gh-7107
7 years ago · a288ce4b00
27 changed files with 1991 additions and 205 deletions
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -32,6 +32,7 @@ import java.util.UUID;
 import java.util.function.Function;
 import java.util.function.Supplier;
 import org.springframework.security.config.Customizer;
 import reactor.core.publisher.Mono;
 import reactor.util.context.Context;
@ -394,6 +395,48 @@ public class ServerHttpSecurity {
 		return this.httpsRedirectSpec;
 	}
 	/**
 	 * Configures HTTPS redirection rules. If the default is used:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 * 	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 	 * 	    http
 	 * 	        // ...
 	 * 	        .redirectToHttps(withDefaults());
 	 * 	    return http.build();
 	 * 	}
 	 * </pre>
 	 *
 	 * Then all non-HTTPS requests will be redirected to HTTPS.
 	 *
 	 * Typically, all requests should be HTTPS; however, the focus for redirection can also be narrowed:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 * 	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 * 	    http
 	 * 	        // ...
 	 * 	        .redirectToHttps(redirectToHttps ->
 	 * 	        	redirectToHttps
 	 * 	            	.httpsRedirectWhen(serverWebExchange ->
 	 * 	            		serverWebExchange.getRequest().getHeaders().containsKey("X-Requires-Https"))
 	 * 	            );
 	 * 	    return http.build();
 	 * 	}
 	 * </pre>
 	 *
 	 * @param httpsRedirectCustomizer the {@link Customizer} to provide more options for
 	 * the {@link HttpsRedirectSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity redirectToHttps(Customizer<HttpsRedirectSpec> httpsRedirectCustomizer) throws Exception {
 		this.httpsRedirectSpec = new HttpsRedirectSpec();
 		httpsRedirectCustomizer.customize(this.httpsRedirectSpec);
 		return this;
 	}
 	/**
 	 * Configures <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet">CSRF Protection</a>
 	 * which is enabled by default. You can disable it using:
@ -436,6 +479,56 @@ public class ServerHttpSecurity {
 		return this.csrf;
 	}
 	/**
 	 * Configures <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet">CSRF Protection</a>
 	 * which is enabled by default. You can disable it using:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .csrf(csrf ->
 	 *              csrf.disabled()
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * Additional configuration options can be seen below:
 	 *
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .csrf(csrf ->
 	 *              csrf
 	 *                  // Handle CSRF failures
 	 *                  .accessDeniedHandler(accessDeniedHandler)
 	 *                  // Custom persistence of CSRF Token
 	 *                  .csrfTokenRepository(csrfTokenRepository)
 	 *                  // custom matching when CSRF protection is enabled
 	 *                  .requireCsrfProtectionMatcher(matcher)
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param csrfCustomizer the {@link Customizer} to provide more options for
 	 * the {@link CsrfSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity csrf(Customizer<CsrfSpec> csrfCustomizer) throws Exception {
 		if (this.csrf == null) {
 			this.csrf = new CsrfSpec();
 		}
 		csrfCustomizer.customize(this.csrf);
 		return this;
 	}
 	/**
 	 * Configures CORS headers. By default if a {@link CorsConfigurationSource} Bean is found, it will be used
 	 * to create a {@link CorsWebFilter}. If {@link CorsSpec#configurationSource(CorsConfigurationSource)} is invoked
@ -449,6 +542,24 @@ public class ServerHttpSecurity {
 		return this.cors;
 	}
 	/**
 	 * Configures CORS headers. By default if a {@link CorsConfigurationSource} Bean is found, it will be used
 	 * to create a {@link CorsWebFilter}. If {@link CorsSpec#configurationSource(CorsConfigurationSource)} is invoked
 	 * it will be used instead. If neither has been configured, the Cors configuration will do nothing.
 	 *
 	 * @param corsCustomizer the {@link Customizer} to provide more options for
 	 * the {@link CorsSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity cors(Customizer<CorsSpec> corsCustomizer) throws Exception {
 		if (this.cors == null) {
 			this.cors = new CorsSpec();
 		}
 		corsCustomizer.customize(this.cors);
 		return this;
 	}
 	/**
 	 * Enables and Configures anonymous authentication. Anonymous Authentication is disabled by default.
 	 *
@ -473,6 +584,36 @@ public class ServerHttpSecurity {
 		return this.anonymous;
 	}
 	/**
 	 * Enables and Configures anonymous authentication. Anonymous Authentication is disabled by default.
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .anonymous(anonymous ->
 	 *              anonymous
 	 *                  .key("key")
 	 *                  .authorities("ROLE_ANONYMOUS")
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param anonymousCustomizer the {@link Customizer} to provide more options for
 	 * the {@link AnonymousSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity anonymous(Customizer<AnonymousSpec> anonymousCustomizer) throws Exception {
 		if (this.anonymous == null) {
 			this.anonymous = new AnonymousSpec();
 		}
 		anonymousCustomizer.customize(this.anonymous);
 		return this;
 	}
 	/**
 	 * Configures CORS support within Spring Security. This ensures that the {@link CorsWebFilter} is place in the
 	 * correct order.
@ -560,6 +701,38 @@ public class ServerHttpSecurity {
 		return this.httpBasic;
 	}
 	/**
 	 * Configures HTTP Basic authentication. An example configuration is provided below:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .httpBasic(httpBasic ->
 	 *              httpBasic
 	 *                  // used for authenticating the credentials
 	 *                  .authenticationManager(authenticationManager)
 	 *                  // Custom persistence of the authentication
 	 *                  .securityContextRepository(securityContextRepository)
 	 *              );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param httpBasicCustomizer the {@link Customizer} to provide more options for
 	 * the {@link HttpBasicSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity httpBasic(Customizer<HttpBasicSpec> httpBasicCustomizer) throws Exception {
 		if (this.httpBasic == null) {
 			this.httpBasic = new HttpBasicSpec();
 		}
 		httpBasicCustomizer.customize(this.httpBasic);
 		return this;
 	}
 	/**
 	 * Configures form based authentication. An example configuration is provided below:
 	 *
@ -590,6 +763,42 @@ public class ServerHttpSecurity {
 		return this.formLogin;
 	}
 	/**
 	 * Configures form based authentication. An example configuration is provided below:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .formLogin(formLogin ->
 	 *              formLogin
 	 *              	// used for authenticating the credentials
 	 *              	.authenticationManager(authenticationManager)
 	 *              	// Custom persistence of the authentication
 	 *              	.securityContextRepository(securityContextRepository)
 	 *              	// expect a log in page at "/authenticate"
 	 *              	// a POST "/authenticate" is where authentication occurs
 	 *              	// error page at "/authenticate?error"
 	 *              	.loginPage("/authenticate")
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param formLoginCustomizer the {@link Customizer} to provide more options for
 	 * the {@link FormLoginSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity formLogin(Customizer<FormLoginSpec> formLoginCustomizer) throws Exception {
 		if (this.formLogin == null) {
 			this.formLogin = new FormLoginSpec();
 		}
 		formLoginCustomizer.customize(this.formLogin);
 		return this;
 	}
 	/**
 	 * Configures x509 authentication using a certificate provided by a client.
 	 *
@ -619,6 +828,39 @@ public class ServerHttpSecurity {
 		return this.x509;
 	}
 	/**
 	 * Configures x509 authentication using a certificate provided by a client.
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          .x509(x509 ->
 	 *              x509
 	 *          	    .authenticationManager(authenticationManager)
 	 *                  .principalExtractor(principalExtractor)
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * Note that if extractor is not specified, {@link SubjectDnX509PrincipalExtractor} will be used.
 	 * If authenticationManager is not specified, {@link ReactivePreAuthenticatedAuthenticationManager} will be used.
 	 *
 	 * @since 5.2
 	 * @param x509Customizer the {@link Customizer} to provide more options for
 	 * the {@link X509Spec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity x509(Customizer<X509Spec> x509Customizer) throws Exception {
 		if (this.x509 == null) {
 			this.x509 = new X509Spec();
 		}
 		x509Customizer.customize(this.x509);
 		return this;
 	}
 	/**
 	 * Configures X509 authentication
 	 *
@ -702,6 +944,36 @@ public class ServerHttpSecurity {
 		return this.oauth2Login;
 	}
 	/**
 	 * Configures authentication support using an OAuth 2.0 and/or OpenID Connect 1.0 Provider.
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .oauth2Login(oauth2Login ->
 	 *              oauth2Login
 	 *                  .authenticationConverter(authenticationConverter)
 	 *                  .authenticationManager(manager)
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param oauth2LoginCustomizer the {@link Customizer} to provide more options for
 	 * the {@link OAuth2LoginSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity oauth2Login(Customizer<OAuth2LoginSpec> oauth2LoginCustomizer) throws Exception {
 		if (this.oauth2Login == null) {
 			this.oauth2Login = new OAuth2LoginSpec();
 		}
 		oauth2LoginCustomizer.customize(this.oauth2Login);
 		return this;
 	}
 	public class OAuth2LoginSpec {
 		private ReactiveClientRegistrationRepository clientRegistrationRepository;
@ -995,6 +1267,36 @@ public class ServerHttpSecurity {
 		return this.client;
 	}
 	/**
 	 * Configures the OAuth2 client.
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .oauth2Client(oauth2Client ->
 	 *              oauth2Client
 	 *                  .clientRegistrationRepository(clientRegistrationRepository)
 	 *                  .authorizedClientRepository(authorizedClientRepository)
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param oauth2ClientCustomizer the {@link Customizer} to provide more options for
 	 * the {@link OAuth2ClientSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity oauth2Client(Customizer<OAuth2ClientSpec> oauth2ClientCustomizer) throws Exception {
 		if (this.client == null) {
 			this.client = new OAuth2ClientSpec();
 		}
 		oauth2ClientCustomizer.customize(this.client);
 		return this;
 	}
 	public class OAuth2ClientSpec {
 		private ReactiveClientRegistrationRepository clientRegistrationRepository;
@ -1145,6 +1447,39 @@ public class ServerHttpSecurity {
 		return this.resourceServer;
 	}
 	/**
 	 * Configures OAuth 2.0 Resource Server support.
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .oauth2ResourceServer(oauth2ResourceServer ->
 	 *              oauth2ResourceServer
 	 *                  .jwt(jwt ->
 	 *                      jwt
 	 *                          .publicKey(publicKey())
 	 *                  )
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param oauth2ResourceServerCustomizer the {@link Customizer} to provide more options for
 	 * the {@link OAuth2ResourceServerSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity oauth2ResourceServer(Customizer<OAuth2ResourceServerSpec> oauth2ResourceServerCustomizer)
 			throws Exception {
 		if (this.resourceServer == null) {
 			this.resourceServer = new OAuth2ResourceServerSpec();
 		}
 		oauth2ResourceServerCustomizer.customize(this.resourceServer);
 		return this;
 	}
 	/**
 	 * Configures OAuth2 Resource Server Support
 	 */
@ -1228,6 +1563,22 @@ public class ServerHttpSecurity {
 			return this.jwt;
 		}
 		/**
 		 * Enables JWT Resource Server support.
 		 *
 		 * @param jwtCustomizer the {@link Customizer} to provide more options for
 		 * the {@link JwtSpec}
 		 * @return the {@link OAuth2ResourceServerSpec} to customize
 		 * @throws Exception
 		 */
 		public OAuth2ResourceServerSpec jwt(Customizer<JwtSpec> jwtCustomizer) throws Exception {
 			if (this.jwt == null) {
 				this.jwt = new JwtSpec();
 			}
 			jwtCustomizer.customize(this.jwt);
 			return this;
 		}
 		/**
 		 * Enables Opaque Token Resource Server support.
 		 *
@ -1240,6 +1591,22 @@ public class ServerHttpSecurity {
 			return this.opaqueToken;
 		}
 		/**
 		 * Enables Opaque Token Resource Server support.
 		 *
 		 * @param opaqueTokenCustomizer the {@link Customizer} to provide more options for
 		 * the {@link OpaqueTokenSpec}
 		 * @return the {@link OAuth2ResourceServerSpec} to customize
 		 * @throws Exception
 		 */
 		public OAuth2ResourceServerSpec opaqueToken(Customizer<OpaqueTokenSpec> opaqueTokenCustomizer) throws Exception {
 			if (this.opaqueToken == null) {
 				this.opaqueToken = new OpaqueTokenSpec();
 			}
 			opaqueTokenCustomizer.customize(this.opaqueToken);
 			return this;
 		}
 		protected void configure(ServerHttpSecurity http) {
 			this.bearerTokenServerWebExchangeMatcher
 					.setBearerTokenConverter(this.bearerTokenConverter);
@ -1561,6 +1928,58 @@ public class ServerHttpSecurity {
 		return this.headers;
 	}
 	/**
 	 * Configures HTTP Response Headers. The default headers are:
 	 *
 	 * <pre>
 	 * Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 	 * Pragma: no-cache
 	 * Expires: 0
 	 * X-Content-Type-Options: nosniff
 	 * Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 	 * X-Frame-Options: DENY
 	 * X-XSS-Protection: 1; mode=block
 	 * </pre>
 	 *
 	 * such that "Strict-Transport-Security" is only added on secure requests.
 	 *
 	 * An example configuration is provided below:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .headers(headers ->
 	 *              headers
 	 *                  // customize frame options to be same origin
 	 *                  .frameOptions(frameOptions ->
 	 *                      frameOptions
 	 *                          .mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
 	 *                   )
 	 *                  // disable cache control
 	 *                  .cache(cache ->
 	 *                      cache
 	 *                          .disable()
 	 *                  )
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param headerCustomizer the {@link Customizer} to provide more options for
 	 * the {@link HeaderSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity headers(Customizer<HeaderSpec> headerCustomizer) throws Exception {
 		if (this.headers == null) {
 			this.headers = new HeaderSpec();
 		}
 		headerCustomizer.customize(this.headers);
 		return this;
 	}
 	/**
 	 * Configures exception handling (i.e. handles when authentication is requested). An example configuration can
 	 * be found below:
@ -1586,6 +2005,38 @@ public class ServerHttpSecurity {
 		return this.exceptionHandling;
 	}
 	/**
 	 * Configures exception handling (i.e. handles when authentication is requested). An example configuration can
 	 * be found below:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .exceptionHandling(exceptionHandling ->
 	 *              exceptionHandling
 	 *                  // customize how to request for authentication
 	 *                  .authenticationEntryPoint(entryPoint)
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param exceptionHandlingCustomizer the {@link Customizer} to provide more options for
 	 * the {@link ExceptionHandlingSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity exceptionHandling(Customizer<ExceptionHandlingSpec> exceptionHandlingCustomizer)
 			throws Exception {
 		if (this.exceptionHandling == null) {
 			this.exceptionHandling = new ExceptionHandlingSpec();
 		}
 		exceptionHandlingCustomizer.customize(this.exceptionHandling);
 		return this;
 	}
 	/**
 	 * Configures authorization. An example configuration can be found below:
 	 *
@ -1624,6 +2075,51 @@ public class ServerHttpSecurity {
 		return this.authorizeExchange;
 	}
 	/**
 	 * Configures authorization. An example configuration can be found below:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .authorizeExchange(exchanges ->
 	 *              exchanges
 	 *                  // any URL that starts with /admin/ requires the role "ROLE_ADMIN"
 	 *                  .pathMatchers("/admin/**").hasRole("ADMIN")
 	 *                  // a POST to /users requires the role "USER_POST"
 	 *                  .pathMatchers(HttpMethod.POST, "/users").hasAuthority("USER_POST")
 	 *                  // a request to /users/{username} requires the current authentication's username
 	 *                  // to be equal to the {username}
 	 *                  .pathMatchers("/users/{username}").access((authentication, context) ->
 	 *                      authentication
 	 *                          .map(Authentication::getName)
 	 *                          .map(username -> username.equals(context.getVariables().get("username")))
 	 *                          .map(AuthorizationDecision::new)
 	 *                  )
 	 *                  // allows providing a custom matching strategy that requires the role "ROLE_CUSTOM"
 	 *                  .matchers(customMatcher).hasRole("CUSTOM")
 	 *                  // any other request requires the user to be authenticated
 	 *                  .anyExchange().authenticated()
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param authorizeExchangeCustomizer the {@link Customizer} to provide more options for
 	 * the {@link AuthorizeExchangeSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity authorizeExchange(Customizer<AuthorizeExchangeSpec> authorizeExchangeCustomizer)
 			throws Exception {
 		if (this.authorizeExchange == null) {
 			this.authorizeExchange = new AuthorizeExchangeSpec();
 		}
 		authorizeExchangeCustomizer.customize(this.authorizeExchange);
 		return this;
 	}
 	/**
 	 * Configures log out. An example configuration can be found below:
 	 *
@ -1651,6 +2147,40 @@ public class ServerHttpSecurity {
 		return this.logout;
 	}
 	/**
 	 * Configures log out. An example configuration can be found below:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .logout(logout ->
 	 *              logout
 	 *                  // configures how log out is done
 	 *                  .logoutHandler(logoutHandler)
 	 *                  // log out will be performed on POST /signout
 	 *                  .logoutUrl("/signout")
 	 *                  // configure what is done on logout success
 	 *                  .logoutSuccessHandler(successHandler)
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param logoutCustomizer the {@link Customizer} to provide more options for
 	 * the {@link LogoutSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity logout(Customizer<LogoutSpec> logoutCustomizer) throws Exception {
 		if (this.logout == null) {
 			this.logout = new LogoutSpec();
 		}
 		logoutCustomizer.customize(this.logout);
 		return this;
 	}
 	/**
 	 * Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so
 	 * that the request can be replayed after authentication. An example configuration can be found below:
@ -1673,6 +2203,34 @@ public class ServerHttpSecurity {
 		return this.requestCache;
 	}
 	/**
 	 * Configures the request cache which is used when a flow is interrupted (i.e. due to requesting credentials) so
 	 * that the request can be replayed after authentication. An example configuration can be found below:
 	 *
 	 * <pre class="code">
 	 *  &#064;Bean
 	 *  public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	 *      http
 	 *          // ...
 	 *          .requestCache(requestCache ->
 	 *              requestCache
 	 *                  // configures how the request is cached
 	 *                  .requestCache(customRequestCache)
 	 *          );
 	 *      return http.build();
 	 *  }
 	 * </pre>
 	 *
 	 * @param requestCacheCustomizer the {@link Customizer} to provide more options for
 	 * the {@link RequestCacheSpec}
 	 * @return the {@link ServerHttpSecurity} to customize
 	 * @throws Exception
 	 */
 	public ServerHttpSecurity requestCache(Customizer<RequestCacheSpec> requestCacheCustomizer) throws Exception {
 		requestCacheCustomizer.customize(this.requestCache);
 		return this;
 	}
 	/**
 	 * Configure the default authentication manager.
 	 * @param manager the authentication manager to use
@ -2549,6 +3107,19 @@ public class ServerHttpSecurity {
 			return new CacheSpec();
 		}
 		/**
 		 * Configures cache control headers
 		 *
 		 * @param cacheCustomizer the {@link Customizer} to provide more options for
 		 * the {@link CacheSpec}
 		 * @return the {@link HeaderSpec} to customize
 		 * @throws Exception
 		 */
 		public HeaderSpec cache(Customizer<CacheSpec> cacheCustomizer) throws Exception {
 			cacheCustomizer.customize(new CacheSpec());
 			return this;
 		}
 		/**
 		 * Configures content type response headers
 		 * @return the {@link ContentTypeOptionsSpec} to configure
@ -2557,6 +3128,20 @@ public class ServerHttpSecurity {
 			return new ContentTypeOptionsSpec();
 		}
 		/**
 		 * Configures content type response headers
 		 *
 		 * @param contentTypeOptionsCustomizer the {@link Customizer} to provide more options for
 		 * the {@link ContentTypeOptionsSpec}
 		 * @return the {@link HeaderSpec} to customize
 		 * @throws Exception
 		 */
 		public HeaderSpec contentTypeOptions(Customizer<ContentTypeOptionsSpec> contentTypeOptionsCustomizer)
 				throws Exception {
 			contentTypeOptionsCustomizer.customize(new ContentTypeOptionsSpec());
 			return this;
 		}
 		/**
 		 * Configures frame options response headers
 		 * @return the {@link FrameOptionsSpec} to configure
@ -2565,6 +3150,19 @@ public class ServerHttpSecurity {
 			return new FrameOptionsSpec();
 		}
 		/**
 		 * Configures frame options response headers
 		 *
 		 * @param frameOptionsCustomizer the {@link Customizer} to provide more options for
 		 * the {@link FrameOptionsSpec}
 		 * @return the {@link HeaderSpec} to customize
 		 * @throws Exception
 		 */
 		public HeaderSpec frameOptions(Customizer<FrameOptionsSpec> frameOptionsCustomizer) throws Exception {
 			frameOptionsCustomizer.customize(new FrameOptionsSpec());
 			return this;
 		}
 		/**
 		 * Configures the Strict Transport Security response headers
 		 * @return the {@link HstsSpec} to configure
@ -2573,6 +3171,19 @@ public class ServerHttpSecurity {
 			return new HstsSpec();
 		}
 		/**
 		 * Configures the Strict Transport Security response headers
 		 *
 		 * @param hstsCustomizer the {@link Customizer} to provide more options for
 		 * the {@link HstsSpec}
 		 * @return the {@link HeaderSpec} to customize
 		 * @throws Exception
 		 */
 		public HeaderSpec hsts(Customizer<HstsSpec> hstsCustomizer) throws Exception {
 			hstsCustomizer.customize(new HstsSpec());
 			return this;
 		}
 		protected void configure(ServerHttpSecurity http) {
 			ServerHttpHeadersWriter writer = new CompositeServerHttpHeadersWriter(this.writers);
 			HttpHeaderWriterWebFilter result = new HttpHeaderWriterWebFilter(writer);
@ -2587,6 +3198,19 @@ public class ServerHttpSecurity {
 			return new XssProtectionSpec();
 		}
 		/**
 		 * Configures x-xss-protection response header.
 		 *
 		 * @param xssProtectionCustomizer the {@link Customizer} to provide more options for
 		 * the {@link XssProtectionSpec}
 		 * @return the {@link HeaderSpec} to customize
 		 * @throws Exception
 		 */
 		public HeaderSpec xssProtection(Customizer<XssProtectionSpec> xssProtectionCustomizer) throws Exception {
 			xssProtectionCustomizer.customize(new XssProtectionSpec());
 			return this;
 		}
 		/**
 		 * Configures {@code Content-Security-Policy} response header.
 		 * @param policyDirectives the policy directive(s)
@ -2596,6 +3220,20 @@ public class ServerHttpSecurity {
 			return new ContentSecurityPolicySpec(policyDirectives);
 		}
 		/**
 		 * Configures {@code Content-Security-Policy} response header.
 		 *
 		 * @param contentSecurityPolicyCustomizer the {@link Customizer} to provide more options for
 		 * the {@link ContentSecurityPolicySpec}
 		 * @return the {@link HeaderSpec} to customize
 		 * @throws Exception
 		 */
 		public HeaderSpec contentSecurityPolicy(Customizer<ContentSecurityPolicySpec> contentSecurityPolicyCustomizer)
 				throws Exception {
 			contentSecurityPolicyCustomizer.customize(new ContentSecurityPolicySpec());
 			return this;
 		}
 		/**
 		 * Configures {@code Feature-Policy} response header.
 		 * @param policyDirectives the policy directive(s)
@ -2622,6 +3260,20 @@ public class ServerHttpSecurity {
 			return new ReferrerPolicySpec();
 		}
 		/**
 		 * Configures {@code Referrer-Policy} response header.
 		 *
 		 * @param referrerPolicyCustomizer the {@link Customizer} to provide more options for
 		 * the {@link ReferrerPolicySpec}
 		 * @return the {@link HeaderSpec} to customize
 		 * @throws Exception
 		 */
 		public HeaderSpec referrerPolicy(Customizer<ReferrerPolicySpec> referrerPolicyCustomizer)
 				throws Exception {
 			referrerPolicyCustomizer.customize(new ReferrerPolicySpec());
 			return this;
 		}
 		/**
 		 * Configures cache control headers
 		 * @see #cache()
@ -2781,6 +3433,7 @@ public class ServerHttpSecurity {
 		 * @since 5.1
 		 */
 		public class ContentSecurityPolicySpec {
 			private static final String DEFAULT_SRC_SELF_POLICY = "default-src 'self'";
 			/**
 			 * Whether to include the {@code Content-Security-Policy-Report-Only} header in
@ -2793,6 +3446,17 @@ public class ServerHttpSecurity {
 				return HeaderSpec.this;
 			}
 			/**
 			 * Sets the security policy directive(s) to be used in the response header.
 			 *
 			 * @param policyDirectives the security policy directive(s)
 			 * @return the {@link HeaderSpec} to continue configuring
 			 */
 			public HeaderSpec policyDirectives(String policyDirectives) {
 				HeaderSpec.this.contentSecurityPolicy.setPolicyDirectives(policyDirectives);
 				return HeaderSpec.this;
 			}
 			/**
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
@ -2806,6 +3470,9 @@ public class ServerHttpSecurity {
 				HeaderSpec.this.contentSecurityPolicy.setPolicyDirectives(policyDirectives);
 			}
 			private ContentSecurityPolicySpec() {
 				HeaderSpec.this.contentSecurityPolicy.setPolicyDirectives(DEFAULT_SRC_SELF_POLICY);
 			}
 		}
 		/**
@ -2840,6 +3507,17 @@ public class ServerHttpSecurity {
 		 */
 		public class ReferrerPolicySpec {
 			/**
 			 * Sets the policy to be used in the response header.
 			 *
 			 * @param referrerPolicy a referrer policy
 			 * @return the {@link ReferrerPolicySpec} to continue configuring
 			 */
 			public ReferrerPolicySpec policy(ReferrerPolicy referrerPolicy) {
 				HeaderSpec.this.referrerPolicy.setPolicy(referrerPolicy);
 				return this;
 			}
 			/**
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}.
--- a/config/src/test/java/org/springframework/security/config/web/server/AuthorizeExchangeSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/AuthorizeExchangeSpecTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -92,6 +92,39 @@ public class AuthorizeExchangeSpecTests {
 			.expectStatus().isUnauthorized();
 	}
 	@Test
 	public void antMatchersWhenPatternsInLambdaThenAnyMethod() throws Exception {
 		this.http
 			.csrf(ServerHttpSecurity.CsrfSpec::disable)
 			.authorizeExchange(exchanges ->
 				exchanges
 					.pathMatchers("/a", "/b").denyAll()
 					.anyExchange().permitAll()
 			);
 		WebTestClient client = buildClient();
 		client.get()
 			.uri("/a")
 			.exchange()
 			.expectStatus().isUnauthorized();
 		client.get()
 			.uri("/b")
 			.exchange()
 			.expectStatus().isUnauthorized();
 		client.post()
 			.uri("/a")
 			.exchange()
 			.expectStatus().isUnauthorized();
 		client.post()
 			.uri("/b")
 			.exchange()
 			.expectStatus().isUnauthorized();
 	}
 	@Test(expected = IllegalStateException.class)
 	public void antMatchersWhenNoAccessAndAnotherMatcherThenThrowsException() {
 		this.http
@ -117,6 +150,16 @@ public class AuthorizeExchangeSpecTests {
 		this.http.build();
 	}
 	@Test(expected = IllegalStateException.class)
 	public void buildWhenMatcherDefinedWithNoAccessInLambdaThenThrowsException() throws Exception {
 		this.http
 			.authorizeExchange(exchanges ->
 				exchanges
 					.pathMatchers("/incomplete")
 			);
 		this.http.build();
 	}
 	private WebTestClient buildClient() {
 		return WebTestClientBuilder.bindToWebFilters(this.http.build()).build();
 	}
--- a/config/src/test/java/org/springframework/security/config/web/server/CorsSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/CorsSpecTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -74,6 +74,14 @@ public class CorsSpecTests {
 		assertHeaders();
 	}
 	@Test
 	public void corsWhenEnabledInLambdaThenAccessControlAllowOriginAndSecurityHeaders() throws Exception {
 		this.http.cors(cors -> cors.configurationSource(this.source));
 		this.expectedHeaders.set("Access-Control-Allow-Origin", "*");
 		this.expectedHeaders.set("X-Frame-Options", "DENY");
 		assertHeaders();
 	}
 	@Test
 	public void corsWhenCorsConfigurationSourceBeanThenAccessControlAllowOriginAndSecurityHeaders() {
 		when(this.context.getBeanNamesForType(any(ResolvableType.class))).thenReturn(new String[] {"source"}, new String[0]);
--- a/config/src/test/java/org/springframework/security/config/web/server/ExceptionHandlingSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/ExceptionHandlingSpecTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -26,6 +26,8 @@ import org.springframework.security.web.server.authorization.HttpStatusServerAcc
 import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * @author Denys Ivano
 * @since 5.0.5
@ -56,6 +58,29 @@ public class ExceptionHandlingSpecTests {
 			.expectHeader().valueMatches("WWW-Authenticate", "Basic.*");
 	}
 	@Test
 	public void requestWhenExceptionHandlingWithDefaultsInLambdaThenDefaultAuthenticationEntryPointUsed()
 			throws Exception {
 		SecurityWebFilterChain securityWebFilter = this.http
 			.authorizeExchange(exchanges ->
 				exchanges
 					.anyExchange().authenticated()
 			)
 			.exceptionHandling(withDefaults())
 			.build();
 		WebTestClient client = WebTestClientBuilder
 			.bindToWebFilters(securityWebFilter)
 			.build();
 		client
 			.get()
 			.uri("/test")
 			.exchange()
 			.expectStatus().isUnauthorized()
 			.expectHeader().valueMatches("WWW-Authenticate", "Basic.*");
 	}
 	@Test
 	public void customAuthenticationEntryPoint() {
 		SecurityWebFilterChain securityWebFilter = this.http
@ -80,6 +105,31 @@ public class ExceptionHandlingSpecTests {
 			.expectHeader().valueMatches("Location", ".*");
 	}
 	@Test
 	public void requestWhenCustomAuthenticationEntryPointInLambdaThenCustomAuthenticationEntryPointUsed() throws Exception {
 		SecurityWebFilterChain securityWebFilter = this.http
 				.authorizeExchange(exchanges ->
 					exchanges
 						.anyExchange().authenticated()
 				)
 				.exceptionHandling(exceptionHandling ->
 					exceptionHandling
 						.authenticationEntryPoint(redirectServerAuthenticationEntryPoint("/auth"))
 				)
 				.build();
 		WebTestClient client = WebTestClientBuilder
 			.bindToWebFilters(securityWebFilter)
 			.build();
 		client
 			.get()
 			.uri("/test")
 			.exchange()
 			.expectStatus().isFound()
 			.expectHeader().valueMatches("Location", ".*");
 	}
 	@Test
 	public void defaultAccessDeniedHandler() {
 		SecurityWebFilterChain securityWebFilter = this.http
@ -104,6 +154,30 @@ public class ExceptionHandlingSpecTests {
 			.expectStatus().isForbidden();
 	}
 	@Test
 	public void requestWhenExceptionHandlingWithDefaultsInLambdaThenDefaultAccessDeniedHandlerUsed()
 			throws Exception {
 		SecurityWebFilterChain securityWebFilter = this.http
 				.httpBasic(withDefaults())
 				.authorizeExchange(exchanges ->
 					exchanges
 						.anyExchange().hasRole("ADMIN")
 				)
 				.exceptionHandling(withDefaults())
 				.build();
 		WebTestClient client = WebTestClientBuilder
 				.bindToWebFilters(securityWebFilter)
 				.build();
 		client
 				.get()
 				.uri("/admin")
 				.headers(headers -> headers.setBasicAuth("user", "password"))
 				.exchange()
 				.expectStatus().isForbidden();
 	}
 	@Test
 	public void customAccessDeniedHandler() {
 		SecurityWebFilterChain securityWebFilter = this.http
@ -129,6 +203,33 @@ public class ExceptionHandlingSpecTests {
 			.expectStatus().isBadRequest();
 	}
 	@Test
 	public void requestWhenCustomAccessDeniedHandlerInLambdaThenCustomAccessDeniedHandlerUsed()
 			throws Exception {
 		SecurityWebFilterChain securityWebFilter = this.http
 				.httpBasic(withDefaults())
 				.authorizeExchange(exchanges ->
 						exchanges
 								.anyExchange().hasRole("ADMIN")
 				)
 				.exceptionHandling(exceptionHandling ->
 					exceptionHandling
 						.accessDeniedHandler(httpStatusServerAccessDeniedHandler(HttpStatus.BAD_REQUEST))
 				)
 				.build();
 		WebTestClient client = WebTestClientBuilder
 				.bindToWebFilters(securityWebFilter)
 				.build();
 		client
 				.get()
 				.uri("/admin")
 				.headers(headers -> headers.setBasicAuth("user", "password"))
 				.exchange()
 				.expectStatus().isBadRequest();
 	}
 	private ServerAuthenticationEntryPoint redirectServerAuthenticationEntryPoint(String location) {
 		return new RedirectServerAuthenticationEntryPoint(location);
 	}
--- a/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/FormLoginTests.java
@ -46,6 +46,7 @@ import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verifyZeroInteractions;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * @author Rob Winch
@ -96,6 +97,49 @@ public class FormLoginTests {
 			.assertLogout();
 	}
 	@Test
 	public void formLoginWhenDefaultsInLambdaThenCreatesDefaultLoginPage() throws Exception {
 		SecurityWebFilterChain securityWebFilter = this.http
 			.authorizeExchange(exchanges ->
 				exchanges
 					.anyExchange().authenticated()
 			)
 			.formLogin(withDefaults())
 			.build();
 		WebTestClient webTestClient = WebTestClientBuilder
 			.bindToWebFilters(securityWebFilter)
 			.build();
 		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
 			.webTestClientSetup(webTestClient)
 			.build();
 		DefaultLoginPage loginPage = HomePage.to(driver, DefaultLoginPage.class)
 			.assertAt();
 		loginPage = loginPage.loginForm()
 			.username("user")
 			.password("invalid")
 			.submit(DefaultLoginPage.class)
 			.assertError();
 		HomePage homePage = loginPage.loginForm()
 			.username("user")
 			.password("password")
 			.submit(HomePage.class);
 		homePage.assertAt();
 		loginPage = DefaultLogoutPage.to(driver)
 			.assertAt()
 			.logout();
 		loginPage
 			.assertAt()
 			.assertLogout();
 	}
 	@Test
 	public void customLoginPage() {
 		SecurityWebFilterChain securityWebFilter = this.http
@ -128,6 +172,40 @@ public class FormLoginTests {
 		homePage.assertAt();
 	}
 	@Test
 	public void formLoginWhenCustomLoginPageInLambdaThenUsed() throws Exception {
 		SecurityWebFilterChain securityWebFilter = this.http
 			.authorizeExchange(exchanges ->
 				exchanges
 					.pathMatchers("/login").permitAll()
 					.anyExchange().authenticated()
 			)
 			.formLogin(formLogin ->
 				formLogin
 					.loginPage("/login")
 			)
 			.build();
 		WebTestClient webTestClient = WebTestClient
 			.bindToController(new CustomLoginPageController(), new WebTestClientBuilder.Http200RestController())
 			.webFilter(new WebFilterChainProxy(securityWebFilter))
 			.build();
 		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
 			.webTestClientSetup(webTestClient)
 			.build();
 		CustomLoginPage loginPage = HomePage.to(driver, CustomLoginPage.class)
 			.assertAt();
 		HomePage homePage = loginPage.loginForm()
 			.username("user")
 			.password("password")
 			.submit(HomePage.class);
 		homePage.assertAt();
 	}
 	@Test
 	public void authenticationSuccess() {
 		SecurityWebFilterChain securityWebFilter = this.http
--- a/config/src/test/java/org/springframework/security/config/web/server/HeaderSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/HeaderSpecTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -39,6 +39,7 @@ import org.springframework.test.web.reactive.server.FluxExchangeResult;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * Tests for {@link ServerHttpSecurity.HeaderSpec}.
@ -49,7 +50,7 @@ import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
 */
 public class HeaderSpecTests {
-	private ServerHttpSecurity.HeaderSpec headers = ServerHttpSecurity.http().headers();
+	private ServerHttpSecurity http = ServerHttpSecurity.http();
 	private HttpHeaders expectedHeaders = new HttpHeaders();
@ -72,14 +73,23 @@ public class HeaderSpecTests {
 	public void headersWhenDisableThenNoSecurityHeaders() {
 		new HashSet<>(this.expectedHeaders.keySet()).forEach(this::expectHeaderNamesNotPresent);
-		this.headers.disable();
+		this.http.headers().disable();
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenDisableInLambdaThenNoSecurityHeaders() throws Exception {
 		new HashSet<>(this.expectedHeaders.keySet()).forEach(this::expectHeaderNamesNotPresent);
 		this.http.headers(headers -> headers.disable());
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenDisableAndInvokedExplicitlyThenDefautsUsed() {
-		this.headers.disable()
+		this.http.headers().disable()
 			.headers();
 		assertHeaders();
@ -87,13 +97,34 @@ public class HeaderSpecTests {
 	@Test
 	public void headersWhenDefaultsThenAllDefaultsWritten() {
 		this.http.headers();
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenDefaultsInLambdaThenAllDefaultsWritten() throws Exception {
 		this.http.headers(withDefaults());
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenCacheDisableThenCacheNotWritten() {
 		expectHeaderNamesNotPresent(HttpHeaders.CACHE_CONTROL, HttpHeaders.PRAGMA, HttpHeaders.EXPIRES);
-		this.headers.cache().disable();
+		this.http.headers().cache().disable();
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenCacheDisableInLambdaThenCacheNotWritten() throws Exception {
 		expectHeaderNamesNotPresent(HttpHeaders.CACHE_CONTROL, HttpHeaders.PRAGMA, HttpHeaders.EXPIRES);
 		this.http
 				.headers(headers ->
 					headers.cache(cache -> cache.disable())
 				);
 		assertHeaders();
 	}
@ -101,7 +132,18 @@ public class HeaderSpecTests {
 	@Test
 	public void headersWhenContentOptionsDisableThenContentTypeOptionsNotWritten() {
 		expectHeaderNamesNotPresent(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS);
-		this.headers.contentTypeOptions().disable();
+		this.http.headers().contentTypeOptions().disable();
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenContentOptionsDisableInLambdaThenContentTypeOptionsNotWritten() throws Exception {
 		expectHeaderNamesNotPresent(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS);
 		this.http
 				.headers(headers ->
 					headers.contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable())
 				);
 		assertHeaders();
 	}
@ -109,7 +151,18 @@ public class HeaderSpecTests {
 	@Test
 	public void headersWhenHstsDisableThenHstsNotWritten() {
 		expectHeaderNamesNotPresent(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
-		this.headers.hsts().disable();
+		this.http.headers().hsts().disable();
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenHstsDisableInLambdaThenHstsNotWritten() throws Exception {
 		expectHeaderNamesNotPresent(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
 		this.http
 				.headers(headers ->
 					headers.hsts(hsts -> hsts.disable())
 				);
 		assertHeaders();
 	}
@ -118,28 +171,73 @@ public class HeaderSpecTests {
 	public void headersWhenHstsCustomThenCustomHstsWritten() {
 		this.expectedHeaders.remove(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
 		this.expectedHeaders.add(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY, "max-age=60");
-		this.headers.hsts()
+		this.http.headers().hsts()
 					.maxAge(Duration.ofSeconds(60))
 					.includeSubdomains(false);
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenHstsCustomInLambdaThenCustomHstsWritten() throws Exception {
 		this.expectedHeaders.remove(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
 		this.expectedHeaders.add(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY, "max-age=60");
 		this.http
 				.headers(headers ->
 					headers
 						.hsts(hsts ->
 							hsts
 								.maxAge(Duration.ofSeconds(60))
 								.includeSubdomains(false)
 						)
 				);
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenHstsCustomWithPreloadThenCustomHstsWritten() {
 		this.expectedHeaders.remove(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
 		this.expectedHeaders.add(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY, "max-age=60 ; includeSubDomains ; preload");
-		this.headers.hsts()
+		this.http.headers().hsts()
 				.maxAge(Duration.ofSeconds(60))
 				.preload(true);
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenHstsCustomWithPreloadInLambdaThenCustomHstsWritten() throws Exception {
 		this.expectedHeaders.remove(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY);
 		this.expectedHeaders.add(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY, "max-age=60 ; includeSubDomains ; preload");
 		this.http
 				.headers(headers ->
 					headers
 						.hsts(hsts ->
 							hsts
 								.maxAge(Duration.ofSeconds(60))
 								.preload(true)
 						)
 				);
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenFrameOptionsDisableThenFrameOptionsNotWritten() {
 		expectHeaderNamesNotPresent(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS);
-		this.headers.frameOptions().disable();
+		this.http.headers().frameOptions().disable();
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenFrameOptionsDisableInLambdaThenFrameOptionsNotWritten() throws Exception {
 		expectHeaderNamesNotPresent(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS);
 		this.http
 				.headers(headers ->
 					headers.frameOptions(frameOptions -> frameOptions.disable())
 				);
 		assertHeaders();
 	}
@ -147,17 +245,43 @@ public class HeaderSpecTests {
 	@Test
 	public void headersWhenFrameOptionsModeThenFrameOptionsCustomMode() {
 		this.expectedHeaders.set(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS, "SAMEORIGIN");
-		this.headers
+		this.http.headers()
 				.frameOptions()
 					.mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN);
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenFrameOptionsModeInLambdaThenFrameOptionsCustomMode() throws Exception {
 		this.expectedHeaders.set(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS, "SAMEORIGIN");
 		this.http
 				.headers(headers ->
 						headers
 							.frameOptions(frameOptions ->
 								frameOptions
 									.mode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN)
 							)
 				);
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenXssProtectionDisableThenXssProtectionNotWritten() {
 		expectHeaderNamesNotPresent("X-Xss-Protection");
-		this.headers.xssProtection().disable();
+		this.http.headers().xssProtection().disable();
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenXssProtectionDisableInLambdaThenXssProtectionNotWritten() throws Exception {
 		expectHeaderNamesNotPresent("X-Xss-Protection");
 		this.http
 				.headers(headers ->
 						headers.xssProtection(xssProtection -> xssProtection.disable())
 				);
 		assertHeaders();
 	}
@ -168,7 +292,7 @@ public class HeaderSpecTests {
 		this.expectedHeaders.add(FeaturePolicyServerHttpHeadersWriter.FEATURE_POLICY,
 				policyDirectives);
-		this.headers.featurePolicy(policyDirectives);
+		this.http.headers().featurePolicy(policyDirectives);
 		assertHeaders();
 	}
@ -179,7 +303,39 @@ public class HeaderSpecTests {
 		this.expectedHeaders.add(ContentSecurityPolicyServerHttpHeadersWriter.CONTENT_SECURITY_POLICY,
 				policyDirectives);
-		this.headers.contentSecurityPolicy(policyDirectives);
+		this.http.headers().contentSecurityPolicy(policyDirectives);
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenContentSecurityPolicyEnabledWithDefaultsInLambdaThenDefaultPolicyWritten() throws Exception {
 		String expectedPolicyDirectives = "default-src 'self'";
 		this.expectedHeaders.add(ContentSecurityPolicyServerHttpHeadersWriter.CONTENT_SECURITY_POLICY,
 				expectedPolicyDirectives);
 		this.http
 				.headers(headers ->
 					headers.contentSecurityPolicy(withDefaults())
 				);
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenContentSecurityPolicyEnabledInLambdaThenContentSecurityPolicyWritten() throws Exception {
 		String policyDirectives = "default-src 'self' *.trusted.com";
 		this.expectedHeaders.add(ContentSecurityPolicyServerHttpHeadersWriter.CONTENT_SECURITY_POLICY,
 				policyDirectives);
 		this.http
 				.headers(headers ->
 					headers
 						.contentSecurityPolicy(contentSecurityPolicy ->
 							contentSecurityPolicy
 								.policyDirectives(policyDirectives)
 						)
 				);
 		assertHeaders();
 	}
@ -188,7 +344,20 @@ public class HeaderSpecTests {
 	public void headersWhenReferrerPolicyEnabledThenFeaturePolicyWritten() {
 		this.expectedHeaders.add(ReferrerPolicyServerHttpHeadersWriter.REFERRER_POLICY,
 				ReferrerPolicy.NO_REFERRER.getPolicy());
-		this.headers.referrerPolicy();
+		this.http.headers().referrerPolicy();
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenReferrerPolicyEnabledInLambdaThenReferrerPolicyWritten() throws Exception {
 		this.expectedHeaders.add(ReferrerPolicyServerHttpHeadersWriter.REFERRER_POLICY,
 				ReferrerPolicy.NO_REFERRER.getPolicy());
 		this.http
 				.headers(headers ->
 					headers
 						.referrerPolicy(withDefaults())
 				);
 		assertHeaders();
 	}
@ -197,7 +366,23 @@ public class HeaderSpecTests {
 	public void headersWhenReferrerPolicyCustomEnabledThenFeaturePolicyCustomWritten() {
 		this.expectedHeaders.add(ReferrerPolicyServerHttpHeadersWriter.REFERRER_POLICY,
 				ReferrerPolicy.NO_REFERRER_WHEN_DOWNGRADE.getPolicy());
-		this.headers.referrerPolicy(ReferrerPolicy.NO_REFERRER_WHEN_DOWNGRADE);
+		this.http.headers().referrerPolicy(ReferrerPolicy.NO_REFERRER_WHEN_DOWNGRADE);
 		assertHeaders();
 	}
 	@Test
 	public void headersWhenReferrerPolicyCustomEnabledInLambdaThenCustomReferrerPolicyWritten() throws Exception {
 		this.expectedHeaders.add(ReferrerPolicyServerHttpHeadersWriter.REFERRER_POLICY,
 				ReferrerPolicy.NO_REFERRER_WHEN_DOWNGRADE.getPolicy());
 		this.http
 				.headers(headers ->
 					headers
 						.referrerPolicy(referrerPolicy ->
 							referrerPolicy
 								.policy(ReferrerPolicy.NO_REFERRER_WHEN_DOWNGRADE)
 						)
 				);
 		assertHeaders();
 	}
@ -228,6 +413,6 @@ public class HeaderSpecTests {
 	}
 	private WebTestClient buildClient() {
-		return WebTestClientBuilder.bindToWebFilters(this.headers.and().build()).build();
+		return WebTestClientBuilder.bindToWebFilters(this.http.build()).build();
 	}
 }
--- a/config/src/test/java/org/springframework/security/config/web/server/HttpsRedirectSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/HttpsRedirectSpecTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -33,6 +33,7 @@ import org.springframework.web.reactive.config.EnableWebFlux;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * Tests for {@link HttpsRedirectSpecTests}
@ -71,6 +72,17 @@ public class HttpsRedirectSpecTests {
 				.expectHeader().valueEquals(HttpHeaders.LOCATION, "https://localhost");
 	}
 	@Test
 	public void getWhenInsecureAndRedirectConfiguredInLambdaThenRespondsWithRedirectToSecure() {
 		this.spring.register(RedirectToHttpsInLambdaConfig.class).autowire();
 		this.client.get()
 				.uri("http://localhost")
 				.exchange()
 				.expectStatus().isFound()
 				.expectHeader().valueEquals(HttpHeaders.LOCATION, "https://localhost");
 	}
 	@Test
 	public void getWhenInsecureAndPathRequiresTransportSecurityThenRedirects() {
 		this.spring.register(SometimesRedirectToHttpsConfig.class).autowire();
@ -87,6 +99,22 @@ public class HttpsRedirectSpecTests {
 				.expectHeader().valueEquals(HttpHeaders.LOCATION, "https://localhost:8443/secure");
 	}
 	@Test
 	public void getWhenInsecureAndPathRequiresTransportSecurityInLambdaThenRedirects() {
 		this.spring.register(SometimesRedirectToHttpsInLambdaConfig.class).autowire();
 		this.client.get()
 				.uri("http://localhost:8080")
 				.exchange()
 				.expectStatus().isNotFound();
 		this.client.get()
 				.uri("http://localhost:8080/secure")
 				.exchange()
 				.expectStatus().isFound()
 				.expectHeader().valueEquals(HttpHeaders.LOCATION, "https://localhost:8443/secure");
 	}
 	@Test
 	public void getWhenInsecureAndUsingCustomPortMapperThenRespondsWithRedirectToSecurePort() {
 		this.spring.register(RedirectToHttpsViaCustomPortsConfig.class).autowire();
@ -101,6 +129,20 @@ public class HttpsRedirectSpecTests {
 				.expectHeader().valueEquals(HttpHeaders.LOCATION, "https://localhost:4443");
 	}
 	@Test
 	public void getWhenInsecureAndUsingCustomPortMapperInLambdaThenRespondsWithRedirectToSecurePort() {
 		this.spring.register(RedirectToHttpsViaCustomPortsInLambdaConfig.class).autowire();
 		PortMapper portMapper = this.spring.getContext().getBean(PortMapper.class);
 		when(portMapper.lookupHttpsPort(4080)).thenReturn(4443);
 		this.client.get()
 				.uri("http://localhost:4080")
 				.exchange()
 				.expectStatus().isFound()
 				.expectHeader().valueEquals(HttpHeaders.LOCATION, "https://localhost:4443");
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class RedirectToHttpConfig {
@ -115,6 +157,21 @@ public class HttpsRedirectSpecTests {
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class RedirectToHttpsInLambdaConfig {
 		@Bean
 		SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.redirectToHttps(withDefaults());
 			// @formatter:on
 			return http.build();
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class SometimesRedirectToHttpsConfig {
@ -130,6 +187,24 @@ public class HttpsRedirectSpecTests {
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class SometimesRedirectToHttpsInLambdaConfig {
 		@Bean
 		SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.redirectToHttps(redirectToHttps ->
 					redirectToHttps
 						.httpsRedirectWhen(new PathPatternParserServerWebExchangeMatcher("/secure"))
 				);
 			// @formatter:on
 			return http.build();
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class RedirectToHttpsViaCustomPortsConfig {
@ -149,4 +224,26 @@ public class HttpsRedirectSpecTests {
 			return mock(PortMapper.class);
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class RedirectToHttpsViaCustomPortsInLambdaConfig {
 		@Bean
 		SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.redirectToHttps(redirectToHttps ->
 					redirectToHttps
 						.portMapper(portMapper())
 				);
 			// @formatter:on
 			return http.build();
 		}
 		@Bean
 		public PortMapper portMapper() {
 			return mock(PortMapper.class);
 		}
 	}
 }
--- a/config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/LogoutSpecTests.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -25,6 +25,8 @@ import org.springframework.security.web.server.util.matcher.ServerWebExchangeMat
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.security.test.web.reactive.server.WebTestClientBuilder;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * @author Shazin Sadakath
 * @since 5.0
@ -117,4 +119,49 @@ public class LogoutSpecTests {
 			.assertAt()
 			.assertLogout();
 	}
 	@Test
 	public void logoutWhenCustomLogoutInLambdaThenCustomLogoutUsed() throws Exception {
 		SecurityWebFilterChain securityWebFilter = this.http
 			.authorizeExchange(authorizeExchange ->
 				authorizeExchange
 					.anyExchange().authenticated()
 			)
 			.formLogin(withDefaults())
 			.logout(logout ->
 				logout
 					.requiresLogout(ServerWebExchangeMatchers.pathMatchers("/custom-logout"))
 			)
 			.build();
 		WebTestClient webTestClient = WebTestClientBuilder
 			.bindToWebFilters(securityWebFilter)
 			.build();
 		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
 			.webTestClientSetup(webTestClient)
 			.build();
 		FormLoginTests.DefaultLoginPage loginPage = FormLoginTests.HomePage.to(driver, FormLoginTests.DefaultLoginPage.class)
 			.assertAt();
 		loginPage = loginPage.loginForm()
 			.username("user")
 			.password("invalid")
 			.submit(FormLoginTests.DefaultLoginPage.class)
 			.assertError();
 		FormLoginTests.HomePage homePage = loginPage.loginForm()
 			.username("user")
 			.password("password")
 			.submit(FormLoginTests.HomePage.class);
 		homePage.assertAt();
 		driver.get("http://localhost/custom-logout");
 		FormLoginTests.DefaultLoginPage.create(driver)
 			.assertAt()
 			.assertLogout();
 	}
 }
--- a/config/src/test/java/org/springframework/security/config/web/server/OAuth2ClientSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/OAuth2ClientSpecTests.java
@ -185,4 +185,48 @@ public class OAuth2ClientSpecTests {
 			return http.build();
 		}
 	}
 	@Test
 	public void oauth2ClientWhenCustomObjectsInLambdaThenUsed() {
 		this.spring.register(ClientRegistrationConfig.class, OAuth2ClientInLambdaCustomConfig.class, AuthorizedClientController.class).autowire();
 		OAuth2ClientInLambdaCustomConfig config = this.spring.getContext().getBean(OAuth2ClientInLambdaCustomConfig.class);
 		ServerAuthenticationConverter converter = config.authenticationConverter;
 		ReactiveAuthenticationManager manager = config.manager;
 		OAuth2AuthorizationExchange exchange = TestOAuth2AuthorizationExchanges.success();
 		OAuth2AccessToken accessToken = TestOAuth2AccessTokens.noScopes();
 		OAuth2AuthorizationCodeAuthenticationToken result = new OAuth2AuthorizationCodeAuthenticationToken(this.registration, exchange, accessToken);
 		when(converter.convert(any())).thenReturn(Mono.just(new TestingAuthenticationToken("a", "b", "c")));
 		when(manager.authenticate(any())).thenReturn(Mono.just(result));
 		this.client.get()
 				.uri("/authorize/oauth2/code/registration-id")
 				.exchange()
 				.expectStatus().is3xxRedirection();
 		verify(converter).convert(any());
 		verify(manager).authenticate(any());
 	}
 	@Configuration
 	static class OAuth2ClientInLambdaCustomConfig {
 		ReactiveAuthenticationManager manager = mock(ReactiveAuthenticationManager.class);
 		ServerAuthenticationConverter authenticationConverter = mock(ServerAuthenticationConverter.class);
 		@Bean
 		public SecurityWebFilterChain springSecurityFilter(ServerHttpSecurity http) throws Exception {
 			http
 				.oauth2Client(oauth2Client ->
 					oauth2Client
 						.authenticationConverter(this.authenticationConverter)
 						.authenticationManager(this.manager)
 				);
 			return http.build();
 		}
 	}
 }
--- a/config/src/test/java/org/springframework/security/config/web/server/OAuth2LoginTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/OAuth2LoginTests.java
@ -261,6 +261,87 @@ public class OAuth2LoginTests {
 		}
 	}
 	@Test
 	public void oauth2LoginWhenCustomObjectsInLambdaThenUsed() {
 		this.spring.register(OAuth2LoginWithSingleClientRegistrations.class,
 				OAuth2LoginMockAuthenticationManagerInLambdaConfig.class).autowire();
 		String redirectLocation = "/custom-redirect-location";
 		WebTestClient webTestClient = WebTestClientBuilder
 				.bindToWebFilters(this.springSecurity)
 				.build();
 		OAuth2LoginMockAuthenticationManagerInLambdaConfig config = this.spring.getContext()
 				.getBean(OAuth2LoginMockAuthenticationManagerInLambdaConfig.class);
 		ServerAuthenticationConverter converter = config.authenticationConverter;
 		ReactiveAuthenticationManager manager = config.manager;
 		ServerWebExchangeMatcher matcher = config.matcher;
 		ServerOAuth2AuthorizationRequestResolver resolver = config.resolver;
 		ServerAuthenticationSuccessHandler successHandler = config.successHandler;
 		OAuth2AuthorizationExchange exchange = TestOAuth2AuthorizationExchanges.success();
 		OAuth2User user = TestOAuth2Users.create();
 		OAuth2AccessToken accessToken = TestOAuth2AccessTokens.noScopes();
 		OAuth2LoginAuthenticationToken result = new OAuth2LoginAuthenticationToken(github, exchange, user, user.getAuthorities(), accessToken);
 		when(converter.convert(any())).thenReturn(Mono.just(new TestingAuthenticationToken("a", "b", "c")));
 		when(manager.authenticate(any())).thenReturn(Mono.just(result));
 		when(matcher.matches(any())).thenReturn(ServerWebExchangeMatcher.MatchResult.match());
 		when(resolver.resolve(any())).thenReturn(Mono.empty());
 		when(successHandler.onAuthenticationSuccess(any(), any())).thenAnswer((Answer<Mono<Void>>) invocation -> {
 			WebFilterExchange webFilterExchange = invocation.getArgument(0);
 			Authentication authentication = invocation.getArgument(1);
 			return new RedirectServerAuthenticationSuccessHandler(redirectLocation)
 					.onAuthenticationSuccess(webFilterExchange, authentication);
 		});
 		webTestClient.get()
 			.uri("/login/oauth2/code/github")
 			.exchange()
 			.expectStatus().is3xxRedirection()
 			.expectHeader().valueEquals("Location", redirectLocation);
 		verify(converter).convert(any());
 		verify(manager).authenticate(any());
 		verify(matcher).matches(any());
 		verify(resolver).resolve(any());
 		verify(successHandler).onAuthenticationSuccess(any(), any());
 	}
 	@Configuration
 	static class OAuth2LoginMockAuthenticationManagerInLambdaConfig {
 		ReactiveAuthenticationManager manager = mock(ReactiveAuthenticationManager.class);
 		ServerAuthenticationConverter authenticationConverter = mock(ServerAuthenticationConverter.class);
 		ServerWebExchangeMatcher matcher = mock(ServerWebExchangeMatcher.class);
 		ServerOAuth2AuthorizationRequestResolver resolver = mock(ServerOAuth2AuthorizationRequestResolver.class);
 		ServerAuthenticationSuccessHandler successHandler = mock(ServerAuthenticationSuccessHandler.class);
 		@Bean
 		public SecurityWebFilterChain springSecurityFilter(ServerHttpSecurity http) throws Exception {
 			http
 				.authorizeExchange(exchanges ->
 					exchanges
 						.anyExchange().authenticated()
 				)
 				.oauth2Login(oauth2Login ->
 					oauth2Login
 						.authenticationConverter(authenticationConverter)
 						.authenticationManager(manager)
 						.authenticationMatcher(matcher)
 						.authorizationRequestResolver(resolver)
 						.authenticationSuccessHandler(successHandler)
 				);
 			return http.build();
 		}
 	}
 	@Test
 	public void oauth2LoginWhenCustomBeansThenUsed() {
 		this.spring.register(OAuth2LoginWithMultipleClientRegistrations.class,
--- a/config/src/test/java/org/springframework/security/config/web/server/OAuth2ResourceServerSpecTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/OAuth2ResourceServerSpecTests.java
@ -175,6 +175,27 @@ public class OAuth2ResourceServerSpecTests {
 				.expectHeader().value(HttpHeaders.WWW_AUTHENTICATE, startsWith("Bearer error=\"invalid_token\""));
 	}
 	@Test
 	public void getWhenValidTokenAndPublicKeyInLambdaThenReturnsOk() {
 		this.spring.register(PublicKeyInLambdaConfig.class, RootController.class).autowire();
 		this.client.get()
 				.headers(headers -> headers.setBearerAuth(this.messageReadToken))
 				.exchange()
 				.expectStatus().isOk();
 	}
 	@Test
 	public void getWhenExpiredTokenAndPublicKeyInLambdaThenReturnsInvalidToken() {
 		this.spring.register(PublicKeyInLambdaConfig.class).autowire();
 		this.client.get()
 				.headers(headers -> headers.setBearerAuth(this.expired))
 				.exchange()
 				.expectStatus().isUnauthorized()
 				.expectHeader().value(HttpHeaders.WWW_AUTHENTICATE, startsWith("Bearer error=\"invalid_token\""));
 	}
 	@Test
 	public void getWhenValidUsingPlaceholderThenReturnsOk() {
 		this.spring.register(PlaceholderConfig.class, RootController.class).autowire();
@ -213,6 +234,18 @@ public class OAuth2ResourceServerSpecTests {
 				.expectStatus().isOk();
 	}
 	@Test
 	public void getWhenUsingJwkSetUriInLambdaThenConsultsAccordingly() {
 		this.spring.register(JwkSetUriInLambdaConfig.class, RootController.class).autowire();
 		MockWebServer mockWebServer = this.spring.getContext().getBean(MockWebServer.class);
 		mockWebServer.enqueue(new MockResponse().setBody(this.jwkSet));
 		this.client.get()
 				.headers(headers -> headers.setBearerAuth(this.messageReadTokenWithKid))
 				.exchange()
 				.expectStatus().isOk();
 	}
 	@Test
 	public void getWhenUsingCustomAuthenticationManagerThenUsesItAccordingly() {
@ -230,6 +263,22 @@ public class OAuth2ResourceServerSpecTests {
 				.expectHeader().value(HttpHeaders.WWW_AUTHENTICATE, startsWith("Bearer error=\"mock-failure\""));
 	}
 	@Test
 	public void getWhenUsingCustomAuthenticationManagerInLambdaThenUsesItAccordingly() {
 		this.spring.register(CustomAuthenticationManagerInLambdaConfig.class).autowire();
 		ReactiveAuthenticationManager authenticationManager = this.spring.getContext().getBean(
 				ReactiveAuthenticationManager.class);
 		when(authenticationManager.authenticate(any(Authentication.class)))
 				.thenReturn(Mono.error(new OAuth2AuthenticationException(new OAuth2Error("mock-failure"))));
 		this.client.get()
 				.headers(headers -> headers.setBearerAuth(this.messageReadToken))
 				.exchange()
 				.expectStatus().isUnauthorized()
 				.expectHeader().value(HttpHeaders.WWW_AUTHENTICATE, startsWith("Bearer error=\"mock-failure\""));
 	}
 	@Test
 	public void getWhenUsingCustomAuthenticationManagerResolverThenUsesItAccordingly() {
 		this.spring.register(CustomAuthenticationManagerResolverConfig.class).autowire();
@ -396,6 +445,18 @@ public class OAuth2ResourceServerSpecTests {
 				.expectStatus().isOk();
 	}
 	@Test
 	public void introspectWhenValidAndIntrospectionInLambdaThenReturnsOk() {
 		this.spring.register(IntrospectionInLambdaConfig.class, RootController.class).autowire();
 		this.spring.getContext().getBean(MockWebServer.class)
 				.setDispatcher(requiresAuth(clientId, clientSecret, active));
 		this.client.get()
 				.headers(headers -> headers.setBearerAuth(this.messageReadToken))
 				.exchange()
 				.expectStatus().isOk();
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class PublicKeyConfig {
@ -416,6 +477,30 @@ public class OAuth2ResourceServerSpecTests {
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class PublicKeyInLambdaConfig {
 		@Bean
 		SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.authorizeExchange(exchanges ->
 					exchanges
 						.anyExchange().hasAuthority("SCOPE_message:read")
 				)
 				.oauth2ResourceServer(oauth2ResourceServer ->
 					oauth2ResourceServer
 						.jwt(jwt ->
 							jwt
 								.publicKey(publicKey())
 						)
 				);
 			// @formatter:on
 			return http.build();
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class PlaceholderConfig {
@ -469,6 +554,40 @@ public class OAuth2ResourceServerSpecTests {
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class JwkSetUriInLambdaConfig {
 		private MockWebServer mockWebServer = new MockWebServer();
 		@Bean
 		SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
 			String jwkSetUri = mockWebServer().url("/.well-known/jwks.json").toString();
 			// @formatter:off
 			http
 				.oauth2ResourceServer(oauth2ResourceServer ->
 					oauth2ResourceServer
 						.jwt(jwt ->
 							jwt
 								.jwkSetUri(jwkSetUri)
 						)
 				);
 			// @formatter:on
 			return http.build();
 		}
 		@Bean
 		MockWebServer mockWebServer() {
 			return this.mockWebServer;
 		}
 		@PreDestroy
 		void shutdown() throws IOException {
 			this.mockWebServer.shutdown();
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class CustomDecoderConfig {
@ -531,6 +650,31 @@ public class OAuth2ResourceServerSpecTests {
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class CustomAuthenticationManagerInLambdaConfig {
 		@Bean
 		SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.oauth2ResourceServer(oauth2ResourceServer ->
 					oauth2ResourceServer
 						.jwt(jwt ->
 							jwt
 								.authenticationManager(authenticationManager())
 						)
 				);
 			// @formatter:on
 			return http.build();
 		}
 		@Bean
 		ReactiveAuthenticationManager authenticationManager() {
 			return mock(ReactiveAuthenticationManager.class);
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class CustomAuthenticationManagerResolverConfig {
@ -670,6 +814,41 @@ public class OAuth2ResourceServerSpecTests {
 		}
 	}
 	@EnableWebFlux
 	@EnableWebFluxSecurity
 	static class IntrospectionInLambdaConfig {
 		private MockWebServer mockWebServer = new MockWebServer();
 		@Bean
 		SecurityWebFilterChain springSecurity(ServerHttpSecurity http) throws Exception {
 			String introspectionUri = mockWebServer().url("/introspect").toString();
 			// @formatter:off
 			http
 				.oauth2ResourceServer(oauth2ResourceServer ->
 					oauth2ResourceServer
 						.opaqueToken(opaqueToken ->
 								opaqueToken
 									.introspectionUri(introspectionUri)
 									.introspectionClientCredentials("client", "secret")
 						)
 				);
 			// @formatter:on
 			return http.build();
 		}
 		@Bean
 		MockWebServer mockWebServer() {
 			return this.mockWebServer;
 		}
 		@PreDestroy
 		void shutdown() throws IOException {
 			this.mockWebServer.shutdown();
 		}
 	}
 	@RestController
 	static class RootController {
 		@GetMapping
--- a/config/src/test/java/org/springframework/security/config/web/server/RequestCacheTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/RequestCacheTests.java
@ -34,6 +34,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.server.ServerWebExchange;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * @author Rob Winch
@ -103,6 +104,40 @@ public class RequestCacheTests {
 		securedPage.assertAt();
 	}
 	@Test
 	public void requestWhenCustomRequestCacheInLambdaThenCustomCacheUsed() throws Exception {
 		SecurityWebFilterChain securityWebFilter = this.http
 			.authorizeExchange(authorizeExchange ->
 				authorizeExchange
 					.anyExchange().authenticated()
 			)
 			.formLogin(withDefaults())
 			.requestCache(requestCache ->
 				requestCache
 					.requestCache(NoOpServerRequestCache.getInstance())
 			)
 			.build();
 		WebTestClient webTestClient = WebTestClient
 			.bindToController(new SecuredPageController(), new WebTestClientBuilder.Http200RestController())
 			.webFilter(new WebFilterChainProxy(securityWebFilter))
 			.build();
 		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
 			.webTestClientSetup(webTestClient)
 			.build();
 		DefaultLoginPage loginPage = SecuredPage.to(driver, DefaultLoginPage.class)
 			.assertAt();
 		HomePage securedPage = loginPage.loginForm()
 			.username("user")
 			.password("password")
 			.submit(HomePage.class);
 		securedPage.assertAt();
 	}
 	public static class SecuredPage {
 		private WebDriver driver;
--- a/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
@ -20,8 +20,10 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyZeroInteractions;
 import static org.mockito.Mockito.when;
 import static org.springframework.security.config.Customizer.withDefaults;
 import java.util.Arrays;
 import java.util.List;
@ -36,6 +38,7 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
 import org.springframework.security.web.server.authentication.ServerX509AuthenticationConverter;
 import reactor.core.publisher.Mono;
@ -236,6 +239,19 @@ public class ServerHttpSecurityTests {
 	}
 	@Test
 	public void getWhenAnonymousConfiguredThenAuthenticationIsAnonymous() throws Exception {
 		SecurityWebFilterChain securityFilterChain = this.http.anonymous(withDefaults()).build();
 		WebTestClient client = WebTestClientBuilder.bindToControllerAndWebFilters(AnonymousAuthenticationWebFilterTests.HttpMeController.class,
 				securityFilterChain).build();
 		client.get()
 				.uri("/me")
 				.exchange()
 				.expectStatus().isOk()
 				.expectBody(String.class).isEqualTo("anonymousUser");
 	}
 	@Test
 	public void basicWithAnonymous() {
 		given(this.authenticationManager.authenticate(any())).willReturn(Mono.just(new TestingAuthenticationToken("rob", "rob", "ROLE_USER", "ROLE_ADMIN")));
@ -283,6 +299,31 @@ public class ServerHttpSecurityTests {
 		assertThat(result.getResponseCookies().getFirst("SESSION")).isNull();
 	}
 	@Test
 	public void requestWhenBasicWithRealmNameInLambdaThenRealmNameUsed() throws Exception {
 		this.http.securityContextRepository(new WebSessionServerSecurityContextRepository());
 		HttpBasicServerAuthenticationEntryPoint authenticationEntryPoint = new HttpBasicServerAuthenticationEntryPoint();
 		authenticationEntryPoint.setRealm("myrealm");
 		this.http.httpBasic(httpBasic ->
 				httpBasic.authenticationEntryPoint(authenticationEntryPoint)
 		);
 		this.http.authenticationManager(this.authenticationManager);
 		ServerHttpSecurity.AuthorizeExchangeSpec authorize = this.http.authorizeExchange();
 		authorize.anyExchange().authenticated();
 		WebTestClient client = buildClient();
 		EntityExchangeResult<String> result = client.get()
 				.uri("/")
 				.exchange()
 				.expectStatus().isUnauthorized()
 				.expectHeader().value(HttpHeaders.WWW_AUTHENTICATE, value -> assertThat(value).contains("myrealm"))
 				.expectBody(String.class)
 				.returnResult();
 		assertThat(result.getResponseCookies().getFirst("SESSION")).isNull();
 	}
 	@Test
 	public void basicWithCustomAuthenticationManager() {
 		ReactiveAuthenticationManager customAuthenticationManager = mock(ReactiveAuthenticationManager.class);
@ -302,6 +343,31 @@ public class ServerHttpSecurityTests {
 		verifyZeroInteractions(this.authenticationManager);
 	}
 	@Test
 	public void requestWhenBasicWithAuthenticationManagerInLambdaThenAuthenticationManagerUsed() throws Exception {
 		ReactiveAuthenticationManager customAuthenticationManager = mock(ReactiveAuthenticationManager.class);
 		given(customAuthenticationManager.authenticate(any()))
 				.willReturn(Mono.just(new TestingAuthenticationToken("rob", "rob", "ROLE_USER", "ROLE_ADMIN")));
 		SecurityWebFilterChain securityFilterChain = this.http
 				.httpBasic(httpBasic ->
 						httpBasic.authenticationManager(customAuthenticationManager)
 				)
 				.build();
 		WebFilterChainProxy springSecurityFilterChain = new WebFilterChainProxy(securityFilterChain);
 		WebTestClient client = WebTestClientBuilder.bindToWebFilters(springSecurityFilterChain).build();
 		client.get()
 				.uri("/")
 				.headers(headers -> headers.setBasicAuth("rob", "rob"))
 				.exchange()
 				.expectStatus().isOk()
 				.expectBody(String.class).consumeWith(b -> assertThat(b.getResponseBody()).isEqualTo("ok"));
 		verifyZeroInteractions(this.authenticationManager);
 		verify(customAuthenticationManager).authenticate(any(Authentication.class));
 	}
 	@Test
 	@SuppressWarnings("unchecked")
 	public void addsX509FilterWhenX509AuthenticationIsConfigured() {
@ -319,6 +385,23 @@ public class ServerHttpSecurityTests {
 		assertThat(x509WebFilter).isNotNull();
 	}
 	@Test
 	public void x509WhenCustomizedThenAddsX509Filter() throws Exception {
 		X509PrincipalExtractor mockExtractor = mock(X509PrincipalExtractor.class);
 		ReactiveAuthenticationManager mockAuthenticationManager = mock(ReactiveAuthenticationManager.class);
 		this.http.x509(x509 ->
 				x509
 					.principalExtractor(mockExtractor)
 					.authenticationManager(mockAuthenticationManager)
 				);
 		SecurityWebFilterChain securityWebFilterChain = this.http.build();
 		WebFilter x509WebFilter = securityWebFilterChain.getWebFilters().filter(this::isX509Filter).blockFirst();
 		assertThat(x509WebFilter).isNotNull();
 	}
 	@Test
 	public void addsX509FilterWhenX509AuthenticationIsConfiguredWithDefaults() {
 		this.http.x509();
@ -329,6 +412,46 @@ public class ServerHttpSecurityTests {
 		assertThat(x509WebFilter).isNotNull();
 	}
 	@Test
 	public void x509WhenDefaultsThenAddsX509Filter() throws Exception {
 		this.http.x509(withDefaults());
 		SecurityWebFilterChain securityWebFilterChain = this.http.build();
 		WebFilter x509WebFilter = securityWebFilterChain.getWebFilters().filter(this::isX509Filter).blockFirst();
 		assertThat(x509WebFilter).isNotNull();
 	}
 	@Test
 	public void postWhenCsrfDisabledThenPermitted() throws Exception {
 		SecurityWebFilterChain securityFilterChain = this.http.csrf(csrf -> csrf.disable()).build();
 		WebFilterChainProxy springSecurityFilterChain = new WebFilterChainProxy(securityFilterChain);
 		WebTestClient client = WebTestClientBuilder.bindToWebFilters(springSecurityFilterChain).build();
 		client.post()
 				.uri("/")
 				.exchange()
 				.expectStatus().isOk();
 	}
 	@Test
 	public void postWhenCustomCsrfTokenRepositoryThenUsed() throws Exception {
 		ServerCsrfTokenRepository customServerCsrfTokenRepository = mock(ServerCsrfTokenRepository.class);
 		when(customServerCsrfTokenRepository.loadToken(any(ServerWebExchange.class))).thenReturn(Mono.empty());
 		SecurityWebFilterChain securityFilterChain = this.http
 				.csrf(csrf -> csrf.csrfTokenRepository(customServerCsrfTokenRepository))
 				.build();
 		WebFilterChainProxy springSecurityFilterChain = new WebFilterChainProxy(securityFilterChain);
 		WebTestClient client = WebTestClientBuilder.bindToWebFilters(springSecurityFilterChain).build();
 		client.post()
 				.uri("/")
 				.exchange()
 				.expectStatus().isForbidden();
 		verify(customServerCsrfTokenRepository).loadToken(any());
 	}
 	private boolean isX509Filter(WebFilter filter) {
 		try {
 			Object converter = ReflectionTestUtils.getField(filter, "authenticationConverter");
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/cors.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/cors.adoc
@ -28,10 +28,10 @@ The following will disable the CORS integration within Spring Security:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.cors().disable();
+		.cors(cors -> cors.disable());
 	return http.build();
 }
 ----
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/headers.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/headers.adoc
@ -53,12 +53,20 @@ You can easily do this with the following Java Configuration:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.hsts().disable()
+			headers
-			.frameOptions().mode(Mode.SAMEORIGIN);
+				.hsts(hsts ->
 					hsts
 						.disable()
 				)
 				.frameOptions(frameOptions ->
 					frameOptions
 						.mode(Mode.SAMEORIGIN)
 				)
 		);
 	return http.build();
 }
 ----
@ -72,11 +80,13 @@ If necessary, you can disable all of the HTTP Security response headers with the
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.disable();
+			headers
 				.disable()
 		);
 	return http.build();
 }
 ----
@ -104,11 +114,13 @@ You can also disable cache control using the following Java Configuration:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.cache().disable();
+			headers
 				.cache(cache -> cache.disable())
 		);
 	return http.build();
 }
 ----
@ -143,11 +155,13 @@ However, if need to disable the header, the following may be used:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.contentTypeOptions().disable();
+			headers
 				.contentTypeOptions(contentTypeOptions -> contentTypeOptions.disable())
 		);
 	return http.build();
 }
 ----
@ -188,14 +202,18 @@ You can customize HSTS headers with Java Configuration:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.hsts()
+			headers
-				.includeSubdomains(true)
+				.hsts(hsts ->
-				.preload(true)
+					hsts
-				.maxAge(Duration.ofDays(365));
+						.includeSubdomains(true)
 						.preload(true)
 						.maxAge(Duration.ofDays(365))
 				)
 		);
 	return http.build();
 }
 ----
@ -232,12 +250,16 @@ You can customize X-Frame-Options with Java Configuration using the following:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.frameOptions()
+			headers
-				.mode(SAMEORIGIN);
+				.frameOptions(frameOptions ->
 					frameOptions
 						.mode(SAMEORIGIN)
 				)
 		);
 	return http.build();
 }
 ----
@ -264,12 +286,13 @@ However, we can customize with Java Configuration with the following:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.xssProtection()
+			headers
-				.disable();
+				.xssProtection(xssProtection -> xssProtection.disable())
 		);
 	return http.build();
 }
 ----
@ -345,11 +368,16 @@ You can enable the CSP header using Java configuration as shown below:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
+			headers
 				.contentSecurityPolicy(contentSecurityPolicy ->
 					contentSecurityPolicy
 						.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
 				)
 		);
 	return http.build();
 }
 ----
@ -359,12 +387,17 @@ To enable the CSP _'report-only'_ header, provide the following Java configurati
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
+			headers
-			.reportOnly();
+				.contentSecurityPolicy(contentSecurityPolicy ->
 					contentSecurityPolicy
 						.policyDirectives("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
 						.reportOnly()
 				)
 		);
 	return http.build();
 }
 ----
@ -405,11 +438,16 @@ You can enable the Referrer-Policy header using Java configuration as shown belo
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.referrerPolicy(ReferrerPolicy.SAME_ORIGIN);
+			headers
 				.referrerPolicy(referrerPolicy ->
 					referrerPolicy
 						.policy(ReferrerPolicy.SAME_ORIGIN)
 				)
 		);
 	return http.build();
 }
 ----
@ -438,11 +476,13 @@ You can enable the Feature-Policy header using Java configuration as shown below
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.headers()
+		.headers(headers ->
-			.featurePolicy("geolocation 'self'");
+			headers
 				.featurePolicy("geolocation 'self'")
 		);
 	return http.build();
 }
 ----
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/method.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/method.adoc
@ -88,10 +88,11 @@ public class SecurityConfig {
 		return http
 			// Demonstrate that method security works
 			// Best practice to use both for defense in depth
-			.authorizeExchange()
+			.authorizeExchange(exchanges ->
-				.anyExchange().permitAll()
+				exchanges
-				.and()
+					.anyExchange().permitAll()
-			.httpBasic().and()
+			)
 			.httpBasic(withDefaults())
 			.build();
 	}
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/access-token.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/access-token.adoc
@ -27,7 +27,7 @@ The next step is to instruct Spring Security that you wish to act as an OAuth2 C
 SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.oauth2Client();
+		.oauth2Client(withDefaults());
 	return http.build();
 }
 ----
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc
@ -128,10 +128,10 @@ ReactiveClientRegistrationRepository clientRegistrations() {
 }
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.oauth2Login();
+		.oauth2Login(withDefaults());
 	return http.build();
 }
 ----
@ -141,14 +141,16 @@ Additional configuration options can be seen below:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.oauth2Login()
+		.oauth2Login(oauth2Login ->
-			.authenticationConverter(converter)
+			oauth2Login
-			.authenticationManager(manager)
+				.authenticationConverter(converter)
-			.authorizedClientRepository(authorizedClients)
+				.authenticationManager(manager)
-			.clientRegistrationRepository(clientRegistrations);
+				.authorizedClientRepository(authorizedClients)
 				.clientRegistrationRepository(clientRegistrations)
 		);
 	return http.build();
 }
 ----
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/resource-server.adoc
@ -121,14 +121,17 @@ The first is a `SecurityWebFilterChain` that configures the app as a resource se
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
-    http
+	http
-        .authorizeExchange()
+		.authorizeExchange(exchanges ->
-            .anyExchange().authenticated()
+			exchanges
-            .and()
+				.anyExchange().authenticated()
-        .oauth2ResourceServer()
+		)
-            .jwt();
+		.oauth2ResourceServer(oauth2ResourceServer ->
-    return http.build();
+			oauth2ResourceServer
 				.jwt(withDefaults())
 		);
 	return http.build();
 }
 ----
@ -139,14 +142,17 @@ Replacing this is as simple as exposing the bean within the application:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
-		.authorizeExchange()
+		.authorizeExchange(exchanges ->
-			.pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
+			exchanges
-			.anyExchange().authenticated()
+				.pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
-			.and()
+				.anyExchange().authenticated()
-		.oauth2ResourceServer()
+		)
-			.jwt();
+		.oauth2ResourceServer(oauth2ResourceServer ->
 			oauth2ResourceServer
 				.jwt(withDefaults())
 		);
 	return http.build();
 }
 ----
@ -177,15 +183,20 @@ An authorization server's JWK Set Uri can be configured <<webflux-oauth2-resourc
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
-    http
+	http
-        .authorizeExchange()
+		.authorizeExchange(exchanges ->
-            .anyExchange().authenticated()
+			exchanges
-            .and()
+				.anyExchange().authenticated()
-        .oauth2ResourceServer()
+		)
-            .jwt()
+		.oauth2ResourceServer(oauth2ResourceServer ->
-                .jwkSetUri("https://idp.example.com/.well-known/jwks.json");
+			oauth2ResourceServer
-    return http.build();
+				.jwt(jwt ->
 					jwt
 						.jwkSetUri("https://idp.example.com/.well-known/jwks.json")
 				)
 		);
 	return http.build();
 }
 ----
@ -199,14 +210,19 @@ More powerful than `jwkSetUri()` is `decoder()`, which will completely replace a
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
-    http
+	http
-        .authorizeExchange()
+		.authorizeExchange(exchanges ->
-            .anyExchange().authenticated()
+			exchanges
-            .and()
+				.anyExchange().authenticated()
-        .oauth2ResourceServer()
+		)
-            .jwt()
+		.oauth2ResourceServer(oauth2ResourceServer ->
-                .decoder(myCustomDecoder());
+			oauth2ResourceServer
 				.jwt(jwt ->
 					jwt
 						.decoder(myCustomDecoder())
 				)
 		);
    return http.build();
 }
 ----
@ -240,15 +256,18 @@ This means that to protect an endpoint or method with a scope derived from a JWT
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
-    http
+	http
-        .authorizeExchange()
+		.authorizeExchange(exchanges ->
-            .mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
+			exchanges
-            .mvcMatchers("/messages/**").hasAuthority("SCOPE_messages")
+				.mvcMatchers("/contacts/**").hasAuthority("SCOPE_contacts")
-            .anyExchange().authenticated()
+				.mvcMatchers("/messages/**").hasAuthority("SCOPE_messages")
-            .and()
+				.anyExchange().authenticated()
-        .oauth2ResourceServer()
+		)
-            .jwt();
+		.oauth2ResourceServer(oauth2ResourceServer ->
 			oauth2ResourceServer
 				.jwt(withDefaults())
 		);
    return http.build();
 }
 ----
@ -273,15 +292,20 @@ To this end, the DSL exposes `jwtAuthenticationConverter()`:
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
-    http
+	http
-        .authorizeExchange()
+		.authorizeExchange(exchanges ->
-            .anyExchange().authenticated()
+			exchanges
-            .and()
+				.anyExchange().authenticated()
-        .oauth2ResourceServer()
+		)
-            .jwt()
+		.oauth2ResourceServer(oauth2ResourceServer ->
-                .jwtAuthenticationConverter(grantedAuthoritiesExtractor());
+			oauth2ResourceServer
-    return http.build();
+				.jwt(jwt ->
 					jwt
 						.jwtAuthenticationConverter(grantedAuthoritiesExtractor())
 				)
 		);
 	return http.build();
 }
 Converter<Jwt, Mono<AbstractAuthenticationToken>> grantedAuthoritiesExtractor() {
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc
@ -7,10 +7,10 @@ Spring Security can be configured to perform a redirect to https using the follo
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.redirectToHttps();
+		.redirectToHttps(withDefaults());
 	return http.build();
 }
 ----
@ -22,11 +22,13 @@ For example, if the production environment adds a header named `X-Forwarded-Prot
 [source,java]
 ----
@Bean
-SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 	http
 		// ...
-		.redirectToHttps()
+		.redirectToHttps(redirectToHttps ->
-			.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"));
+			redirectToHttps
 				.httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
 		);
 	return http.build();
 }
 ----
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc
@ -52,13 +52,14 @@ public class HelloWebfluxSecurityConfig {
 	}
 	@Bean
-	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 		http
-			.authorizeExchange()
+			.authorizeExchange(exchanges ->
-				.anyExchange().authenticated()
+				exchanges
-				.and()
+					.anyExchange().authenticated()
-			.httpBasic().and()
+			)
-			.formLogin();
+			.httpBasic(withDefaults())
 			.formLogin(withDefaults());
 		return http.build();
 	}
 }
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/x509.adoc
@ -7,14 +7,14 @@ Below is an example of a reactive x509 security configuration:
 [source,java]
 ----
@Bean
-public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) throws Exception {
-    http
+	http
-        .x509()
+		.x509(withDefaults())
-        .and()
+		.authorizeExchange(exchanges ->
-        .authorizeExchange()
+			exchanges
-            .anyExchange().permitAll();
+				.anyExchange().permitAll()
-
+		);
-    return http.build();
+	return http.build();
 }
 ----
@ -25,28 +25,28 @@ The next example demonstrates how these defaults can be overridden.
 [source,java]
 ----
@Bean
-public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) throws Exception {
-    SubjectDnX509PrincipalExtractor principalExtractor =
+	SubjectDnX509PrincipalExtractor principalExtractor =
-            new SubjectDnX509PrincipalExtractor();
+	        new SubjectDnX509PrincipalExtractor();
-
+
-    principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");
+	principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");
-
+
-    ReactiveAuthenticationManager authenticationManager = authentication -> {
+	ReactiveAuthenticationManager authenticationManager = authentication -> {
-        authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));
+		authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));
-        return Mono.just(authentication);
+		return Mono.just(authentication);
-    };
+	};
-
+
-    // @formatter:off
+	http
-    http
+		.x509(x509 ->
-        .x509()
+			x509
-            .principalExtractor(principalExtractor)
+				.principalExtractor(principalExtractor)
-            .authenticationManager(authenticationManager)
+				.authenticationManager(authenticationManager)
-        .and()
+		)
-            .authorizeExchange()
+		.authorizeExchange(exchanges ->
-            .anyExchange().authenticated();
+			exchanges
-    // @formatter:on
+				.anyExchange().authenticated()
-
+		);
-    return http.build();
+	return http.build();
 }
 ----
--- a/samples/boot/hellowebflux-method/src/main/java/sample/SecurityConfig.java
+++ b/samples/boot/hellowebflux-method/src/main/java/sample/SecurityConfig.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -25,6 +25,8 @@ import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * @author Rob Winch
 * @since 5.0
@ -38,10 +40,11 @@ public class SecurityConfig {
 		return http
 			// Demonstrate that method security works
 			// Best practice to use both for defense in depth
-			.authorizeExchange()
+			.authorizeExchange(exchanges ->
-				.anyExchange().permitAll()
+				exchanges
-				.and()
+					.anyExchange().permitAll()
-			.httpBasic().and()
+			)
 			.httpBasic(withDefaults())
 			.build();
 	}
--- a/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/SecurityConfig.java
+++ b/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/SecurityConfig.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -21,6 +21,8 @@ import org.springframework.security.config.annotation.web.reactive.EnableWebFlux
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * @author Rob Winch
 * @since 5.1
@ -31,12 +33,15 @@ public class SecurityConfig {
 	@Bean
 	SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 		http
-			.authorizeExchange()
+			.authorizeExchange(exchanges ->
-				.pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
+				exchanges
-				.anyExchange().authenticated()
+					.pathMatchers("/message/**").hasAuthority("SCOPE_message:read")
-				.and()
+					.anyExchange().authenticated()
-			.oauth2ResourceServer()
+			)
-				.jwt();
+			.oauth2ResourceServer(oauth2ResourceServer ->
 				oauth2ResourceServer
 					.jwt(withDefaults())
 			);
 		return http.build();
 	}
 }
--- a/samples/boot/oauth2webclient-webflux/src/main/java/sample/config/SecurityConfig.java
+++ b/samples/boot/oauth2webclient-webflux/src/main/java/sample/config/SecurityConfig.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -23,6 +23,8 @@ import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * @author Rob Winch
 */
@ -32,15 +34,14 @@ public class SecurityConfig {
 	@Bean
 	SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
 		http
-			.authorizeExchange()
+			.authorizeExchange(exchanges ->
-				.pathMatchers("/", "/public/**").permitAll()
+				exchanges
-				.anyExchange().authenticated()
+					.pathMatchers("/", "/public/**").permitAll()
-				.and()
+					.anyExchange().authenticated()
-			.oauth2Login()
+			)
-				.and()
+			.oauth2Login(withDefaults())
-			.formLogin()
+			.formLogin(withDefaults())
-				.and()
+			.oauth2Client(withDefaults());
 			.oauth2Client();
 		return http.build();
 	}
--- a/samples/boot/webflux-form/src/main/java/sample/WebfluxFormSecurityConfig.java
+++ b/samples/boot/webflux-form/src/main/java/sample/WebfluxFormSecurityConfig.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -24,6 +24,8 @@ import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * @author Rob Winch
 * @since 5.0
@ -42,15 +44,18 @@ public class WebfluxFormSecurityConfig {
 	}
 	@Bean
-	SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+	SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
 		http
-			.authorizeExchange()
+			.authorizeExchange(exchanges ->
-				.pathMatchers("/login").permitAll()
+				exchanges
-				.anyExchange().authenticated()
+					.pathMatchers("/login").permitAll()
-				.and()
+					.anyExchange().authenticated()
-			.httpBasic().and()
+			)
-			.formLogin()
+			.httpBasic(withDefaults())
-				.loginPage("/login");
+			.formLogin(formLogin ->
 				formLogin
 					.loginPage("/login")
 			);
 		return http.build();
 	}
 }
--- a/samples/boot/webflux-x509/src/main/java/sample/WebfluxX509Application.java
+++ b/samples/boot/webflux-x509/src/main/java/sample/WebfluxX509Application.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -25,6 +25,8 @@ import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import static org.springframework.security.config.Customizer.withDefaults;
 /**
 * @author Alexey Nesterov
 * @since 5.2
@ -40,13 +42,14 @@ public class WebfluxX509Application {
 	}
 	@Bean
-	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+	public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) throws Exception {
 		// @formatter:off
 		http
-			.x509()
+			.x509(withDefaults())
-				.and()
+			.authorizeExchange(exchanges ->
-				.authorizeExchange()
+				exchanges
-				.anyExchange().authenticated();
+					.anyExchange().authenticated()
 			);
 		// @formatter:on
 		return http.build();