Spring-boot: Provide EndpointRequest for configuring WebFlux-based Security

Created on 14 Nov 2017  路  7Comments  路  Source: spring-projects/spring-boot

Using Spring Boot, SpringMVC and Spring Security I can configure the security part of my Spring Boot app as follows: 

...requestMatchers(EndpointRequest.to("status", "info"))...

Now, I'm migrating from SpringMVC to Spring WebFlux. I see that I've to use pathMatchers() instead of requestMatchers from Spring Security. However, EndpointRequest is depending on HttpServletRequest (and thus on Spring MVC).
In https://stackoverflow.com/questions/47287312/spring-security-with-webflux-how-to-migrate-requestmatchersendpointrequest-to#comment-81531115 @bclozel suggests to open an issue.

enhancement
Source
picture juergenzimmermann

Most helpful comment

I don't think it can be dangerous so to speak. Even if the name is the same, one gives you a RequestMatcher and the reactive on would provide a ServerWebExchangeMatcher.

picture mbhave on 9 Jan 2018
👍2

All 7 comments

Indeed we'll need a ServerWebExchangeMatcher version and to probably rename EndpointRequest to EndpointServletRequest.

philwebb picture philwebb on 16 Nov 2017

See https://jira.spring.io/browse/SPR-16298

mbhave picture mbhave on 13 Dec 2017

Looks like SPR-16298 has been marked as resolved.

philwebb picture philwebb on 8 Jan 2018
👍1

I guess we're going to need to make a ServerWebExchangeMatcher for this so we can do something like:

public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http.authorizeExchange().matchers(ReactiveEndpointRequest.to(...)

It's a bit annoying that we'll probably two different classes that virtually do the same thing. Perhaps we should introduce a servlet and reactive package and just use the same names.

philwebb picture philwebb on 8 Jan 2018

yeah, I'm not a fan of introducing ReactiveEndpointRequest and ServletEndpointRequest . Separate packages with the same name sounds better to me.

mbhave picture mbhave on 9 Jan 2018

Isn't that a bit dangerous if the contract is the same? You may end up importing the wrong class.

snicoll picture snicoll on 9 Jan 2018

I don't think it can be dangerous so to speak. Even if the name is the same, one gives you a RequestMatcher and the reactive on would provide a ServerWebExchangeMatcher.

mbhave picture mbhave on 9 Jan 2018
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

izeye picture izeye  路  3Comments
alimate picture alimate  路  3Comments
wilkinsona picture wilkinsona  路  3Comments
prasenjit-net picture prasenjit-net  路  3Comments
snicoll picture snicoll  路  3Comments