Skip to content

Spring WebFlux Reactive Security Pattern

Example: Reactive Security Configuration

java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableReactiveMethodSecurity
public class SecurityConfig {
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange()
                .pathMatchers("/public/**").permitAll()
                .pathMatchers("/admin/**").hasRole("ADMIN")
                .anyExchange().authenticated()
            .and()
            .formLogin()
            .and()
            .httpBasic()
            .and()
            .csrf().disable()
            .build();
    }
}

Guidelines

  • Use SecurityWebFilterChain bean for configuration (no WebSecurityConfigurerAdapter in WebFlux).
  • Use @EnableReactiveMethodSecurity for method-level security.
  • Use Mono/Flux for authentication and authorization logic.
  • Prefer stateless security for APIs (JWT, OAuth2).
  • Use CSRF protection for browser-based apps; disable for APIs if not needed.
  • Store secrets and credentials securely.
  • Use reactive authentication and authorization managers for custom logic.

References

Copyright © MSG Systems Romania AI Labs