๐ Table of Contents:
- Why Reactive Security?
- Spring Security + WebFlux Basics
- Dependencies for Reactive Security
- Creating a Reactive Security Configuration
- Adding JWT Support
- Custom Authentication Manager
- Securing Routes Based on Roles
- Final Thoughts
๐ 1. Why Reactive Security?
Traditional FilterChain-based security wonโt work effectively in a reactive pipeline. Spring Security for WebFlux provides a reactive security chain using non-blocking authentication, authorization, and session handling.
Benefits:
- Works with Mono/Flux pipelines
- Stateless JWT support
- Non-blocking security filters
๐งฑ 2. Spring Security + WebFlux Basics
Spring Security introduces a different model for reactive apps:
SecurityWebFilterChainreplacesHttpSecurity- Stateless by default
- Can use
ReactiveAuthenticationManager
๐ฆ 3. Dependencies for Reactive Security
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-webflux</artifactId> </dependency> <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.9.1</version> </dependency> |
๐งฉ 4. Creating a Reactive Security Configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
package com.kscodes.springboot.reactive.security; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.web.server.SecurityWebFilterChain; @Configuration public class SecurityConfig { @Bean public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http .csrf(ServerHttpSecurity.CsrfSpec::disable) .authorizeExchange(exchanges -> exchanges .pathMatchers("/auth/**").permitAll() .anyExchange().authenticated() ) .httpBasic().disable() .formLogin().disable() .build(); } } |
๐ 5. Adding JWT Support
Token Utility
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
package com.kscodes.springboot.reactive.util; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import java.util.Date; public class JwtUtil { private static final String SECRET_KEY = "kscodesSecretKey"; public static String generateToken(String username) { return Jwts.builder() .setSubject(username) .setIssuedAt(new Date()) .setExpiration(new Date(System.currentTimeMillis() + 3600000)) // 1 hr .signWith(SignatureAlgorithm.HS256, SECRET_KEY) .compact(); } public static String extractUsername(String token) { return Jwts.parser() .setSigningKey(SECRET_KEY) .parseClaimsJws(token) .getBody() .getSubject(); } } |
๐ฎโโ๏ธ 6. Custom Authentication Manager
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
package com.kscodes.springboot.reactive.security; import com.kscodes.springboot.reactive.util.JwtUtil; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.web.server.authentication.ServerAuthenticationConverter; import org.springframework.stereotype.Component; import reactor.core.publisher.Mono; import java.util.List; @Component public class JwtAuthenticationConverter implements ServerAuthenticationConverter { @Override public Mono<Authentication> convert(org.springframework.web.server.ServerWebExchange exchange) { String token = exchange.getRequest().getHeaders().getFirst("Authorization"); if (token != null && token.startsWith("Bearer ")) { String username = JwtUtil.extractUsername(token.substring(7)); return Mono.just( new UsernamePasswordAuthenticationToken( username, null, List.of(new SimpleGrantedAuthority("ROLE_USER")) ) ); } return Mono.empty(); } } |
You can inject this converter using .authenticationManager(...) in the filter chain.
๐ 7. Securing Routes Based on Roles
|
1 2 3 4 5 6 7 8 |
.authorizeExchange(exchanges -> exchanges .pathMatchers("/auth/**").permitAll() .pathMatchers("/admin/**").hasRole("ADMIN") .anyExchange().authenticated() ) |
โ 8. Final Thoughts
Reactive Security with Spring WebFlux is a powerful way to secure APIs while staying fully non-blocking. With JWT, custom filters, and fine-grained route protection, your application will remain scalable and secure.