Support nested builder in DSL for reactive apps

Fixes: gh-7107

Author: eleftherias

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -92,6 +92,39 @@ public void antMatchersWhenPatternsThenAnyMethod() {
 			.expectStatus().isUnauthorized();
 	}
 
+	@Test
+	public void antMatchersWhenPatternsInLambdaThenAnyMethod() throws Exception {
+		this.http
+			.csrf(ServerHttpSecurity.CsrfSpec::disable)
+			.authorizeExchange(exchanges ->
+				exchanges
+					.pathMatchers("/a", "/b").denyAll()
+					.anyExchange().permitAll()
+			);
+
+		WebTestClient client = buildClient();
+
+		client.get()
+			.uri("/a")
+			.exchange()
+			.expectStatus().isUnauthorized();
+
+		client.get()
+			.uri("/b")
+			.exchange()
+			.expectStatus().isUnauthorized();
+
+		client.post()
+			.uri("/a")
+			.exchange()
+			.expectStatus().isUnauthorized();
+
+		client.post()
+			.uri("/b")
+			.exchange()
+			.expectStatus().isUnauthorized();
+	}
+
 	@Test(expected = IllegalStateException.class)
 	public void antMatchersWhenNoAccessAndAnotherMatcherThenThrowsException() {
 		this.http
@@ -117,6 +150,16 @@ public void buildWhenMatcherDefinedWithNoAccessThenThrowsException() {
 		this.http.build();
 	}
 
+	@Test(expected = IllegalStateException.class)
+	public void buildWhenMatcherDefinedWithNoAccessInLambdaThenThrowsException() throws Exception {
+		this.http
+			.authorizeExchange(exchanges ->
+				exchanges
+					.pathMatchers("/incomplete")
+			);
+		this.http.build();
+	}
+
 	private WebTestClient buildClient() {
 		return WebTestClientBuilder.bindToWebFilters(this.http.build()).build();
 	}

config/src/test/java/org/springframework/security/config/web/server/AuthorizeExchangeSpecTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -74,6 +74,14 @@ public void corsWhenEnabledThenAccessControlAllowOriginAndSecurityHeaders() {
 		assertHeaders();
 	}
 
+	@Test
+	public void corsWhenEnabledInLambdaThenAccessControlAllowOriginAndSecurityHeaders() throws Exception {
+		this.http.cors(cors -> cors.configurationSource(this.source));
+		this.expectedHeaders.set("Access-Control-Allow-Origin", "*");
+		this.expectedHeaders.set("X-Frame-Options", "DENY");
+		assertHeaders();
+	}
+
 	@Test
 	public void corsWhenCorsConfigurationSourceBeanThenAccessControlAllowOriginAndSecurityHeaders() {
 		when(this.context.getBeanNamesForType(any(ResolvableType.class))).thenReturn(new String[] {"source"}, new String[0]);

config/src/test/java/org/springframework/security/config/web/server/CorsSpecTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,8 @@
 import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
 import org.springframework.test.web.reactive.server.WebTestClient;
 
+import static org.springframework.security.config.Customizer.withDefaults;
+
 /**
  * @author Denys Ivano
  * @since 5.0.5
@@ -56,6 +58,29 @@ public void defaultAuthenticationEntryPoint() {
 			.expectHeader().valueMatches("WWW-Authenticate", "Basic.*");
 	}
 
+	@Test
+	public void requestWhenExceptionHandlingWithDefaultsInLambdaThenDefaultAuthenticationEntryPointUsed()
+			throws Exception {
+		SecurityWebFilterChain securityWebFilter = this.http
+			.authorizeExchange(exchanges ->
+				exchanges
+					.anyExchange().authenticated()
+			)
+			.exceptionHandling(withDefaults())
+			.build();
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(securityWebFilter)
+			.build();
+
+		client
+			.get()
+			.uri("/test")
+			.exchange()
+			.expectStatus().isUnauthorized()
+			.expectHeader().valueMatches("WWW-Authenticate", "Basic.*");
+	}
+
 	@Test
 	public void customAuthenticationEntryPoint() {
 		SecurityWebFilterChain securityWebFilter = this.http
@@ -80,6 +105,31 @@ public void customAuthenticationEntryPoint() {
 			.expectHeader().valueMatches("Location", ".*");
 	}
 
+	@Test
+	public void requestWhenCustomAuthenticationEntryPointInLambdaThenCustomAuthenticationEntryPointUsed() throws Exception {
+		SecurityWebFilterChain securityWebFilter = this.http
+				.authorizeExchange(exchanges ->
+					exchanges
+						.anyExchange().authenticated()
+				)
+				.exceptionHandling(exceptionHandling ->
+					exceptionHandling
+						.authenticationEntryPoint(redirectServerAuthenticationEntryPoint("/auth"))
+				)
+				.build();
+
+		WebTestClient client = WebTestClientBuilder
+			.bindToWebFilters(securityWebFilter)
+			.build();
+
+		client
+			.get()
+			.uri("/test")
+			.exchange()
+			.expectStatus().isFound()
+			.expectHeader().valueMatches("Location", ".*");
+	}
+
 	@Test
 	public void defaultAccessDeniedHandler() {
 		SecurityWebFilterChain securityWebFilter = this.http
@@ -104,6 +154,30 @@ public void defaultAccessDeniedHandler() {
 			.expectStatus().isForbidden();
 	}
 
+	@Test
+	public void requestWhenExceptionHandlingWithDefaultsInLambdaThenDefaultAccessDeniedHandlerUsed()
+			throws Exception {
+		SecurityWebFilterChain securityWebFilter = this.http
+				.httpBasic(withDefaults())
+				.authorizeExchange(exchanges ->
+					exchanges
+						.anyExchange().hasRole("ADMIN")
+				)
+				.exceptionHandling(withDefaults())
+				.build();
+
+		WebTestClient client = WebTestClientBuilder
+				.bindToWebFilters(securityWebFilter)
+				.build();
+
+		client
+				.get()
+				.uri("/admin")
+				.headers(headers -> headers.setBasicAuth("user", "password"))
+				.exchange()
+				.expectStatus().isForbidden();
+	}
+
 	@Test
 	public void customAccessDeniedHandler() {
 		SecurityWebFilterChain securityWebFilter = this.http
@@ -129,6 +203,33 @@ public void customAccessDeniedHandler() {
 			.expectStatus().isBadRequest();
 	}
 
+	@Test
+	public void requestWhenCustomAccessDeniedHandlerInLambdaThenCustomAccessDeniedHandlerUsed()
+			throws Exception {
+		SecurityWebFilterChain securityWebFilter = this.http
+				.httpBasic(withDefaults())
+				.authorizeExchange(exchanges ->
+						exchanges
+								.anyExchange().hasRole("ADMIN")
+				)
+				.exceptionHandling(exceptionHandling ->
+					exceptionHandling
+						.accessDeniedHandler(httpStatusServerAccessDeniedHandler(HttpStatus.BAD_REQUEST))
+				)
+				.build();
+
+		WebTestClient client = WebTestClientBuilder
+				.bindToWebFilters(securityWebFilter)
+				.build();
+
+		client
+				.get()
+				.uri("/admin")
+				.headers(headers -> headers.setBasicAuth("user", "password"))
+				.exchange()
+				.expectStatus().isBadRequest();
+	}
+
 	private ServerAuthenticationEntryPoint redirectServerAuthenticationEntryPoint(String location) {
 		return new RedirectServerAuthenticationEntryPoint(location);
 	}

config/src/test/java/org/springframework/security/config/web/server/ExceptionHandlingSpecTests.java

@@ -46,6 +46,7 @@
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.springframework.security.config.Customizer.withDefaults;
 
 /**
  * @author Rob Winch
@@ -96,6 +97,49 @@ public void defaultLoginPage() {
 			.assertLogout();
 	}
 
+	@Test
+	public void formLoginWhenDefaultsInLambdaThenCreatesDefaultLoginPage() throws Exception {
+		SecurityWebFilterChain securityWebFilter = this.http
+			.authorizeExchange(exchanges ->
+				exchanges
+					.anyExchange().authenticated()
+			)
+			.formLogin(withDefaults())
+			.build();
+
+		WebTestClient webTestClient = WebTestClientBuilder
+			.bindToWebFilters(securityWebFilter)
+			.build();
+
+		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+			.webTestClientSetup(webTestClient)
+			.build();
+
+		DefaultLoginPage loginPage = HomePage.to(driver, DefaultLoginPage.class)
+			.assertAt();
+
+		loginPage = loginPage.loginForm()
+			.username("user")
+			.password("invalid")
+			.submit(DefaultLoginPage.class)
+			.assertError();
+
+		HomePage homePage = loginPage.loginForm()
+			.username("user")
+			.password("password")
+			.submit(HomePage.class);
+
+		homePage.assertAt();
+
+		loginPage = DefaultLogoutPage.to(driver)
+			.assertAt()
+			.logout();
+
+		loginPage
+			.assertAt()
+			.assertLogout();
+	}
+
 	@Test
 	public void customLoginPage() {
 		SecurityWebFilterChain securityWebFilter = this.http
@@ -128,6 +172,40 @@ public void customLoginPage() {
 		homePage.assertAt();
 	}
 
+	@Test
+	public void formLoginWhenCustomLoginPageInLambdaThenUsed() throws Exception {
+		SecurityWebFilterChain securityWebFilter = this.http
+			.authorizeExchange(exchanges ->
+				exchanges
+					.pathMatchers("/login").permitAll()
+					.anyExchange().authenticated()
+			)
+			.formLogin(formLogin ->
+				formLogin
+					.loginPage("/login")
+			)
+			.build();
+
+		WebTestClient webTestClient = WebTestClient
+			.bindToController(new CustomLoginPageController(), new WebTestClientBuilder.Http200RestController())
+			.webFilter(new WebFilterChainProxy(securityWebFilter))
+			.build();
+
+		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
+			.webTestClientSetup(webTestClient)
+			.build();
+
+		CustomLoginPage loginPage = HomePage.to(driver, CustomLoginPage.class)
+			.assertAt();
+
+		HomePage homePage = loginPage.loginForm()
+			.username("user")
+			.password("password")
+			.submit(HomePage.class);
+
+		homePage.assertAt();
+	}
+
 	@Test
 	public void authenticationSuccess() {
 		SecurityWebFilterChain securityWebFilter = this.http