Description
Expected Behavior
Rename bearerTokenConverter (and setter) to a more generic name, e.g. serverAuthenticationConverter.
Rename BearerTokenServerWebExchangeMatcher to a more generic name, e.g. AuthenticationServerWebExchangeMatcher, and make it public.
Then, AuthenticationServerWebExchangeMatcher can be used as a securityMatcher when configuring a SecurityFilterChain and also as the matcher for the authentication entry point, access denied handler and CSRF protection in OAuth2ResourceServerSpec.
Current Behavior
BearerTokenServerWebExchangeMatcher is a private class in OAuth2ResourceServerSpec and is used as a matcher only for the authentication entry point, access denied handler and CSRF protection.
It's necessary to create a custom ServerWebExchangeMatcher which is almost identical to BearerTokenServerWebExchangeMatcher.
Context
We have defined multiple SecurityFilterChains; each has a security matcher based on the currently used authentication method.
private SecurityWebFilterChain httpBasicSecurityFilterChain(ServerHttpSecurity http) {
    http.securityMatcher(new AuthenticationServerWebExchangeMatcher(new ServerHttpBasicAuthenticationConverter()));
    // some configuration
    return http.build();
}

private SecurityWebFilterChain oauth2SecurityFilterChain(ServerHttpSecurity http) {
    http.securityMatcher(new AuthenticationServerWebExchangeMatcher(new ServerBearerTokenAuthenticationConverter()));
    // some configuration
    return http.build();
}

private SecurityWebFilterChain x509SecurityFilterChain(ServerHttpSecurity http) {
    http.securityMatcher(new AuthenticationServerWebExchangeMatcher(new ServerX509AuthenticationConverter(extractor)));
    // some configuration
    return http.build();
}
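
The custom matcher that the "Current Behavior" section says has to be written by hand today could look like the following. This is an added example, not part of the original issue and not Spring Security's own code; the class name is the one proposed above, and treating converter errors as "no match" is an assumption of this sketch.

```java
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Hypothetical stand-in for the matcher proposed in this issue: an exchange
 * matches when the given converter can extract credentials from it.
 */
public final class AuthenticationServerWebExchangeMatcher implements ServerWebExchangeMatcher {

    private final ServerAuthenticationConverter converter;

    public AuthenticationServerWebExchangeMatcher(ServerAuthenticationConverter converter) {
        Assert.notNull(converter, "converter cannot be null");
        this.converter = converter;
    }

    @Override
    public Mono<MatchResult> matches(ServerWebExchange exchange) {
        return this.converter.convert(exchange)
                // The converter produced an Authentication: credentials of this
                // type are present, so this filter chain owns the request.
                .flatMap(authentication -> MatchResult.match())
                // Empty Mono: the request carries no credentials of this type.
                .switchIfEmpty(MatchResult.notMatch())
                // Assumption of this sketch: a converter that rejects malformed
                // credentials with an exception is treated as "no match", so the
                // request is left for a later chain to handle.
                .onErrorResume(ex -> MatchResult.notMatch());
    }
}
```

With matchers like this, a request that presents no recognised credentials (or malformed ones) matches none of the per-method chains, so the configuration needs a final catch-all SecurityWebFilterChain that denies or challenges such requests. Declare the chains in a deliberate order, because the first chain whose matcher accepts the exchange is the only one applied.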