diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
index 3d6ad7db22..18d1dfd94b 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -27,6 +27,7 @@ import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Function;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
@@ -1473,6 +1474,22 @@ public class ServerHttpSecurity {
 return this;
 }
+ /**
+ * Configures when this filter should redirect to https
+ *
+ By default, the filter will redirect whenever an exchange's scheme is not https
+ *
+ @param when determines when to redirect to https
+ @return the {@link HttpsRedirectSpec} for additional configuration
+ */
+ public HttpsRedirectSpec httpsRedirectWhen(
+ Function when) {
+ ServerWebExchangeMatcher matcher = e -> when.apply(e) ?
+ ServerWebExchangeMatcher.MatchResult.match() :
+ ServerWebExchangeMatcher.MatchResult.notMatch();
+ return httpsRedirectWhen(matcher);
+ }
+
 /**
 * Configures a custom HTTPS port to redirect to
 *
diff --git a/docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc b/docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc
index 03c37173c7..00a4bb5919 100644
--- a/docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc
@@ -31,7 +31,7 @@ Below are the highlights of the release.
 ** <>
 ** <>
 ** <>
-* Support for redirecting to HTTPS
+* <>
 === Integrations 
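Review bot: In the new `httpsRedirectWhen(Function)` the result of `when.apply(e)` is unboxed by the ternary, so a function that returns `null` surfaces as a NullPointerException inside the matcher on every request rather than at configuration time (the type arguments of `Function` do not survive this rendering; this assumes `Function<ServerWebExchange, Boolean>`). Give `null` an explicit, redirect-preserving meaning with `ServerWebExchangeMatcher matcher = e -> Boolean.FALSE.equals(when.apply(e)) ? ServerWebExchangeMatcher.MatchResult.notMatch() : ServerWebExchangeMatcher.MatchResult.match();` and reject a `null` argument eagerly at the top of the method, e.g. `Assert.notNull(when, "when cannot be null");` if `Assert` is already available in this class. The Javadoc should also state that the function is evaluated per request against the live exchange, so request-derived signals such as the `X-Forwarded-Proto` header used in the new redirect-https.adoc example are supplied by the client or proxy and are not an environment check, and it should say whether `when` replaces or is combined with the default non-https scheme check it mentions. The enclosing spec class starts and ends outside this hunk.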
diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc
index c385762cb2..e29fbd9f19 100644
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc
@@ -4,6 +4,8 @@ include::webflux.adoc[leveloffset=+1]
 include::headers.adoc[leveloffset=+1]
+include::redirect-https.adoc[leveloffset=+1]
+
 include::oauth2/index.adoc[leveloffset=+1]
 include::registered-oauth2-authorized-client.adoc[leveloffset=+1]
diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc
new file mode 100644
index 0000000000..5c142b6209
--- /dev/null
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/redirect-https.adoc
@@ -0,0 +1,32 @@
+[[webflux-redirect-https]]
+= Redirect to HTTPS
+
+HTTPS is required to provide a secure application.
+Spring Security can be configured to perform a redirect to https using the following Java Configuration:
+
+[source,java]
+----
+@Bean
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .redirectToHttps();
+ return http.build();
+}
+----
+
+The configuration can easily be wrapped around an if statement to only be turned on in production.
+Alternatively, it can be enabled by looking for a property about the request that only happens in production.
+For example, if the production environment adds a header named `X-Forwarded-Proto` the following Java Configuration could be used:
+
+[source,java]
+----
+@Bean
+SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .redirectToHttps()
+ .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"));
+ return http.build();
+}
+----