spring-projects
diff --git a/‎config/src/main/kotlin/org/springframework/security/config/web/server/AuthorizeExchangeDsl.kt
+135 b/‎config/src/main/kotlin/org/springframework/security/config/web/server/AuthorizeExchangeDsl.kt
+135
diff --git a/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerAnonymousDsl.kt
+61 b/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerAnonymousDsl.kt
+61
diff --git a/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerCorsDsl.kt
+49 b/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerCorsDsl.kt
+49
diff --git a/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt
+59 b/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt
+59
diff --git a/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerExceptionHandlingDsl.kt
+43 b/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerExceptionHandlingDsl.kt
+43
@@ -0,0 +1,135 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+import org.springframework.security.authorization.AuthenticatedReactiveAuthorizationManager
+import org.springframework.security.authorization.AuthorityReactiveAuthorizationManager
+import org.springframework.security.authorization.AuthorizationDecision
+import org.springframework.security.authorization.ReactiveAuthorizationManager
+import org.springframework.security.core.Authentication
+import org.springframework.security.web.server.authorization.AuthorizationContext
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers
+import org.springframework.security.web.util.matcher.RequestMatcher
+import reactor.core.publisher.Mono
+
+/**
+ * A Kotlin DSL to configure [ServerHttpSecurity] exchange authorization using idiomatic
+ * Kotlin code.
+ *
+ * @author Eleftheria Stein
+ * @since 5.4
+ */
+class AuthorizeExchangeDsl {
+    private val authorizationRules = mutableListOf<ExchangeAuthorizationRule>()
+
+    /**
+     * Adds an exchange authorization rule for an endpoint matching the provided
+     * matcher.
+     *
+     * @param matcher the [RequestMatcher] to match incoming requests against
+     * @param access the [ReactiveAuthorizationManager] which determines the access
+     * to the specific matcher.
+     * Some predefined shortcuts have already been created, such as
+     * [hasAnyAuthority], [hasAnyRole], [permitAll], [authenticated] and more
+     */
+    fun authorize(matcher: ServerWebExchangeMatcher = ServerWebExchangeMatchers.anyExchange(),
+                  access: ReactiveAuthorizationManager<AuthorizationContext> = authenticated) {
+        authorizationRules.add(MatcherExchangeAuthorizationRule(matcher, access))
+    }
+
+    /**
+     * Adds an exchange authorization rule for an endpoint matching the provided
+     * ant pattern.
+     *
+     * @param antPattern the ant ant pattern to match incoming requests against.
+     * @param access the [ReactiveAuthorizationManager] which determines the access
+     * to the specific matcher.
+     * Some predefined shortcuts have already been created, such as
+     * [hasAnyAuthority], [hasAnyRole], [permitAll], [authenticated] and more
+     */
+    fun authorize(antPattern: String, access: ReactiveAuthorizationManager<AuthorizationContext> = authenticated) {
+        authorizationRules.add(PatternExchangeAuthorizationRule(antPattern, access))
+    }
+
+    /**
+     * Matches any exchange.
+     */
+    val anyExchange: ServerWebExchangeMatcher = ServerWebExchangeMatchers.anyExchange()
+
+    /**
+     * Allow access for anyone.
+     */
+    val permitAll: ReactiveAuthorizationManager<AuthorizationContext> =
+            ReactiveAuthorizationManager { _: Mono<Authentication>, _: AuthorizationContext -> Mono.just(AuthorizationDecision(true)) }
+
+    /**
+     * Deny access for everyone.
+     */
+    val denyAll: ReactiveAuthorizationManager<AuthorizationContext> =
+            ReactiveAuthorizationManager { _: Mono<Authentication>, _: AuthorizationContext -> Mono.just(AuthorizationDecision(false)) }
+
+    /**
+     * Require a specific role. This is a shortcut for [hasAuthority].
+     */
+    fun hasRole(role: String): ReactiveAuthorizationManager<AuthorizationContext> =
+            AuthorityReactiveAuthorizationManager.hasRole<AuthorizationContext>(role)
+
+    /**
+     * Require any specific role. This is a shortcut for [hasAnyAuthority].
+     */
+    fun hasAnyRole(vararg roles: String): ReactiveAuthorizationManager<AuthorizationContext> =
+            AuthorityReactiveAuthorizationManager.hasAnyRole<AuthorizationContext>(*roles)
+
+    /**
+     * Require a specific authority.
+     */
+    fun hasAuthority(authority: String): ReactiveAuthorizationManager<AuthorizationContext> =
+            AuthorityReactiveAuthorizationManager.hasAuthority<AuthorizationContext>(authority)
+
+    /**
+     * Require any authority.
+     */
+    fun hasAnyAuthority(vararg authorities: String): ReactiveAuthorizationManager<AuthorizationContext> =
+            AuthorityReactiveAuthorizationManager.hasAnyAuthority<AuthorizationContext>(*authorities)
+
+    /**
+     * Require an authenticated user.
+     */
+    val authenticated: ReactiveAuthorizationManager<AuthorizationContext> =
+            AuthenticatedReactiveAuthorizationManager.authenticated<AuthorizationContext>()
+
+    internal fun get(): (ServerHttpSecurity.AuthorizeExchangeSpec) -> Unit {
+        return { requests ->
+            authorizationRules.forEach { rule ->
+                when (rule) {
+                    is MatcherExchangeAuthorizationRule -> requests.matchers(rule.matcher).access(rule.rule)
+                    is PatternExchangeAuthorizationRule -> requests.pathMatchers(rule.pattern).access(rule.rule)
+                }
+            }
+        }
+    }
+
+    private data class MatcherExchangeAuthorizationRule(val matcher: ServerWebExchangeMatcher,
+                                                        override val rule: ReactiveAuthorizationManager<AuthorizationContext>) : ExchangeAuthorizationRule(rule)
+
+    private data class PatternExchangeAuthorizationRule(val pattern: String,
+                                                        override val rule: ReactiveAuthorizationManager<AuthorizationContext>) : ExchangeAuthorizationRule(rule)
+
+    private abstract class ExchangeAuthorizationRule(open val rule: ReactiveAuthorizationManager<AuthorizationContext>)
+}
+
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.GrantedAuthority
+import org.springframework.security.web.server.authentication.AnonymousAuthenticationWebFilter
+
+/**
+ * A Kotlin DSL to configure [ServerHttpSecurity] anonymous authentication using idiomatic
+ * Kotlin code.
+ *
+ * @author Eleftheria Stein
+ * @since 5.4
+ * @property key the key to identify tokens created for anonymous authentication
+ * @property principal the principal for [Authentication] objects of anonymous users
+ * @property authorities the [Authentication.getAuthorities] for anonymous users
+ * @property authenticationFilter the [AnonymousAuthenticationWebFilter] used to populate
+ * an anonymous user.
+ */
+class ServerAnonymousDsl {
+    var key: String? = null
+    var principal: Any? = null
+    var authorities: List<GrantedAuthority>? = null
+    var authenticationFilter: AnonymousAuthenticationWebFilter? = null
+
+    private var disabled = false
+
+    /**
+     * Disables anonymous authentication
+     */
+    fun disable() {
+        disabled = true
+    }
+
+    internal fun get(): (ServerHttpSecurity.AnonymousSpec) -> Unit {
+        return { anonymous ->
+            key?.also { anonymous.key(key) }
+            principal?.also { anonymous.principal(principal) }
+            authorities?.also { anonymous.authorities(authorities) }
+            authenticationFilter?.also { anonymous.authenticationFilter(authenticationFilter) }
+            if (disabled) {
+                anonymous.disable()
+            }
+        }
+    }
+}
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+import org.springframework.web.cors.reactive.CorsConfigurationSource
+
+/**
+ * A Kotlin DSL to configure [ServerHttpSecurity] CORS headers using idiomatic
+ * Kotlin code.
+ *
+ * @author Eleftheria Stein
+ * @since 5.4
+ * @property configurationSource the [CorsConfigurationSource] to use.
+ */
+class ServerCorsDsl {
+    var configurationSource: CorsConfigurationSource? = null
+
+    private var disabled = false
+
+    /**
+     * Disables CORS support within Spring Security.
+     */
+    fun disable() {
+        disabled = true
+    }
+
+    internal fun get(): (ServerHttpSecurity.CorsSpec) -> Unit {
+        return { cors ->
+            configurationSource?.also { cors.configurationSource(configurationSource) }
+            if (disabled) {
+                cors.disable()
+            }
+        }
+    }
+}
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+import org.springframework.security.config.web.server.ServerHttpSecurity
+import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler
+import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher
+
+/**
+ * A Kotlin DSL to configure [ServerHttpSecurity] CSRF protection using idiomatic
+ * Kotlin code.
+ *
+ * @author Eleftheria Stein
+ * @since 5.4
+ * @property accessDeniedHandler the [ServerAccessDeniedHandler] used when a CSRF token is invalid.
+ * @property csrfTokenRepository the [ServerCsrfTokenRepository] used to persist the CSRF token.
+ * @property requireCsrfProtectionMatcher the [ServerWebExchangeMatcher] used to determine when CSRF protection
+ * is enabled.
+ */
+class ServerCsrfDsl {
+    var accessDeniedHandler: ServerAccessDeniedHandler? = null
+    var csrfTokenRepository: ServerCsrfTokenRepository? = null
+    var requireCsrfProtectionMatcher: ServerWebExchangeMatcher? = null
+
+    private var disabled = false
+
+    /**
+     * Disables CSRF protection
+     */
+    fun disable() {
+        disabled = true
+    }
+
+    internal fun get(): (ServerHttpSecurity.CsrfSpec) -> Unit {
+        return { csrf ->
+            accessDeniedHandler?.also { csrf.accessDeniedHandler(accessDeniedHandler) }
+            csrfTokenRepository?.also { csrf.csrfTokenRepository(csrfTokenRepository) }
+            requireCsrfProtectionMatcher?.also { csrf.requireCsrfProtectionMatcher(requireCsrfProtectionMatcher) }
+            if (disabled) {
+                csrf.disable()
+            }
+        }
+    }
+}
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2002-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server
+
+import org.springframework.security.web.server.ServerAuthenticationEntryPoint
+import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler
+
+/**
+ * A Kotlin DSL to configure [ServerHttpSecurity] exception handling using idiomatic Kotlin
+ * code.
+ *
+ * @author Eleftheria Stein
+ * @since 5.4
+ * @property authenticationEntryPoint the [ServerAuthenticationEntryPoint] to use when
+ * the application request authentication
+ * @property accessDeniedHandler the [ServerAccessDeniedHandler] to use when an
+ * authenticated user does not hold a required authority
+ */
+class ServerExceptionHandlingDsl {
+    var authenticationEntryPoint: ServerAuthenticationEntryPoint? = null
+    var accessDeniedHandler: ServerAccessDeniedHandler? = null
+
+    internal fun get(): (ServerHttpSecurity.ExceptionHandlingSpec) -> Unit {
+        return { exceptionHandling ->
+            authenticationEntryPoint?.also { exceptionHandling.authenticationEntryPoint(authenticationEntryPoint) }
+            accessDeniedHandler?.also { exceptionHandling.accessDeniedHandler(accessDeniedHandler) }
+        }
+    }
+}