Taking the Driver’s Seat

Learn how to write custom policies for our security file and then create test users with different roles.

Spring Security is a curious feature. People need a lot of flexibility when setting up their applications. Some want to lock down sections. Others want to control every page. The login experience varies from site to site.

Certain things have to be done in a specific order; otherwise the setup is impractical, or it flat out falls apart. There are few projects that are a better testimony to dependency injection.

Spring Security has many injection points, including the insertion of custom filters.

Note: Spring WebFlux doesn’t have servlets. Therefore, there are no javax.servlet.Filter hooks. Filtering is a valuable paradigm in web applications, though, so Spring WebFlux has its own version of a filter API (WebFilter). Spring Security’s WebFlux support takes full advantage of it.

Spring Security strives to register all the critical filters needed to properly secure our application, while still making it possible to register our own filters. It’s possible to swap out any of those key filters with a custom one, but that requires deliberate action. We won’t explore that because it deviates from the common path of customizing an application.
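As an added illustration (not code from this lesson), the sketch below registers a custom WebFilter next to Spring Security's own filters without replacing any of them; it logs requests that end in 401 or 403 so denied access shows up in the application log. The class names AuditFilterExampleConfig and DeniedRequestAuditFilter are hypothetical, and the example assumes Spring Security 5.2 or later (lambda DSL) with SLF4J on the classpath.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class AuditFilterExampleConfig { // hypothetical name, not from the lesson

    private static final Logger log = LoggerFactory.getLogger(AuditFilterExampleConfig.class);

    // Reactive counterpart of a servlet Filter: wraps the rest of the chain
    // and inspects the response once the downstream filters have finished.
    static class DeniedRequestAuditFilter implements WebFilter {
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
            return chain.filter(exchange).doFinally(signal -> {
                Object status = exchange.getResponse().getStatusCode();
                if (HttpStatus.UNAUTHORIZED.equals(status) || HttpStatus.FORBIDDEN.equals(status)) {
                    log.warn("denied {} {} -> {}", exchange.getRequest().getMethod(),
                            exchange.getRequest().getPath(), status);
                }
            });
        }
    }

    @Bean
    SecurityWebFilterChain auditExampleFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Added alongside Spring Security's own filters; none is replaced.
            .addFilterBefore(new DeniedRequestAuditFilter(), SecurityWebFiltersOrder.FIRST)
            .build();
    }
}
```

Placing the filter before SecurityWebFiltersOrder.FIRST means it wraps the whole security chain, so it sees the final status after authentication and authorization have run.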

Tailoring our security configuration, though? That’s precisely what we’re going to dig into.

Writing a custom policy

The following code shows alterations to apply to SecurityConfig ...