I understand the following on the Spring Security servlet application:
import org.springframework.security.config.annotation.web.builders.WebSecurity;

@Override
public void configure(WebSecurity web) throws Exception {
    // Servlet stack: requests matching these patterns never enter the Spring Security filter chain at all
    web.ignoring().mvcMatchers("/favicon.ico", "/doc.html", "/webjars/**", "/swagger-resources/**", "/**/v2/api-docs");
}
The following requests go through the filter on a Spring Security Reactive application:
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Bean
public SecurityWebFilterChain springSecurityFilterChain( ServerHttpSecurity http ) {
    // Swagger / static resource paths that should not require a token
    final String[] skipSwaggerUrls = new String[] {
        "/favicon.ico",
        "/doc.html",
        "/webjars/**",
        "/swagger-resources/**",
        "/**/v2/api-docs" };
    // permitAll() only skips the authorization check: the request still passes through
    // the whole security filter chain (bearer token extraction, CSRF, headers, ...)
    http.authorizeExchange()
            .pathMatchers( skipSwaggerUrls ).permitAll()
            .anyExchange().authenticated()
        .and().csrf().disable()
        .oauth2ResourceServer()
            // JwtExtractTokenAuthenticationConverter, UserAuthenticationEntryPoint and
            // UserAccessDeniedHandler are the application's own classes
            .bearerTokenConverter( new JwtExtractTokenAuthenticationConverter() )
            .authenticationEntryPoint( new UserAuthenticationEntryPoint() )
            .accessDeniedHandler( new UserAccessDeniedHandler() )
            .jwt();
    return http.build();
}
How do I keep static resource requests out of the filter on a Spring Security WebFlux Reactive application? Can you help me?
Comment From: eleftherias
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.
Briefly, you can specify a NegatedServerWebExchangeMatcher in your ServerHttpSecurity.securityMatcher.
Comment From: yijianguanzhu
Thanks. As you said, I have solved the problem at present; it is just as follows:
import org.apache.commons.lang3.ArrayUtils;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverterAdapter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Bean
public SecurityWebFilterChain springSecurityFilterChain( ServerHttpSecurity http ) {
    // Paths excluded from the security filter chain entirely
    final String[] skipUrls = new String[] { "/user-account/user/login" };
    final String[] skipSwaggerUrls = new String[] {
        "/favicon.ico",
        "/doc.html",
        "/webjars/**",
        "/swagger-resources/**",
        "/**/v2/api-docs" };

    // Map JWT claims to granted authorities (JwtTokenGrantedAuthoritiesConverter is the application's own class)
    JwtAuthenticationConverter authenticationConverter = new JwtAuthenticationConverter();
    authenticationConverter.setJwtGrantedAuthoritiesConverter( new JwtTokenGrantedAuthoritiesConverter() );
    ReactiveJwtAuthenticationConverterAdapter jwtAuthenticationConverter =
        new ReactiveJwtAuthenticationConverterAdapter( authenticationConverter );

    // Matcher for every path that should bypass security; negating it makes the chain
    // apply only to the remaining requests (the excluded ones never enter the chain)
    ServerWebExchangeMatcher pathMatchers = ServerWebExchangeMatchers
        .pathMatchers( ArrayUtils.addAll( skipUrls, skipSwaggerUrls ) );

    http.securityMatcher( new NegatedServerWebExchangeMatcher( pathMatchers ) )
        .authorizeExchange()
            // "/**" matches every exchange that reaches the chain, so the anyExchange() rule
            // below is only a fallback that is never reached
            .pathMatchers( "/**" ).access( new UserAuthorityReactiveAuthorizationManager() )
            .anyExchange().authenticated()
        .and().csrf().disable()
        // AuthWebFilter and the converters/handlers below are the application's own classes
        .addFilterAfter( new AuthWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION )
        .oauth2ResourceServer()
            .bearerTokenConverter( new JwtExtractTokenAuthenticationConverter() )
            .authenticationEntryPoint( new UserAuthenticationEntryPoint() )
            .accessDeniedHandler( new UserAccessDeniedHandler() )
            .jwt()
                .jwtAuthenticationConverter( jwtAuthenticationConverter );
    return http.build();
}
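The difference between the two approaches in this thread (permitAll() inside authorizeExchange() versus a NegatedServerWebExchangeMatcher passed to securityMatcher()) is worth checking with a test, because it is a security-relevant one: a path excluded through securityMatcher() never enters the Spring Security chain, so it also receives none of the chain's side effects (security headers, CSRF handling, token extraction), whereas a permitAll() path still gets all of them. The JUnit 5 test below is an added example and not code from the issue or from Spring Security's own test suite. It assumes Spring Security 5.x on the WebFlux stack with WebTestClient available; it swaps the thread's JWT resource server for httpBasic() with a constructed ReactiveAuthenticationManager that rejects every credential, so that it runs without a JWT decoder or an application context, and the route, the static path list and the "/api/secret" path are constructed for the test.

```java
import static org.springframework.web.reactive.function.server.RequestPredicates.GET;
import static org.springframework.web.reactive.function.server.RouterFunctions.route;

import org.junit.jupiter.api.Test;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.reactive.function.server.RouterFunction;
import org.springframework.web.reactive.function.server.ServerResponse;
import reactor.core.publisher.Mono;

/** Added example (not from the issue): shows what "skipping" a path really skips. */
class StaticResourceBypassTest {

    // Constructed list of paths to treat as static / public
    private static final String[] STATIC_PATHS = { "/favicon.ico", "/doc.html", "/webjars/**" };

    // Constructed handler: every GET returns 200 so only the security chain decides the outcome
    private final RouterFunction<ServerResponse> routes =
            route(GET("/**"), req -> ServerResponse.ok().bodyValue("hello"));

    /** Variant 1: static paths are excluded from the security chain entirely. */
    private SecurityWebFilterChain excludedChain() {
        return ServerHttpSecurity.http()
                // Constructed manager: no credentials are ever accepted in this test
                .authenticationManager(auth -> Mono.error(new BadCredentialsException("rejected")))
                .securityMatcher(new NegatedServerWebExchangeMatcher(
                        ServerWebExchangeMatchers.pathMatchers(STATIC_PATHS)))
                .authorizeExchange().anyExchange().authenticated()
                .and().httpBasic().and()
                .build();
    }

    /** Variant 2: static paths stay inside the chain but are permitted. */
    private SecurityWebFilterChain permitAllChain() {
        return ServerHttpSecurity.http()
                .authenticationManager(auth -> Mono.error(new BadCredentialsException("rejected")))
                .authorizeExchange()
                    .pathMatchers(STATIC_PATHS).permitAll()
                    .anyExchange().authenticated()
                .and().httpBasic().and()
                .build();
    }

    private WebTestClient client(SecurityWebFilterChain chain) {
        // WebFilterChainProxy is the WebFilter Spring Security installs at runtime
        return WebTestClient.bindToRouterFunction(routes)
                .webFilter(new WebFilterChainProxy(chain))
                .build();
    }

    @Test
    void excludedStaticPathBypassesTheWholeChain() {
        WebTestClient client = client(excludedChain());
        // The chain never ran: no authentication, and also no default security headers
        client.get().uri("/doc.html").exchange()
                .expectStatus().isOk()
                .expectHeader().doesNotExist("X-Frame-Options");
        // Everything else is still protected
        client.get().uri("/api/secret").exchange()
                .expectStatus().isUnauthorized();
    }

    @Test
    void permittedStaticPathStillRunsTheChain() {
        WebTestClient client = client(permitAllChain());
        // Authorization was skipped, but the chain ran and applied its headers
        client.get().uri("/doc.html").exchange()
                .expectStatus().isOk()
                .expectHeader().exists("X-Frame-Options");
        client.get().uri("/api/secret").exchange()
                .expectStatus().isUnauthorized();
    }
}
```

The test keeps CSRF and the default headers enabled (unlike the thread's configuration) precisely so that the X-Frame-Options header can serve as evidence of whether the chain executed. When choosing between the two variants for a real application, the same check tells you which paths have left Spring Security's control completely; for truly static assets that is usually intended, but a pattern such as "/**/v2/api-docs" also excludes any endpoint that happens to match it, so it is worth keeping the excluded list as narrow as the asset paths require.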