@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                     ServerAccessDeniedHandler accessDeniedHandler,
                                                     ServerAuthenticationEntryPoint authenticationEntryPoint) {
    return http
        .csrf()
        .accessDeniedHandler(accessDeniedHandler)
        .and()
        .exceptionHandling()
        .authenticationEntryPoint(authenticationEntryPoint)
        .accessDeniedHandler(accessDeniedHandler)
        .and()
        .authorizeExchange()
        .pathMatchers(GET, "/test/protected").authenticated()
        .pathMatchers(POST, "/test/protected").hasRole("ADMIN")
        .anyExchange().permitAll()
        .and().build();
}
 

public static void forLogin(
        final ServerHttpSecurity http,
        final AMType amType,
        final ApplicationContext ctx) {

    ReactiveClientRegistrationRepository clientRegistrationRepository =
            ctx.getBean(ReactiveClientRegistrationRepository.class);

    ReactiveOAuth2AuthorizedClientService authorizedClientService =
            new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrationRepository);
    ServerOAuth2AuthorizedClientRepository authorizedClientRepository =
            new AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(authorizedClientService);

    OAuth2AuthorizationRequestRedirectWebFilter authRequestRedirectFilter =
            new OAuth2AuthorizationRequestRedirectWebFilter(clientRegistrationRepository);

    AuthenticationWebFilter authenticationFilter =
            new OAuth2LoginAuthenticationWebFilter(authenticationManager(amType), authorizedClientRepository);
    authenticationFilter.setRequiresAuthenticationMatcher(
            new PathPatternParserServerWebExchangeMatcher("/login/oauth2/code/{registrationId}"));
    authenticationFilter.setServerAuthenticationConverter(
            new ServerOAuth2AuthorizationCodeAuthenticationTokenConverter(clientRegistrationRepository));
    authenticationFilter.setAuthenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler());
    authenticationFilter.setAuthenticationFailureHandler((exchange, ex) -> Mono.error(ex));
    authenticationFilter.setSecurityContextRepository(new WebSessionServerSecurityContextRepository());

    MediaTypeServerWebExchangeMatcher htmlMatcher = new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_HTML);
    htmlMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
    ServerAuthenticationEntryPoint entrypoint =
            new RedirectServerAuthenticationEntryPoint("/oauth2/authorization/" + amType.name());
    http.exceptionHandling().authenticationEntryPoint(new DelegateEntry(htmlMatcher, entrypoint).getEntryPoint());

    http.addFilterAt(authRequestRedirectFilter, SecurityWebFiltersOrder.HTTP_BASIC);
    http.addFilterAt(authenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION);
}
 

/**
 * Responsible for catching all authentication exceptions and delegating them to typical web error handlers
 * to perform the actual exception handling procedures.
 *
 * @param errorWebExceptionHandler Spring Boot's default exception handler which in turn would delegate to our
 *                                 typical error handlers.
 * @return The registered authentication entry point.
 */
@Bean
@ConditionalOnClass(name = "org.springframework.security.web.server.ServerAuthenticationEntryPoint")
public ServerAuthenticationEntryPoint authenticationEntryPoint(ErrorWebExceptionHandler errorWebExceptionHandler) {
    return errorWebExceptionHandler::handle;
}