# 28.2 WebFlux安全

类似于Spring MVC应用，你可以通过添加`spring-boot-starter-security`依赖，保护你的WebFlux应用。默认的安全配置由`ReactiveSecurityAutoConfiguration`以及从其它地方导入的类（`WebFluxSecurityConfiguration`用于web安全，`ReactiveAuthenticationManagerConfiguration`用于认证配置，也与非web应用相关）实现的。你可以添加一个`WebFilterChainProxy`类型的bean，来彻底关掉默认的web应用安全配置（这样做不会禁用认证管理者配置或者Actuator的安全）。

为了关闭认证管理者配置，你可以添加`ReactiveUserDetailsService`或是`ReactiveAuthenticationManager`类型的bean。

访问规则可以通过添加自定义的`SecurityWebFilterChain`配置。Spring Boot提供了便捷的方法。它们可以用来覆盖执行器端点和静态资源的访问规则。`EndpointRequest`可以用来创建基于`management.endpoints.web.base-path`属性的`ServerWebExchangeMatcher`。

`PathRequest`可以用来创建常用位置上的资源的`ServerWebExchangeMatcher`。

例如，你可以添加如下代码，自定义你的安全配置：

```java
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http
        .authorizeExchange()
            .matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
            .pathMatchers("/foo", "/bar")
                .authenticated().and()
            .formLogin();
    return http.build();
}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://jack80342.gitbook.io/spring-boot/iv.-spring-boot-features/28.-security/28.2-webflux-security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.