Add StaticResourceRequest for WebFlux Security

Closes gh-11040

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/StaticResourceLocation.java

+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.security;
+
+import java.util.Arrays;
+import java.util.stream.Stream;
+
+/**
+ * Common locations for static resources.
+ *
+ * @author Phillip Webb
+ */
+public enum StaticResourceLocation {
+
+	/**
+	 * Resources under {@code "/css"}.
+	 */
+	CSS("/css/**"),
+
+	/**
+	 * Resources under {@code "/js"}.
+	 */
+	JAVA_SCRIPT("/js/**"),
+
+	/**
+	 * Resources under {@code "/images"}.
+	 */
+	IMAGES("/images/**"),
+
+	/**
+	 * Resources under {@code "/webjars"}.
+	 */
+	WEB_JARS("/webjars/**"),
+
+	/**
+	 * The {@code "favicon.ico"} resource.
+	 */
+	FAVICON("/**/favicon.ico");
+
+	private String[] patterns;
+
+	StaticResourceLocation(String... patterns) {
+		this.patterns = patterns;
+	}
+
+	public Stream<String> getPatterns() {
+		return Arrays.stream(this.patterns);
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/reactive/StaticResourceRequest.java

+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.security.reactive;
+
+import java.util.EnumSet;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import reactor.core.publisher.Mono;
+
+import org.springframework.boot.autoconfigure.security.StaticResourceLocation;
+import org.springframework.security.web.server.util.matcher.OrServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.util.Assert;
+import org.springframework.web.server.ServerWebExchange;
+
+/**
+ * Factory that can be used to create a {@link ServerWebExchangeMatcher} for static resources in
+ * commonly used locations.
+ *
+ * @author Madhura Bhave
+ * @since 2.0.0
+ */
+public final class StaticResourceRequest {
+
+	private StaticResourceRequest() {
+	}
+
+	/**
+	 * Returns a matcher that includes all commonly used {@link StaticResourceLocation Locations}. The
+	 * {@link StaticResourceServerWebExchange#excluding(StaticResourceLocation, StaticResourceLocation...) excluding}
+	 * method can be used to remove specific locations if required. For example:
+	 * <pre class="code">
+	 * StaticResourceRequest.toCommonLocations().excluding(StaticResourceLocation.CSS)
+	 * </pre>
+	 * @return the configured {@link ServerWebExchangeMatcher}
+	 */
+	public static StaticResourceServerWebExchange toCommonLocations() {
+		return to(EnumSet.allOf(StaticResourceLocation.class));
+	}
+
+	/**
+	 * Returns a matcher that includes the specified {@link StaticResourceLocation Locations}. For
+	 * example: <pre class="code">
+	 * to(StaticResourceLocation.CSS, StaticResourceLocation.JAVA_SCRIPT)
+	 * </pre>
+	 * @param first the first location to include
+	 * @param rest additional locations to include
+	 * @return the configured {@link ServerWebExchangeMatcher}
+	 */
+	public static StaticResourceServerWebExchange to(StaticResourceLocation first, StaticResourceLocation... rest) {
+		return to(EnumSet.of(first, rest));
+	}
+
+	/**
+	 * Returns a matcher that includes the specified {@link StaticResourceLocation Locations}. For
+	 * example: <pre class="code">
+	 * to(locations)
+	 * </pre>
+	 * @param locations the locations to include
+	 * @return the configured {@link ServerWebExchangeMatcher}
+	 */
+	public static StaticResourceServerWebExchange to(Set<StaticResourceLocation> locations) {
+		Assert.notNull(locations, "Locations must not be null");
+		return new StaticResourceServerWebExchange(new LinkedHashSet<>(locations));
+	}
+
+	/**
+	 * The server web exchange matcher used to match against resource {@link StaticResourceLocation Locations}.
+	 */
+	public final static class StaticResourceServerWebExchange
+			implements ServerWebExchangeMatcher {
+
+		private final Set<StaticResourceLocation> locations;
+
+		private StaticResourceServerWebExchange(Set<StaticResourceLocation> locations) {
+			this.locations = locations;
+		}
+
+		/**
+		 * Return a new {@link StaticResourceServerWebExchange} based on this one but
+		 * excluding the specified locations.
+		 * @param first the first location to exclude
+		 * @param rest additional locations to exclude
+		 * @return a new {@link StaticResourceServerWebExchange}
+		 */
+		public StaticResourceServerWebExchange excluding(StaticResourceLocation first, StaticResourceLocation... rest) {
+			return excluding(EnumSet.of(first, rest));
+		}
+
+		/**
+		 * Return a new {@link StaticResourceServerWebExchange} based on this one but
+		 * excluding the specified locations.
+		 * @param locations the locations to exclude
+		 * @return a new {@link StaticResourceServerWebExchange}
+		 */
+		public StaticResourceServerWebExchange excluding(Set<StaticResourceLocation> locations) {
+			Assert.notNull(locations, "Locations must not be null");
+			Set<StaticResourceLocation> subset = new LinkedHashSet<>(this.locations);
+			subset.removeAll(locations);
+			return new StaticResourceServerWebExchange(subset);
+		}
+
+		private List<ServerWebExchangeMatcher> getDelegateMatchers() {
+			return getPatterns().map(PathPatternParserServerWebExchangeMatcher::new)
+					.collect(Collectors.toList());
+		}
+
+		private Stream<String> getPatterns() {
+			return this.locations.stream().flatMap(StaticResourceLocation::getPatterns);
+		}
+
+		@Override
+		public Mono<MatchResult> matches(ServerWebExchange exchange) {
+			OrServerWebExchangeMatcher matcher = new OrServerWebExchangeMatcher(getDelegateMatchers());
+			return matcher.matches(exchange);
+		}
+	}
+
+}
+

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/servlet/StaticResourceRequest.java

@@ -16,7 +16,6 @@
 
 package org.springframework.boot.autoconfigure.security.servlet;
 
-import java.util.Arrays;
 import java.util.EnumSet;
 import java.util.LinkedHashSet;
 import java.util.List;
@@ -26,6 +25,7 @@ import java.util.stream.Stream;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.springframework.boot.autoconfigure.security.StaticResourceLocation;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.boot.security.servlet.ApplicationContextRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -47,94 +47,55 @@ public final class StaticResourceRequest {
 	}
 
 	/**
-	 * Returns a matcher that includes all commonly used {@link Location Locations}. The
-	 * {@link StaticResourceRequestMatcher#excluding(Location, Location...) excluding}
+	 * Returns a matcher that includes all commonly used {@link StaticResourceLocation Locations}. The
+	 * {@link StaticResourceRequestMatcher#excluding(StaticResourceLocation, StaticResourceLocation...) excluding}
 	 * method can be used to remove specific locations if required. For example:
 	 * <pre class="code">
-	 * StaticResourceRequest.toCommonLocations().excluding(Location.CSS)
+	 * StaticResourceRequest.toCommonLocations().excluding(StaticResourceLocation.CSS)
 	 * </pre>
 	 * @return the configured {@link RequestMatcher}
 	 */
 	public static StaticResourceRequestMatcher toCommonLocations() {
-		return to(EnumSet.allOf(Location.class));
+		return to(EnumSet.allOf(StaticResourceLocation.class));
 	}
 
 	/**
-	 * Returns a matcher that includes the specified {@link Location Locations}. For
+	 * Returns a matcher that includes the specified {@link StaticResourceLocation Locations}. For
 	 * example: <pre class="code">
-	 * StaticResourceRequest.to(Location.CSS, Location.JAVA_SCRIPT)
+	 * StaticResourceRequest.to(StaticResourceLocation.CSS, StaticResourceLocation.JAVA_SCRIPT)
 	 * </pre>
 	 * @param first the first location to include
 	 * @param rest additional locations to include
 	 * @return the configured {@link RequestMatcher}
 	 */
-	public static StaticResourceRequestMatcher to(Location first, Location... rest) {
+	public static StaticResourceRequestMatcher to(StaticResourceLocation first, StaticResourceLocation... rest) {
 		return to(EnumSet.of(first, rest));
 	}
 
 	/**
-	 * Returns a matcher that includes the specified {@link Location Locations}. For
+	 * Returns a matcher that includes the specified {@link StaticResourceLocation Locations}. For
 	 * example: <pre class="code">
 	 * StaticResourceRequest.to(locations)
 	 * </pre>
 	 * @param locations the locations to include
 	 * @return the configured {@link RequestMatcher}
 	 */
-	public static StaticResourceRequestMatcher to(Set<Location> locations) {
+	public static StaticResourceRequestMatcher to(Set<StaticResourceLocation> locations) {
 		Assert.notNull(locations, "Locations must not be null");
 		return new StaticResourceRequestMatcher(new LinkedHashSet<>(locations));
 	}
 
-	public enum Location {
-
-		/**
-		 * Resources under {@code "/css"}.
-		 */
-		CSS("/css/**"),
-
-		/**
-		 * Resources under {@code "/js"}.
-		 */
-		JAVA_SCRIPT("/js/**"),
-
-		/**
-		 * Resources under {@code "/images"}.
-		 */
-		IMAGES("/images/**"),
-
-		/**
-		 * Resources under {@code "/webjars"}.
-		 */
-		WEB_JARS("/webjars/**"),
-
-		/**
-		 * The {@code "favicon.ico"} resource.
-		 */
-		FAVICON("/**/favicon.ico");
-
-		private String[] patterns;
-
-		Location(String... patterns) {
-			this.patterns = patterns;
-		}
-
-		Stream<String> getPatterns() {
-			return Arrays.stream(this.patterns);
-		}
-
-	}
-
 	/**
-	 * The request matcher used to match against resource {@link Location Locations}.
+	 * The request matcher used to match against resource {@link StaticResourceLocation Locations}.
 	 */
 	public static final class StaticResourceRequestMatcher
 			extends ApplicationContextRequestMatcher<ServerProperties> {
 
-		private final Set<Location> locations;
+		private final Set<StaticResourceLocation> locations;
 
 		private RequestMatcher delegate;
 
-		private StaticResourceRequestMatcher(Set<Location> locations) {
+		private StaticResourceRequestMatcher(Set<StaticResourceLocation> locations) {
 			super(ServerProperties.class);
 			this.locations = locations;
 		}
@@ -146,7 +107,7 @@ public final class StaticResourceRequest {
 		 * @param rest additional locations to exclude
 		 * @return a new {@link StaticResourceRequestMatcher}
 		 */
-		public StaticResourceRequestMatcher excluding(Location first, Location... rest) {
+		public StaticResourceRequestMatcher excluding(StaticResourceLocation first, StaticResourceLocation... rest) {
 			return excluding(EnumSet.of(first, rest));
 		}
 
@@ -156,9 +117,9 @@ public final class StaticResourceRequest {
 		 * @param locations the locations to exclude
 		 * @return a new {@link StaticResourceRequestMatcher}
 		 */
-		public StaticResourceRequestMatcher excluding(Set<Location> locations) {
+		public StaticResourceRequestMatcher excluding(Set<StaticResourceLocation> locations) {
 			Assert.notNull(locations, "Locations must not be null");
-			Set<Location> subset = new LinkedHashSet<>(this.locations);
+			Set<StaticResourceLocation> subset = new LinkedHashSet<>(this.locations);
 			subset.removeAll(locations);
 			return new StaticResourceRequestMatcher(subset);
 		}
@@ -175,7 +136,7 @@ public final class StaticResourceRequest {
 		}
 
 		private Stream<String> getPatterns(ServerProperties serverProperties) {
-			return this.locations.stream().flatMap(Location::getPatterns)
+			return this.locations.stream().flatMap(StaticResourceLocation::getPatterns)
 					.map(serverProperties.getServlet()::getPath);
 		}
 

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/reactive/StaticResourceRequestTests.java

+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.security.reactive;
+
+import org.assertj.core.api.AssertDelegateTarget;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+
+import org.springframework.boot.autoconfigure.security.StaticResourceLocation;
+import org.springframework.boot.autoconfigure.web.ServerProperties;
+import org.springframework.context.support.StaticApplicationContext;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.http.server.reactive.ServerHttpResponse;
+import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
+import org.springframework.mock.http.server.reactive.MockServerHttpResponse;
+import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
+import org.springframework.web.context.support.StaticWebApplicationContext;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebHandler;
+import org.springframework.web.server.adapter.HttpWebHandlerAdapter;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+
+/**
+ * Tests for {@link StaticResourceRequest}.
+ *
+ * @author Madhura Bhave
+ */
+public class StaticResourceRequestTests {
+
+	@Rule
+	public ExpectedException thrown = ExpectedException.none();
+
+	@Test
+	public void toCommonLocationsShouldMatchCommonLocations() {
+		ServerWebExchangeMatcher matcher = StaticResourceRequest.toCommonLocations();
+		assertMatcher(matcher).matches("/css/file.css");
+		assertMatcher(matcher).matches("/js/file.js");
+		assertMatcher(matcher).matches("/images/file.css");
+		assertMatcher(matcher).matches("/webjars/file.css");
+		assertMatcher(matcher).matches("/foo/favicon.ico");
+		assertMatcher(matcher).doesNotMatch("/bar");
+	}
+
+	@Test
+	public void toCommonLocationsWithExcludeShouldNotMatchExcluded() {
+		ServerWebExchangeMatcher matcher = StaticResourceRequest.toCommonLocations()
+				.excluding(StaticResourceLocation.CSS);
+		assertMatcher(matcher).doesNotMatch("/css/file.css");
+		assertMatcher(matcher).matches("/js/file.js");
+	}
+
+	@Test
+	public void toLocationShouldMatchLocation() {
+		ServerWebExchangeMatcher matcher = StaticResourceRequest.to(StaticResourceLocation.CSS);
+		assertMatcher(matcher).matches("/css/file.css");
+		assertMatcher(matcher).doesNotMatch("/js/file.js");
+	}
+
+	@Test
+	public void toLocationsFromSetWhenSetIsNullShouldThrowException() {
+		this.thrown.expect(IllegalArgumentException.class);
+		this.thrown.expectMessage("Locations must not be null");
+		StaticResourceRequest.to(null);
+	}
+
+	@Test
+	public void excludeFromSetWhenSetIsNullShouldThrowException() {
+		this.thrown.expect(IllegalArgumentException.class);
+		this.thrown.expectMessage("Locations must not be null");
+		StaticResourceRequest.toCommonLocations().excluding(null);
+	}
+
+	private StaticResourceRequestTests.RequestMatcherAssert assertMatcher(ServerWebExchangeMatcher matcher) {
+		StaticWebApplicationContext context = new StaticWebApplicationContext();
+		context.registerBean(ServerProperties.class);
+		return assertThat(new StaticResourceRequestTests.RequestMatcherAssert(context, matcher));
+	}
+
+	private static class RequestMatcherAssert implements AssertDelegateTarget {
+
+		private final StaticApplicationContext context;
+
+		private final ServerWebExchangeMatcher matcher;
+
+		RequestMatcherAssert(StaticApplicationContext context, ServerWebExchangeMatcher matcher) {
+			this.context = context;
+			this.matcher = matcher;
+		}
+
+		void matches(String path) {
+			ServerWebExchange exchange = webHandler().createExchange(MockServerHttpRequest.get(path).build(), new MockServerHttpResponse());
+			matches(exchange);
+		}
+
+		private void matches(ServerWebExchange exchange) {
+			assertThat(this.matcher.matches(exchange).block().isMatch())
+					.as("Matches " + getRequestPath(exchange)).isTrue();
+		}
+
+		void doesNotMatch(String path) {
+			ServerWebExchange exchange = webHandler().createExchange(MockServerHttpRequest.get(path).build(), new MockServerHttpResponse());
+			doesNotMatch(exchange);
+		}
+
+		private void doesNotMatch(ServerWebExchange exchange) {
+			assertThat(this.matcher.matches(exchange).block().isMatch())
+					.as("Does not match " + getRequestPath(exchange)).isFalse();
+		}
+
+		private TestHttpWebHandlerAdapter webHandler() {
+			TestHttpWebHandlerAdapter adapter = new TestHttpWebHandlerAdapter(mock(WebHandler.class));
+			adapter.setApplicationContext(this.context);
+			return adapter;
+		}
+
+		private String getRequestPath(ServerWebExchange exchange) {
+			return exchange.getRequest().getPath().toString();
+		}
+
+	}
+
+	private static class TestHttpWebHandlerAdapter extends HttpWebHandlerAdapter {
+
+		TestHttpWebHandlerAdapter(WebHandler delegate) {
+			super(delegate);
+		}
+
+		@Override
+		protected ServerWebExchange createExchange(ServerHttpRequest request, ServerHttpResponse response) {
+			return super.createExchange(request, response);
+		}
+
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/AuthenticationManagerConfigurationTests.java

@@ -19,7 +19,6 @@ package org.springframework.boot.autoconfigure.security.servlet;
 import org.junit.Test;
 
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
-import org.springframework.boot.autoconfigure.security.servlet.AuthenticationManagerConfiguration;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
 import org.springframework.context.annotation.Bean;

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityAutoConfigurationTests.java

@@ -30,8 +30,6 @@ import org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoCon
 import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration;
 import org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration;
 import org.springframework.boot.autoconfigure.orm.jpa.test.City;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration;
 import org.springframework.boot.test.rule.OutputCapture;
 import org.springframework.boot.test.util.TestPropertyValues;
 import org.springframework.boot.web.servlet.DelegatingFilterProxyRegistrationBean;

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/SecurityFilterAutoConfigurationEarlyInitializationTests.java

@@ -28,8 +28,6 @@ import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
 import org.springframework.boot.autoconfigure.context.PropertyPlaceholderAutoConfiguration;
 import org.springframework.boot.autoconfigure.http.HttpMessageConvertersAutoConfiguration;
 import org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityFilterAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.servlet.DispatcherServletAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration;
 import org.springframework.boot.test.rule.OutputCapture;

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/servlet/StaticResourceRequestTests.java

@@ -25,8 +25,7 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
 
-import org.springframework.boot.autoconfigure.security.servlet.StaticResourceRequest;
-import org.springframework.boot.autoconfigure.security.servlet.StaticResourceRequest.Location;
+import org.springframework.boot.autoconfigure.security.StaticResourceLocation;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockServletContext;
@@ -61,14 +60,14 @@ public class StaticResourceRequestTests {
 	@Test
 	public void toCommonLocationsWithExcludeShouldNotMatchExcluded() {
 		RequestMatcher matcher = StaticResourceRequest.toCommonLocations()
-				.excluding(Location.CSS);
+				.excluding(StaticResourceLocation.CSS);
 		assertMatcher(matcher).doesNotMatch("/css/file.css");
 		assertMatcher(matcher).matches("/js/file.js");
 	}
 
 	@Test
 	public void toLocationShouldMatchLocation() {
-		RequestMatcher matcher = StaticResourceRequest.to(Location.CSS);
+		RequestMatcher matcher = StaticResourceRequest.to(StaticResourceLocation.CSS);
 		assertMatcher(matcher).matches("/css/file.css");
 		assertMatcher(matcher).doesNotMatch("/js/file.js");
 	}
@@ -77,7 +76,7 @@ public class StaticResourceRequestTests {
 	public void toLocationWhenHasServletPathShouldMatchLocation() {
 		ServerProperties serverProperties = new ServerProperties();
 		serverProperties.getServlet().setPath("/foo");
-		RequestMatcher matcher = StaticResourceRequest.to(Location.CSS);
+		RequestMatcher matcher = StaticResourceRequest.to(StaticResourceLocation.CSS);
 		assertMatcher(matcher, serverProperties).matches("/foo", "/css/file.css");
 		assertMatcher(matcher, serverProperties).doesNotMatch("/foo", "/js/file.js");
 	}
@@ -86,14 +85,14 @@ public class StaticResourceRequestTests {
 	public void toLocationsFromSetWhenSetIsNullShouldThrowException() {
 		this.thrown.expect(IllegalArgumentException.class);
 		this.thrown.expectMessage("Locations must not be null");
-		StaticResourceRequest.to((Set<Location>) null);
+		StaticResourceRequest.to((Set<StaticResourceLocation>) null);
 	}
 
 	@Test
 	public void excludeFromSetWhenSetIsNullShouldThrowException() {
 		this.thrown.expect(IllegalArgumentException.class);
 		this.thrown.expectMessage("Locations must not be null");
-		StaticResourceRequest.toCommonLocations().excluding((Set<Location>) null);
+		StaticResourceRequest.toCommonLocations().excluding((Set<StaticResourceLocation>) null);
 	}
 
 	private RequestMatcherAssert assertMatcher(RequestMatcher matcher) {

spring-boot-project/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc

@@ -2981,6 +2981,8 @@ Boot provides convenience methods that can be used to override access rules for
 endpoints and static resources. `EndpointRequest` can be used to create a `ServerWebExchangeMatcher`
 that is based on the `management.endpoints.web.base-path` property.
 
+`StaticResourceRequest` can be used to create a `ServerWebExchangeMatcher` for static resources in
+commonly used locations.
 
 
 [[boot-features-security-oauth2]]

spring-boot-samples/spring-boot-sample-secure-webflux/src/test/java/sample/secure/webflux/SampleSecureWebFluxCustomSecurityTests.java

@@ -23,6 +23,7 @@ import org.junit.runner.RunWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
+import org.springframework.boot.autoconfigure.security.reactive.StaticResourceRequest;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -77,6 +78,12 @@ public class SampleSecureWebFluxCustomSecurityTests {
 				.expectStatus().isOk();
 	}
 
+	@Test
+	public void staticResourceShouldBeAccessible() {
+		this.webClient.get().uri("/css/bootstrap.min.css").accept(MediaType.APPLICATION_JSON).exchange()
+				.expectStatus().isOk();
+	}
+
 	@Configuration
 	static class SecurityConfiguration {
 
@@ -93,7 +100,8 @@ public class SampleSecureWebFluxCustomSecurityTests {
 		SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
 			http.authorizeExchange().matchers(EndpointRequest.to("health", "info"))
 					.permitAll().matchers(EndpointRequest.toAnyEndpoint())
-					.hasRole("ACTUATOR").pathMatchers("/login").permitAll().anyExchange()
+					.hasRole("ACTUATOR").matchers(StaticResourceRequest.toCommonLocations()).permitAll()
+					.pathMatchers("/login").permitAll().anyExchange()
 					.authenticated().and().httpBasic();
 			return http.build();
 		}