Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
729 views
in Technique[技术] by (71.8m points)

java - Authentication by certificate for WebFlux?

In the regular Servlet API for Spring Boot Web, there is the .x509() of the HttpSecurity configuration. But in WebFlux's ServerHttpSecurity I can't find anything similar to it.

What is the equivalent of.x509().subjectPrincipalRegex(...) in WebFlux

End goal is to get the certificate subject as the username sent to ReactiveUserDetailsService.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I don't think there is a X509 filter as there was in the previous versions of spring, so you'll have to implement your own version of it. Fortunately the handy org.springframework.security.web.server.authentication.AuthenticationWebFilter provides the pattern for the authentication flow but you'll have to extract the subject from the cert/request yourself.

The first thing you'll have to do is setup an the authentication converter to extract the subject from the cert.

public class X509AuthenticationConverter implements Function<ServerWebExchange, Mono<Authentication>> {

    @Override
    public Mono<Authentication> apply(ServerWebExchange exchange) {
        ServerHttpRequest request = exchange.getRequest();
        try {
           // extract credentials here
           Authentication authentication = ...
           return Mono.just(authentication);
        } catch (Exception e) {
           // log error here
           return Mono.empty();
        }
    }
}

Now on our config we create the filter and converter beans and set the converter into the filter.

@Bean
public X509AuthenticationConverter x509AuthenticationConverter() {
    return new X509AuthenticationConverter();
}

@Bean
public AuthenticationWebFilter x509AuthenticationWebFilter(ReactiveAuthenticationManager reactiveAuthenticationManager,
                                                          X509AuthenticationConverter x509AuthenticationConverter) {
    AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(reactiveAuthenticationManager);
    authenticationWebFilter.setAuthenticationConverter(x509AuthenticationConverter);
    return authenticationWebFilter;
}

And finally configure security

@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http, AuthenticationWebFilter x509AuthenticationWebFilter) {
    return http
            .addFilterAt(x509AuthenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION)
            //...
            .build();
}

This will work just as well with other authentication mechanisms.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...