Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
412 views
in Technique[技术] by (71.8m points)

spring security - EnableReactiveMethodSecurity for a reactive kotlin application with coroutines

Assuming I have a spring-boot application (2.4.1) written in Kotlin with using coroutines for reactiveness. I consciously avoided using the Reactor's Mono/Flux in favor of coroutines with suspended functions. I need to set up Method Security from Spring Security in order to use @PreAuthorized annotation. Here is my controller:

@RestController
@CrossOrigin(origins = arrayOf("*"))
class SearchController(private val searchService: SearchService) {

    @PreAuthorize("hasRole('SOME_ROLE')")
    @PostMapping("/v3/global-entities/{globalEntityId}/something")
    suspend fun something(
        @PathVariable globalEntityId: String,
        @RequestBody @Valid something: Something
    ): SomethingCollection =
        searchService.findSomething(globalEntityId, something)
}

and Spring Security configuration:

@Configuration
@EnableReactiveMethodSecurity
@EnableWebFluxSecurity
class SecurityConfiguration {
    companion object {
        val UNPROTECTED_ENDPOINTS = arrayOf("/version", "/health", "/metrics")
    }

    @Bean
    fun springSecurityFilterChain(
        http: ServerHttpSecurity,
        securityContextRepository: ServerSecurityContextRepository
    ): SecurityWebFilterChain {
        return http.securityContextRepository(securityContextRepository)
            .csrf().disable()
            .httpBasic().disable()
            .authorizeExchange()
            .pathMatchers(HttpMethod.GET, *UNPROTECTED_ENDPOINTS).permitAll()
            .anyExchange().authenticated()
            .and()
            .exceptionHandling().accessDeniedHandler(accessDeniedHandler())
            .and()
            .build()
    }
}

When I try to test the endpoint I get following error:

java.lang.IllegalStateException: The returnType class java.lang.Object on public java.lang.Object com....SearchController.something(java.lang.String,com...Something,kotlin.coroutines.Continuation) must return an instance of org.reactivestreams.Publisher (i.e. Mono / Flux) in order to support Reactor Context
    at org.springframework.util.Assert.state(Assert.java:97) ~[spring-core-5.3.2.jar:5.3.2]
    Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 

Any recommendations on how to workaround it?

PS it seems to be a known limitation please vote on the https://github.com/spring-projects/spring-security/issues/8143 to get it fixed by spring guys.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
等待大神答复

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...