【发布时间】:2021-12-26 05:34:18
【问题描述】:
我正在使用带有 webflux 安全性的 Spring boot 2.5.6。
@EnableWebFluxSecurity
public class AdminSecurityConfig {
@Bean
public SecurityWebFilterChain securitygWebFilterChain(final ServerHttpSecurity http,
final ReactiveAuthenticationManager authManager,
final ServerSecurityContextRepository securityContextRepository,
final MyAuthenticationFailureHandler failureHandler) {
http.securityContextRepository(securityContextRepository);
return http.authorizeExchange().matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.pathMatchers(props.getSecurity().getIgnorePatterns()).permitAll()
.pathMatchers("/api/v1/service/test").hasAuthority("DEFAULT")
.anyExchange().authenticated()
.and()
.formLogin()
.loginPage("/login")
.authenticationSuccessHandler(authSuccessHandler())
.and()
.exceptionHandling()
.authenticationEntryPoint((exchange, exception) -> Mono.error(exception))
.accessDeniedHandler((exchange, exception) -> Mono.error(exception))
.and()
.build();
}
@Bean
public PasswordEncoder passwordEncoder() {
// return new BCryptPasswordEncoder();
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
@Bean
public ReactiveAuthenticationManager authenticationManager() {
final UserDetailsRepositoryReactiveAuthenticationManager authenticationManager = new UserDetailsRepositoryReactiveAuthenticationManager(
userDetailsService);
authenticationManager.setPasswordEncoder(passwordEncoder());
return authenticationManager;
}
@Bean
public ServerSecurityContextRepository securityContextRepository() {
final WebSessionServerSecurityContextRepository securityContextRepository = new WebSessionServerSecurityContextRepository();
securityContextRepository.setSpringSecurityContextAttrName("my-security-context");
return securityContextRepository;
}
}
Mono<Principal> principal = ReactiveSecurityContextHolder.getContext().map(SecurityContext::getAuthentication).cast(Principal.class);
final MyAppUserDetails user = (MyAppUserDetails) ((UsernamePasswordAuthenticationToken) principal) .getPrincipal();
在这里我可以检索登录的用户详细信息。 MyAppUserDetails 将包含用户详细信息,例如名字、姓氏、电子邮件、用户 ID、组织 ID、...。 现在,我想在用户登录后更新会话中的用户详细信息,比如更改用户名而不要求用户注销和登录。
我尝试了下面的代码,但不确定如何设置凭据并将更新的用户设置到安全上下文中,以便下一次从安全上下文获取当前用户调用将返回更新的用户。
final MyAppUserDetails appUser = new MyAppUserDetails("firstName", "lastName", "email", 1, 4);
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(appUser, ....);
ReactiveSecurityContextHolder.withAuthentication(authentication);
【问题讨论】:
-
请发布您的休息端点和请求的样子
-
下一个调用是什么意思?这些调用是如何实现的?
-
@tmarwen,更新了我的问题
-
请参阅 AuthenticationWebFilter 以获取有关其在框架内部如何工作的提示。
-
@SteveRiesenberg 获取会话 --> request.exchange().getSession();更新上下文 --> final SecurityContext context = session.getAttribute("security-context"); context.setAuthentication(token); // 这里是新的令牌。有用。为什么我们需要调用serverSecurityContextRepository.save???
标签: java spring-security spring-webflux reactivesecuritycontextholder