使用 spring-security 和响应式 spring 进行自定义身份验证

【问题标题】:Custom authentication with spring-security and reactive spring使用 spring-security 和响应式 spring 进行自定义身份验证
【发布时间】:2019-01-06 23:00:46
【问题描述】:

我有一个自定义身份验证方案。我有一个 REST 端点,它在 http uri 路径中有 userId,在 http 标头中有 token。我想检查此类请求是否由具有有效令牌的有效用户执行。用户和令牌存储在 mongo 集合中。

我不知道我应该在哪个类中授权用户。

我的SecurityConfig

@EnableWebFluxSecurity
class SecurityConfig {

  @Bean
  fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {

    val build = http
        .httpBasic().disable()
        .formLogin().disable()
        .csrf().disable()
        .logout().disable()
        .authenticationManager(CustomReactiveAuthenticationManager())
        .securityContextRepository(CustomServerSecurityContextRepository())
        .authorizeExchange().pathMatchers("/api/measurement/**").hasAuthority("ROLE_USER")
        .anyExchange().permitAll().and()

    return build.build()
  }

  @Bean
  fun userDetailsService(): MapReactiveUserDetailsService {
    val user = User.withDefaultPasswordEncoder()
        .username("sampleDeviceIdV1")
        .password("foo")
        .roles("USER")
        .build()

    return MapReactiveUserDetailsService(user)
  }
}

我的ServerSecurityContextRepository

class CustomServerSecurityContextRepository : ServerSecurityContextRepository {

  override fun load(exchange: ServerWebExchange): Mono<SecurityContext> {
    val authHeader = exchange.request.headers.getFirst(HttpHeaders.AUTHORIZATION)
    val path = exchange.request.uri.path


    return if (path.startsWith("/api/measurement/") && authHeader != null && authHeader.startsWith(prefix = "Bearer ")) {
      val deviceId = path.drop(17)

      val authToken = authHeader.drop(7)
      val auth = UsernamePasswordAuthenticationToken(deviceId, authToken)
      Mono.just(SecurityContextImpl(auth))
    } else {
      Mono.empty()
    }
  }

  override fun save(exchange: ServerWebExchange?, context: SecurityContext?): Mono<Void> {
    return Mono.empty()
  }
}

出现两个问题:

  1. ServerSecurityContextRepository 是从交易所获取用户名和令牌的好地方 - 还是有更好的地方来做?

  2. 我应该在哪里执行身份验证(根据 mongo 集合检查令牌和用户名)? 我的自定义 AuthenticationManager 不会在任何地方被调用。我应该在ServerSecurityContextRepository 内执行所有操作还是在ReactiveAuthenticationManager 内执行用户和令牌验证?或者其他班级可能更合适?

【问题讨论】:

    标签: spring-boot spring-security kotlin spring-webflux


    【解决方案1】:

    事实证明,网络上的一些教程是完全错误的。

    我已经设法使用以下代码配置了所有内容:

    class DeviceAuthenticationConverter : Function<ServerWebExchange, Mono<Authentication>> {
  override fun apply(exchange: ServerWebExchange): Mono<Authentication> {
    val authHeader: String? = exchange.request.headers.getFirst(HttpHeaders.AUTHORIZATION)
    val path: String? = exchange.request.uri.path

    return when {
      isValidPath(path) && isValidHeader(authHeader) -> Mono.just(UsernamePasswordAuthenticationToken(path?.drop(17), authHeader?.drop(7)))
      else -> Mono.empty()
    }
  }

  private fun isValidPath(path: String?) = path != null && path.startsWith(API_MEASUREMENT)

  private fun isValidHeader(authHeader: String?) = authHeader != null && authHeader.startsWith(prefix = "Bearer ")

}

    和配置:

    @EnableWebFluxSecurity
class SecurityConfig {

  companion object {
    const val API_MEASUREMENT = "/api/measurement/"
    const val API_MEASUREMENT_PATH = "$API_MEASUREMENT**"
    const val DEVICE = "DEVICE"
    const val DEVICE_ID = "deviceId"
  }

  @Bean
  fun securityWebFilterChain(http: ServerHttpSecurity, authenticationManager: ReactiveAuthenticationManager) =
      http
          .httpBasic().disable()
          .formLogin().disable()
          .csrf().disable()
          .logout().disable()
          .authorizeExchange().pathMatchers(API_MEASUREMENT_PATH).hasRole(DEVICE)
          .anyExchange().permitAll().and().addFilterAt(authenticationWebFilter(authenticationManager), AUTHENTICATION).build()

  @Bean
  fun userDetailsService(tokenRepository: TokenRepository) = MongoDeviceTokenReactiveUserDetailsService(tokenRepository)

  @Bean
  fun tokenRepository(template: ReactiveMongoTemplate, passwordEncoder: PasswordEncoder) = MongoTokenRepository(template, passwordEncoder)

  @Bean
  fun tokenFacade(tokenRepository: TokenRepository) = TokenFacade(tokenRepository)

  @Bean
  fun authManager(userDetailsService: ReactiveUserDetailsService) = UserDetailsRepositoryReactiveAuthenticationManager(userDetailsService)

  private fun authenticationWebFilter(reactiveAuthenticationManager: ReactiveAuthenticationManager) =
      AuthenticationWebFilter(reactiveAuthenticationManager).apply {
        setAuthenticationConverter(DeviceAuthenticationConverter())
        setRequiresAuthenticationMatcher(
            ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, API_MEASUREMENT_PATH)
        )
      }

  @Bean
  fun passwordEncoder() = PasswordEncoderFactories.createDelegatingPasswordEncoder()
}

    【讨论】:

      猜你喜欢
      • 2018-10-09
      • 2014-04-20
      • 2014-12-13
      • 2014-07-03
      • 2016-09-05
      • 2016-08-05
      • 2020-12-05
      • 2015-04-27
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode