java - 将 Spring Security AbstractAuthenticationProcessingFilter 迁移到 WebFlux
问题描述
我正在更新一个旧应用程序以使用 WebFlux,但是在使用 Spring Security 处理 JWT 验证时我有点迷失了。
现有代码(适用于标准 Spring Web)如下所示:
(验证 Firebase 令牌)
public class FirebaseAuthenticationTokenFilter extends AbstractAuthenticationProcessingFilter {
private static final String TOKEN_HEADER = "X-Firebase-Auth";
public FirebaseAuthenticationTokenFilter() {
super("/v1/**");
}
@Override
public Authentication attemptAuthentication(
final HttpServletRequest request, final HttpServletResponse response) {
for (final Enumeration<?> e = request.getHeaderNames(); e.hasMoreElements(); ) {
final String nextHeaderName = (String) e.nextElement();
final String headerValue = request.getHeader(nextHeaderName);
}
final String authToken = request.getHeader(TOKEN_HEADER);
if (Strings.isNullOrEmpty(authToken)) {
throw new RuntimeException("Invaild auth token");
}
return getAuthenticationManager().authenticate(new FirebaseAuthenticationToken(authToken));
}
但是,当切换到 WebFlux 时,我们会丢失HttpServletRequest和HttpServletResponse. 有一个 GitHub 问题,表明有另一种方法/修复https://github.com/spring-projects/spring-security/issues/5328但是通过它我无法确定实际更改的内容这项工作。
Spring Security 文档虽然很棒,但并没有真正解释如何处理用例。
关于如何进行的任何提示?
解决方案
最后到达那里:
首先需要像以前一样使用自定义过滤器更新过滤器链
@Configuration
public class SecurityConfig {
private final FirebaseAuth firebaseAuth;
public SecurityConfig(final FirebaseAuth firebaseAuth) {
this.firebaseAuth = firebaseAuth;
}
@Bean
public SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity http) {
http.authorizeExchange()
.and()
.authorizeExchange()
.pathMatchers("/v1/**")
.authenticated()
.and()
.addFilterAt(firebaseAuthenticationFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
.csrf()
.disable();
return http.build();
}
private AuthenticationWebFilter firebaseAuthenticationFilter() {
final AuthenticationWebFilter webFilter =
new AuthenticationWebFilter(new BearerTokenReactiveAuthenticationManager());
webFilter.setServerAuthenticationConverter(new FirebaseAuthenticationConverter(firebaseAuth));
webFilter.setRequiresAuthenticationMatcher(ServerWebExchangeMatchers.pathMatchers("/v1/**"));
return webFilter;
}
}
该过程的主要工作是FirebaseAuthenticationConverter我针对 Firebase 验证传入的 JWT,并针对它执行一些标准逻辑。
@Slf4j
@Component
@RequiredArgsConstructor
public class FirebaseAuthenticationConverter implements ServerAuthenticationConverter {
private static final String BEARER = "Bearer ";
private static final Predicate<String> matchBearerLength =
authValue -> authValue.length() > BEARER.length();
private static final Function<String, Mono<String>> isolateBearerValue =
authValue -> Mono.justOrEmpty(authValue.substring(BEARER.length()));
private final FirebaseAuth firebaseAuth;
private Mono<FirebaseToken> verifyToken(final String unverifiedToken) {
try {
final ApiFuture<FirebaseToken> task = firebaseAuth.verifyIdTokenAsync(unverifiedToken);
return Mono.justOrEmpty(task.get());
} catch (final Exception e) {
throw new SessionAuthenticationException(e.getMessage());
}
}
private Mono<FirebaseUserDetails> buildUserDetails(final FirebaseToken firebaseToken) {
return Mono.just(
FirebaseUserDetails.builder()
.email(firebaseToken.getEmail())
.picture(firebaseToken.getPicture())
.userId(firebaseToken.getUid())
.username(firebaseToken.getName())
.build());
}
private Mono<Authentication> create(final FirebaseUserDetails userDetails) {
return Mono.justOrEmpty(
new UsernamePasswordAuthenticationToken(
userDetails.getEmail(), null, userDetails.getAuthorities()));
}
@Override
public Mono<Authentication> convert(final ServerWebExchange exchange) {
return Mono.justOrEmpty(exchange)
.flatMap(AuthorizationHeaderPayload::extract)
.filter(matchBearerLength)
.flatMap(isolateBearerValue)
.flatMap(this::verifyToken)
.flatMap(this::buildUserDetails)
.flatMap(this::create);
}
}
推荐阅读
- text - Power BI:确认三列的文本为="yes"
- javascript - 拆分字符串中未定义
- python - 基于python中的文件扩展名以编程方式确定编程语言
- azure-devops - 如何在 MSBuild 任务中指定“发布”而不是调试?
- scala - IPv6ToBigInteger
- flutter - 在登录/注册时重新触发 FutureBuilder
- c++ - 为 Visual Studio 安装 Matplotlib-cpp
- typescript - 从泛型参数扩展的打字稿
- python - scipy.stats.norm.pdf 和手动绘制高斯之间的区别
- r - R:如何从多个栅格创建概率栅格