
How can I add multiple user roles to a single pathMatcher/route in Spring WebFlux Security (Reactive Spring Security) config?

I have a route that needs to be authenticated for more than one user. I am performing integration testing on a Spring Cloud Gateway service to test whether the security of all the routes is working as expected. How can I add more than one user role to a single pathMatcher/route?

Using Spring Boot 2.1.6, Spring Cloud Finchley.SR2, Spring Cloud Gateway, Spring WebFlux Security (Reactive Spring Security)

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Route prefix; the post does not show how it is set, so a field is assumed here
    private final String prefix = "/api";

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // The bean method must return the built filter chain
        return http.csrf().disable()
                .formLogin().disable()
                .logout().disable()
                .authorizeExchange()
                    .pathMatchers(prefix + "/publish/**")
                    .hasRole("XYZ_ROLE") // Here I want to add more than one user role
                    .anyExchange().authenticated()
                .and()
                .httpBasic()
                .and()
                .build();
    }
}
```

EDIT:

After looking through the Spring Security source code and GitHub issues, I found out that hasAnyRole and hasAnyAuthority have been implemented for Spring Security for WebFlux and are planned to be released in Spring Security v5.2.0.

As of writing, the current stable version is 5.1.6, but 5.2.0 is at milestone 4, so it should be released very soon. You can use the snapshot version of 5.2.0 if needed.

The only other current option, if not using the snapshot, is to implement your own custom ReactiveAuthorizationManager and use the ServerHttpSecurity.AuthorizeExchangeSpec#access function.

OLD ANSWER, ONLY APPLICABLE TO STANDARD SPRING SECURITY, NOT WEBFLUX:

You can try out hasAnyRole(String... roles).

After going down the rabbit hole, I found a solution to authorize for multiple roles using Reactive Spring Security. Find the solution below:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Route prefix; the post does not show how it is set, so a field is assumed here
    private final String prefix = "/api";

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http.csrf().disable()
                .formLogin().disable()
                .logout().disable()
                .authorizeExchange()
                    // access() takes a ReactiveAuthorizationManager<AuthorizationContext>:
                    // (Mono<Authentication>, AuthorizationContext) -> Mono<AuthorizationDecision>
                    .pathMatchers(prefix + "/publish/**").access((mono, context) -> mono
                            // Authorizing for multiple user roles
                            .map(auth -> auth.getAuthorities().stream()
                                    .anyMatch(e -> e.getAuthority().equals("ROLE_ABC")
                                            || e.getAuthority().equals("ROLE_XYZ")))
                            // If the exchange carries no Authentication the Mono is empty,
                            // which Spring Security treats as access denied
                            .map(AuthorizationDecision::new))
                    .anyExchange().authenticated()
                .and()
                .httpBasic()
                .and()
                .build();
    }
}
```
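The following is an added example, not code from either answer above: it turns the custom ReactiveAuthorizationManager that the first answer recommends, and the inline access() lambda in the second answer, into a reusable hasAnyRole(...) factory for Spring Security 5.1.x, wires it into the same filter chain, and drives the manager directly with constructed TestingAuthenticationToken instances so the rule can be checked without starting the gateway. The prefix value "/api", the role names ABC and XYZ (taken from the second answer) and the user names are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Assumed route prefix; the original post does not show where `prefix` is defined
    static final String PREFIX = "/api";

    /**
     * Grants access when the caller holds at least one of the given roles, given
     * without the "ROLE_" prefix exactly as hasRole() expects. This is the check
     * that hasAnyRole() performs in Spring Security 5.2+, written out so it can be
     * used on 5.1.x through access().
     */
    static ReactiveAuthorizationManager<AuthorizationContext> hasAnyRole(String... roles) {
        Set<String> wanted = Arrays.stream(roles)
                .map(role -> "ROLE_" + role)
                .collect(Collectors.toSet());
        return (authentication, context) -> authentication
                // ignore tokens that were never authenticated
                .filter(Authentication::isAuthenticated)
                .map(auth -> auth.getAuthorities().stream()
                        .map(GrantedAuthority::getAuthority)
                        .anyMatch(wanted::contains))
                // an empty Mono means the exchange carries no Authentication at all:
                // answer with an explicit denial rather than an empty result
                .defaultIfEmpty(false)
                .map(AuthorizationDecision::new);
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http.csrf().disable()
                .formLogin().disable()
                .logout().disable()
                .authorizeExchange()
                    // On Spring Security 5.2+ this line can be replaced by
                    // .pathMatchers(PREFIX + "/publish/**").hasAnyRole("ABC", "XYZ")
                    .pathMatchers(PREFIX + "/publish/**").access(hasAnyRole("ABC", "XYZ"))
                    .anyExchange().authenticated()
                .and()
                .httpBasic()
                .and()
                .build();
    }

    /** Evaluates the manager for one principal; the AuthorizationContext is not consulted by hasAnyRole(). */
    static boolean granted(ReactiveAuthorizationManager<AuthorizationContext> manager,
                           Mono<Authentication> authentication) {
        AuthorizationDecision decision = manager.check(authentication, null).block();
        return decision != null && decision.isGranted();
    }

    public static void main(String[] args) {
        ReactiveAuthorizationManager<AuthorizationContext> publish = hasAnyRole("ABC", "XYZ");

        // Constructed sample principals. The varargs constructor marks the token authenticated;
        // the two-argument one leaves it unauthenticated.
        Authentication abc = new TestingAuthenticationToken("alice", "n/a", "ROLE_ABC");
        Authentication xyz = new TestingAuthenticationToken("bob", "n/a", "ROLE_XYZ");
        Authentication other = new TestingAuthenticationToken("mallory", "n/a", "ROLE_OTHER");
        Authentication unauthenticated = new TestingAuthenticationToken("eve", "n/a");

        if (!granted(publish, Mono.just(abc))) throw new AssertionError("ROLE_ABC must be granted");
        if (!granted(publish, Mono.just(xyz))) throw new AssertionError("ROLE_XYZ must be granted");
        if (granted(publish, Mono.just(other))) throw new AssertionError("ROLE_OTHER must be denied");
        if (granted(publish, Mono.just(unauthenticated))) throw new AssertionError("unauthenticated token must be denied");
        if (granted(publish, Mono.empty())) throw new AssertionError("missing Authentication must be denied");
        System.out.println("publish route authorization rules behave as expected");
    }
}
```

The factory keeps role handling in one place, so the "ROLE_" prefix cannot be forgotten on one branch of an inline lambda, and the explicit defaultIfEmpty(false) makes the unauthenticated case a deliberate decision rather than a side effect of an empty Mono. Once the gateway is on Spring Security 5.2 or later, the access(hasAnyRole(...)) call can be swapped for the built-in hasAnyRole("ABC", "XYZ") without changing the rest of the chain.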


The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
