堆栈内存溢出
  繁体   English   中英

将 Spring Security AbstractAuthenticationProcessingFilter 迁移到 WebFlux

[英]Migrating Spring Security AbstractAuthenticationProcessingFilter to WebFlux

 原文  2019-12-12 19:18:29       java/ spring/ spring-security/ spring-webflux

问题描述

我正在更新一个旧应用程序以使用 WebFlux,但是在使用 Spring Security 处理 JWT 验证时我有点迷失了。

现有代码(适用于标准 Spring Web)如下所示:

(验证 Firebase 令牌)

public class FirebaseAuthenticationTokenFilter extends AbstractAuthenticationProcessingFilter {

  private static final String TOKEN_HEADER = "X-Firebase-Auth";

  public FirebaseAuthenticationTokenFilter() {
    super("/v1/**");
  }

  @Override
  public Authentication attemptAuthentication(
      final HttpServletRequest request, final HttpServletResponse response) {

    for (final Enumeration<?> e = request.getHeaderNames(); e.hasMoreElements(); ) {
      final String nextHeaderName = (String) e.nextElement();
      final String headerValue = request.getHeader(nextHeaderName);
    }

    final String authToken = request.getHeader(TOKEN_HEADER);
    if (Strings.isNullOrEmpty(authToken)) {
      throw new RuntimeException("Invaild auth token");
    }

    return getAuthenticationManager().authenticate(new FirebaseAuthenticationToken(authToken));
  }

然而,当切换到 WebFlux 时,我们丢失了HttpServletRequestHttpServletResponse 有一个 GitHub 问题表明有一个替代方法/修复https://github.com/spring-projects/spring-security/issues/5328但是通过它我无法确定实际更改的内容这项工作。

Spring Security 文档虽然很棒,但并没有真正解释如何处理用例。

有关如何进行的任何提示?

2 个解决方案

解决方案1
 1 已采纳  2019-12-21 16:05:25

最后到达那里:

首先需要像以前一样使用自定义过滤器更新过滤器链

@Configuration
public class SecurityConfig {

  private final FirebaseAuth firebaseAuth;

  public SecurityConfig(final FirebaseAuth firebaseAuth) {

    this.firebaseAuth = firebaseAuth;
  }

  @Bean
  public SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity http) {

    http.authorizeExchange()
        .and()
        .authorizeExchange()
        .pathMatchers("/v1/**")
        .authenticated()
        .and()
        .addFilterAt(firebaseAuthenticationFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
        .csrf()
        .disable();

    return http.build();
  }

  private AuthenticationWebFilter firebaseAuthenticationFilter() {
    final AuthenticationWebFilter webFilter =
        new AuthenticationWebFilter(new BearerTokenReactiveAuthenticationManager());

    webFilter.setServerAuthenticationConverter(new FirebaseAuthenticationConverter(firebaseAuth));
    webFilter.setRequiresAuthenticationMatcher(ServerWebExchangeMatchers.pathMatchers("/v1/**"));

    return webFilter;
  }
}

该过程的主要工作是FirebaseAuthenticationConverter ,我在其中根据 Firebase 验证传入的 JWT,并对其执行一些标准逻辑。

@Slf4j
@Component
@RequiredArgsConstructor
public class FirebaseAuthenticationConverter implements ServerAuthenticationConverter {

  private static final String BEARER = "Bearer ";

  private static final Predicate<String> matchBearerLength =
      authValue -> authValue.length() > BEARER.length();

  private static final Function<String, Mono<String>> isolateBearerValue =
      authValue -> Mono.justOrEmpty(authValue.substring(BEARER.length()));

  private final FirebaseAuth firebaseAuth;

  private Mono<FirebaseToken> verifyToken(final String unverifiedToken) {
    try {
      final ApiFuture<FirebaseToken> task = firebaseAuth.verifyIdTokenAsync(unverifiedToken);

      return Mono.justOrEmpty(task.get());
    } catch (final Exception e) {
      throw new SessionAuthenticationException(e.getMessage());
    }
  }

  private Mono<FirebaseUserDetails> buildUserDetails(final FirebaseToken firebaseToken) {
    return Mono.just(
        FirebaseUserDetails.builder()
            .email(firebaseToken.getEmail())
            .picture(firebaseToken.getPicture())
            .userId(firebaseToken.getUid())
            .username(firebaseToken.getName())
            .build());
  }

  private Mono<Authentication> create(final FirebaseUserDetails userDetails) {
    return Mono.justOrEmpty(
        new UsernamePasswordAuthenticationToken(
            userDetails.getEmail(), null, userDetails.getAuthorities()));
  }

  @Override
  public Mono<Authentication> convert(final ServerWebExchange exchange) {
    return Mono.justOrEmpty(exchange)
        .flatMap(AuthorizationHeaderPayload::extract)
        .filter(matchBearerLength)
        .flatMap(isolateBearerValue)
        .flatMap(this::verifyToken)
        .flatMap(this::buildUserDetails)
        .flatMap(this::create);
  }
}

解决方案2
 0  2021-08-21 14:39:42

对于上一个答案,可以补充说这种方法也可以正常工作:

private Mono<FirebaseToken> verifyToken(final String unverifiedToken) {
        try {
            return Mono.just(FirebaseAuth.getInstance().verifyIdToken(unverifiedToken));
        } catch (final Exception e) {
            throw new SessionAuthenticationException(e.getMessage());
        }
    }

并且这个不提供关于不必要使用阻塞方法的警告(如get()

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Security AbstractAuthenticationProcessingFilter扩展丢失实例变量值 使用HandlerInterceptor或AbstractAuthenticationProcessingFilter进行Spring身份验证 将 spring-statemachine 工厂迁移到响应式 webflux 将Spring Security 2迁移到3时出错 带有 WebFlux 用户禁用功能的 Spring Security 5.1.5 不起作用 Spring WebFlux 安全 OAuth 2.0 用户服务 Spring 网关(webflux) - oauth 安全 - 问题 Spring webflux 安全 - 使用属性禁用 csrf 如何在反应式 webflux 中获取 spring 安全上下文 从版本 3 迁移到版本 4 后,Spring Security 无法正常工作
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM