Spring Webflux API的自定义身份验证 [英] Spring webflux custom authentication for API

问题描述

我正在为Angular 5应用程序创建API.我想使用JWT进行身份验证.
我想使用Spring Security提供的功能，以便我可以轻松地使用角色.

I am creating an API for an Angular 5 application. I would like to use JWT for authentication.
I would like to use the features that are provided by spring security so I can easily work with roles.

我设法禁用基本身份验证.但是当使用http.authorizeExchange().anyExchange().authenticated();时，仍然会出现登录提示.
我只想输入403而不是提示.因此，用"thing"(是否是过滤器?)覆盖登录提示，该东西会检查Authorization标头中的令牌.

I managed to disable basic authentication. But when using http.authorizeExchange().anyExchange().authenticated(); I still get a login prompt.
I would like to just give a 403 instead of the prompt. So overriding the login prompt by a "thing"(Is it a filter?) that checks the Authorization header for the token.

我只想在将返回JWT令牌的控制器中执行的登录.但是，我应该使用哪种Spring Security Bean来检查用户凭据?我可以构建自己的服务和存储库，但是我想尽可能多地使用spring安全性提供的功能.

The login I just want to do in a controller that will return a JWT token. But what spring security bean I should use for checking user credentials? I can build my own services and repositories, but I would like to use the features provided by spring security as much as possible.

这个问题的简短版本是:
如何自定义Spring Security的身份验证?
我必须创建什么豆?
我必须在哪里放置配置? (我现在有一个SecurityWebFilterChain的豆)

The short version of this question is just:
How can I customize spring security's authentication?
What beans do I have to create?
Where do I have to put the configuration? (I now have a bean of SecurityWebFilterChain)

我可以找到的关于使用Spring Security在Webflux中进行身份验证的唯一文档是:

The only documentation I could find about authentication in webflux with spring security is this: https://docs.spring.io/spring-security/site/docs/5.0.0.BUILD-SNAPSHOT/reference/htmlsingle/#jc-webflux

推荐答案

经过大量搜索和尝试，我认为我已经找到了解决方法:

After a lot of searching and trying I think I have found the solution:

您需要包含所有配置的SecurityWebFilterChain Bean.
这是我的:

You need a bean of SecurityWebFilterChain that contains all configuration.
This is mine:

@Configuration
public class SecurityConfiguration {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private SecurityContextRepository securityContextRepository;

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Disable default security.
        http.httpBasic().disable();
        http.formLogin().disable();
        http.csrf().disable();
        http.logout().disable();

        // Add custom security.
        http.authenticationManager(this.authenticationManager);
        http.securityContextRepository(this.securityContextRepository);

        // Disable authentication for `/auth/**` routes.
        http.authorizeExchange().pathMatchers("/auth/**").permitAll();
        http.authorizeExchange().anyExchange().authenticated();

        return http.build();
    }
}

我已禁用httpBasic，formLogin，csrf和注销，以便可以进行自定义身份验证.

I've disabled httpBasic, formLogin, csrf and logout so I could make my custom authentication.

通过设置AuthenticationManager和SecurityContextRepository，我覆盖了默认的spring安全配置，用于检查用户是否已针对请求进行了身份验证/授权.

By setting the AuthenticationManager and SecurityContextRepository I overridden the default spring security configuration for checking if a user is authenticated/authorized for a request.

身份验证管理器:

@Component
public class AuthenticationManager implements ReactiveAuthenticationManager {

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        // JwtAuthenticationToken is my custom token.
        if (authentication instanceof JwtAuthenticationToken) {
            authentication.setAuthenticated(true);
        }
        return Mono.just(authentication);
    }
}

我不确定身份验证管理器的用途，但是我认为是进行最终身份验证的原因，因此在一切正常的情况下设置authentication.setAuthenticated(true);.

I am not fully sure where the authentication manager is for, but I think for doing the final authentication, so setting authentication.setAuthenticated(true); when everything is right.

SecurityContextRepository:

SecurityContextRepository:

@Component
public class SecurityContextRepository implements ServerSecurityContextRepository {

    @Override
    public Mono<Void> save(ServerWebExchange serverWebExchange, SecurityContext securityContext) {
        // Don't know yet where this is for.
        return null;
    }

    @Override
    public Mono<SecurityContext> load(ServerWebExchange serverWebExchange) {
        // JwtAuthenticationToken and GuestAuthenticationToken are custom Authentication tokens.
        Authentication authentication = (/* check if authenticated based on headers in serverWebExchange */) ? 
            new JwtAuthenticationToken(...) :
            new GuestAuthenticationToken();
        return new SecurityContextImpl(authentication);
    }
}

在负载中，我将基于serverWebExchange中的标头检查用户是否已通过身份验证.我使用 https://github.com/jwtk/jjwt .无论用户是否通过身份验证，我都会返回另一种身份验证令牌.

In the load I will check based on the headers in the serverWebExchange if the user is authenticated. I use https://github.com/jwtk/jjwt. I return a different kind of authentication token if the user is authenticated or not.

这篇关于Spring Webflux API的自定义身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！