Reactive-Spring-Security-5.1.3.RELEASE, multiple authorizations

Problem description

We have some endpoints that are secured, and before accessing them we verify that the jws is correct. In order to do that, we've defined a SecurityContext that actually persists the Auth pojo so we can manipulate it downstream in the controller. The SecurityWebFilterChain config looks like this:

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    return http.csrf().disable()
            .formLogin().disable()
            .logout().disable()
            .httpBasic().disable()
            .securityContextRepository(securityContext)
            .authorizeExchange()
            .anyExchange().authenticated()
            .and()
            .build();
}

The calls were internally made, and we just verified the jws token.

Right now some external clients need to integrate with us, and we need to verify a jwe token. The thing is that somehow we need to tell spring-security to validate the jws for the existing endpoints and the jwe for the new one.

I tried specifying multiple security matchers, but it failed :(. Do you have any other suggestions?

Recommended answer

You can expose more than one bean. I recommend specifying an order:

@Bean
@Order(1)
public SecurityWebFilterChain first(ServerHttpSecurity http) {
    http
        .securityMatcher(...)
        ...

    return http.build();
}

@Bean
@Order(2)
public SecurityWebFilterChain second(ServerHttpSecurity http) {
    http
        .securityMatcher(...)
        ...

    return http.build();
}

As a side note, Spring Security does ship with support for verifying JWS tokens reactively, and you might be able to remove some boilerplate by using it.
