用于 API 的 Spring webflux 自定义身份验证 [英] Spring webflux custom authentication for API

问题描述

我正在为 Angular 5 应用程序创建 API.我想使用 JWT 进行身份验证.
我想使用 spring security 提供的功能，以便我可以轻松地处理角色.

I am creating an API for an Angular 5 application. I would like to use JWT for authentication.
I would like to use the features that are provided by spring security so I can easily work with roles.

我设法禁用了基本身份验证.但是当使用 http.authorizeExchange().anyExchange().authenticated(); 时，我仍然收到登录提示.
我只想给出 403 而不是提示.因此，通过检查令牌的 Authorization 标头的事物"(它是过滤器吗?)覆盖登录提示.

I managed to disable basic authentication. But when using http.authorizeExchange().anyExchange().authenticated(); I still get a login prompt.
I would like to just give a 403 instead of the prompt. So overriding the login prompt by a "thing"(Is it a filter?) that checks the Authorization header for the token.

我只想在将返回 JWT 令牌的控制器中进行的登录.但是我应该使用什么 spring 安全 bean 来检查用户凭据?我可以构建自己的服务和存储库，但我想尽可能地使用 spring security 提供的功能.

The login I just want to do in a controller that will return a JWT token. But what spring security bean I should use for checking user credentials? I can build my own services and repositories, but I would like to use the features provided by spring security as much as possible.

这个问题的简短版本是:
如何自定义 Spring Security 的身份验证?
我必须创建哪些 bean?
我必须把配置放在哪里?(我现在有一个 SecurityWebFilterChain 的 bean)

The short version of this question is just:
How can I customize spring security's authentication?
What beans do I have to create?
Where do I have to put the configuration? (I now have a bean of SecurityWebFilterChain)

我能找到的关于 webflux 中使用 spring 安全性进行身份验证的唯一文档是:https://docs.spring.io/spring-security/site/docs/5.0.0.BUILD-SNAPSHOT/reference/htmlsingle/#jc-webflux

The only documentation I could find about authentication in webflux with spring security is this: https://docs.spring.io/spring-security/site/docs/5.0.0.BUILD-SNAPSHOT/reference/htmlsingle/#jc-webflux

推荐答案

经过大量的搜索和尝试，我想我已经找到了解决方案:

After a lot of searching and trying I think I have found the solution:

您需要一个包含所有配置的 SecurityWebFilterChain bean.
这是我的:

You need a bean of SecurityWebFilterChain that contains all configuration.
This is mine:

@Configuration
public class SecurityConfiguration {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private SecurityContextRepository securityContextRepository;

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Disable default security.
        http.httpBasic().disable();
        http.formLogin().disable();
        http.csrf().disable();
        http.logout().disable();

        // Add custom security.
        http.authenticationManager(this.authenticationManager);
        http.securityContextRepository(this.securityContextRepository);

        // Disable authentication for `/auth/**` routes.
        http.authorizeExchange().pathMatchers("/auth/**").permitAll();
        http.authorizeExchange().anyExchange().authenticated();

        return http.build();
    }
}

我已禁用 httpBasic、formLogin、csrf 和注销，以便我可以进行自定义身份验证.

I've disabled httpBasic, formLogin, csrf and logout so I could make my custom authentication.

通过设置 AuthenticationManager 和 SecurityContextRepository，我覆盖了默认的 spring 安全配置，用于检查用户是否通过了请求的身份验证/授权.

By setting the AuthenticationManager and SecurityContextRepository I overridden the default spring security configuration for checking if a user is authenticated/authorized for a request.

身份验证管理器:

@Component
public class AuthenticationManager implements ReactiveAuthenticationManager {

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        // JwtAuthenticationToken is my custom token.
        if (authentication instanceof JwtAuthenticationToken) {
            authentication.setAuthenticated(true);
        }
        return Mono.just(authentication);
    }
}

我不完全确定身份验证管理器的用途，但我认为进行最终身份验证，因此在一切正常时设置 authentication.setAuthenticated(true);.

I am not fully sure where the authentication manager is for, but I think for doing the final authentication, so setting authentication.setAuthenticated(true); when everything is right.

SecurityContextRepository:

SecurityContextRepository:

@Component
public class SecurityContextRepository implements ServerSecurityContextRepository {

    @Override
    public Mono<Void> save(ServerWebExchange serverWebExchange, SecurityContext securityContext) {
        // Don't know yet where this is for.
        return null;
    }

    @Override
    public Mono<SecurityContext> load(ServerWebExchange serverWebExchange) {
        // JwtAuthenticationToken and GuestAuthenticationToken are custom Authentication tokens.
        Authentication authentication = (/* check if authenticated based on headers in serverWebExchange */) ? 
            new JwtAuthenticationToken(...) :
            new GuestAuthenticationToken();
        return new SecurityContextImpl(authentication);
    }
}

在加载中，我将根据 serverWebExchange 中的标头检查用户是否已通过身份验证.我使用 https://github.com/jwtk/jjwt.无论用户是否通过身份验证，我都会返回不同类型的身份验证令牌.

In the load I will check based on the headers in the serverWebExchange if the user is authenticated. I use https://github.com/jwtk/jjwt. I return a different kind of authentication token if the user is authenticated or not.

这篇关于用于 API 的 Spring webflux 自定义身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！