Spring 安全性 - 使用 RouterFunction 时主体始终为 null
Spring Security - Principal is always null using RouterFunction
我使用 Spring WebFlux 和 RouterFunction 来定义我的 API 端点。我 Spring 安全配置如下:
@Bean
fun security(httpSecurity: ServerHttpSecurity): SecurityWebFilterChain {
return httpSecurity
.authenticationManager(authenticationManager)
// disable default security
.httpBasic().disable()
.formLogin().disable()
.logout().disable()
.csrf().disable()
.addFilterAt(apiAuthenticationWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
.authorizeExchange()
.pathMatchers("/app/health").permitAll()
.pathMatchers("/app/info", "/app/loggers", "/app/metrics").hasAuthority(SecurityRole.SYSTEM)
.anyExchange()
.authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationFailureHandler)
.and()
.build()
}
@Bean
fun securityContextRepository(): NoOpServerSecurityContextRepository {
return NoOpServerSecurityContextRepository.getInstance()
}
private fun apiAuthenticationWebFilter(): AuthenticationWebFilter {
val apiAuthenticationWebFilter = AuthenticationWebFilter(authenticationManager)
apiAuthenticationWebFilter.setAuthenticationFailureHandler(ServerAuthenticationEntryPointFailureHandler(jwtAuthenticationFailureHandler))
apiAuthenticationWebFilter.setAuthenticationConverter(jwtAuthenticationConverter)
apiAuthenticationWebFilter.setRequiresAuthenticationMatcher(PathPatternParserServerWebExchangeMatcher("/**"))
apiAuthenticationWebFilter.setSecurityContextRepository(securityContextRepository())
return apiAuthenticationWebFilter
}
RouterFunction 声明如下:
@Bean
fun apiRouter(testHandler: TestHandler,
errorHandler: ErrorHandler): RouterFunction<*> = router {
(accept(MediaType.APPLICATION_JSON_UTF8).nest {
GET(TEST_PATH, testHandler::test )
})
}.andOther(route(RequestPredicates.all(), HandlerFunction { errorHandler.notFoundResponse() }))
以及处理程序本身:
@Component
class TestHandler(private val testService: TestService) {
fun test(request: ServerRequest): Mono<ServerResponse> {
return request.toMono()
.transform({ testResponse() })
}
问题是 request.principal() 始终为空,与 ReactiveSecurityContextHolder.getContext().block() 结果相同,但是身份验证配置可以正常工作并验证用户身份。有趣的一点是,使用带注释的控制器主体声明端点是 not null 并显示经过正确身份验证的用户。
@RestController
class TestController(private val testService: TestService) {
@GetMapping("/test")
fun test(principal: Principal): Mono<String> {
return testService.test().map { message -> message + " " + principal.name }
}
}
是配置错误还是错误?还有类似的问题问,可能是同一个问题?
样本:
回购 - https://github.com/yyunikov/spring-boot-2-kotlin-starter/
卷曲示例:
curl -H "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiJhNjQyMjk0NC01ZDFkLTQxODItOGE2ZS1mZGM0NjEwYzhlNTYiLCJzdWIiOiJ5dW5pa292IiwiaWF0IjoxNTIzNzQyNzcxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvIiwiZW1haWwiOiJ1c2VyQHl1bmlrb3YuY29tIiwicm9sZXMiOlsidXNlciJdfQ.RirM-t7GZnSDQIAn_J-thD1UAzdyxKmiR4ktA_BdlYZsFoYKzy5nj-1dBaG60o7M9FcfwFLAWEe4pc7DplDNjw" localhost:8080/test
内部实现是基于委托者的,所以returns如果还没有解决则为null(这种行为现在导致异常)
这是一个关于如何同时获得两者的示例。
fun secure(serverRequest: ServerRequest): Mono<ServerResponse> {
return Mono.zip(
serverRequest.principal(),
ReactiveSecurityContextHolder.getContext()
)
.flatMap {
val principal = it.t1 // Not null
Assert.notNull(principal)
val securityContext = it.t2 // Not null
Assert.notNull(securityContext)
ServerResponse.ok().body(fromObject("Hello $principal!"))
}
}
请注意,使用 block()/blockFirst()/blockLast() 将导致异常作为 IllegalStateException
我使用 Spring WebFlux 和 RouterFunction 来定义我的 API 端点。我 Spring 安全配置如下:
@Bean
fun security(httpSecurity: ServerHttpSecurity): SecurityWebFilterChain {
return httpSecurity
.authenticationManager(authenticationManager)
// disable default security
.httpBasic().disable()
.formLogin().disable()
.logout().disable()
.csrf().disable()
.addFilterAt(apiAuthenticationWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
.authorizeExchange()
.pathMatchers("/app/health").permitAll()
.pathMatchers("/app/info", "/app/loggers", "/app/metrics").hasAuthority(SecurityRole.SYSTEM)
.anyExchange()
.authenticated()
.and()
.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationFailureHandler)
.and()
.build()
}
@Bean
fun securityContextRepository(): NoOpServerSecurityContextRepository {
return NoOpServerSecurityContextRepository.getInstance()
}
private fun apiAuthenticationWebFilter(): AuthenticationWebFilter {
val apiAuthenticationWebFilter = AuthenticationWebFilter(authenticationManager)
apiAuthenticationWebFilter.setAuthenticationFailureHandler(ServerAuthenticationEntryPointFailureHandler(jwtAuthenticationFailureHandler))
apiAuthenticationWebFilter.setAuthenticationConverter(jwtAuthenticationConverter)
apiAuthenticationWebFilter.setRequiresAuthenticationMatcher(PathPatternParserServerWebExchangeMatcher("/**"))
apiAuthenticationWebFilter.setSecurityContextRepository(securityContextRepository())
return apiAuthenticationWebFilter
}
RouterFunction 声明如下:
@Bean
fun apiRouter(testHandler: TestHandler,
errorHandler: ErrorHandler): RouterFunction<*> = router {
(accept(MediaType.APPLICATION_JSON_UTF8).nest {
GET(TEST_PATH, testHandler::test )
})
}.andOther(route(RequestPredicates.all(), HandlerFunction { errorHandler.notFoundResponse() }))
以及处理程序本身:
@Component
class TestHandler(private val testService: TestService) {
fun test(request: ServerRequest): Mono<ServerResponse> {
return request.toMono()
.transform({ testResponse() })
}
问题是 request.principal() 始终为空,与 ReactiveSecurityContextHolder.getContext().block() 结果相同,但是身份验证配置可以正常工作并验证用户身份。有趣的一点是,使用带注释的控制器主体声明端点是 not null 并显示经过正确身份验证的用户。
@RestController
class TestController(private val testService: TestService) {
@GetMapping("/test")
fun test(principal: Principal): Mono<String> {
return testService.test().map { message -> message + " " + principal.name }
}
}
是配置错误还是错误?还有类似的问题问,可能是同一个问题?
样本:
回购 - https://github.com/yyunikov/spring-boot-2-kotlin-starter/
卷曲示例:
curl -H "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJqdGkiOiJhNjQyMjk0NC01ZDFkLTQxODItOGE2ZS1mZGM0NjEwYzhlNTYiLCJzdWIiOiJ5dW5pa292IiwiaWF0IjoxNTIzNzQyNzcxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvIiwiZW1haWwiOiJ1c2VyQHl1bmlrb3YuY29tIiwicm9sZXMiOlsidXNlciJdfQ.RirM-t7GZnSDQIAn_J-thD1UAzdyxKmiR4ktA_BdlYZsFoYKzy5nj-1dBaG60o7M9FcfwFLAWEe4pc7DplDNjw" localhost:8080/test
内部实现是基于委托者的,所以returns如果还没有解决则为null(这种行为现在导致异常)
这是一个关于如何同时获得两者的示例。
fun secure(serverRequest: ServerRequest): Mono<ServerResponse> {
return Mono.zip(
serverRequest.principal(),
ReactiveSecurityContextHolder.getContext()
)
.flatMap {
val principal = it.t1 // Not null
Assert.notNull(principal)
val securityContext = it.t2 // Not null
Assert.notNull(securityContext)
ServerResponse.ok().body(fromObject("Hello $principal!"))
}
}
请注意,使用 block()/blockFirst()/blockLast() 将导致异常作为 IllegalStateException