mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-26 05:42:31 +00:00
Resource Server w/ SecurityReactorContextSubscriber
Fixes gh-7423
This commit is contained in:
Josh Cummings
parent
e6d40e8280
commit
33ba292fed
@ -15,20 +15,21 @@
|
||||
*/
|
||||
package org.springframework.security.config.annotation.web.configuration;
|
||||
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import org.springframework.context.annotation.ImportSelector;
|
||||
import org.springframework.core.type.AnnotationMetadata;
|
||||
import org.springframework.util.ClassUtils;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* Used by {@link EnableWebSecurity} to conditionally import:
|
||||
*
|
||||
* <ul>
|
||||
* <li>{@link OAuth2ClientConfiguration} when the {@code spring-security-oauth2-client} module is present on the classpath</li>
|
||||
* <li>{@link SecurityReactorContextConfiguration} when the {@code spring-webflux} and {@code spring-security-oauth2-client} module is present on the classpath</li>
|
||||
* <li>{@link OAuth2ResourceServerConfiguration} when the {@code spring-security-oauth2-resource-server} module is present on the classpath</li>
|
||||
* <li>{@link SecurityReactorContextConfiguration} when either the {@code spring-security-oauth2-client} or
|
||||
* {@code spring-security-oauth2-resource-server} module as well as the {@code spring-webflux} module
|
||||
* are present on the classpath</li>
|
||||
* </ul>
|
||||
*
|
||||
* @author Joe Grandja
|
||||
@ -36,13 +37,12 @@ import java.util.List;
|
||||
* @since 5.1
|
||||
* @see OAuth2ClientConfiguration
|
||||
* @see SecurityReactorContextConfiguration
|
||||
* @see OAuth2ResourceServerConfiguration
|
||||
*/
|
||||
final class OAuth2ImportSelector implements ImportSelector {
|
||||
|
||||
@Override
|
||||
public String[] selectImports(AnnotationMetadata importingClassMetadata) {
|
||||
List<String> imports = new ArrayList<>();
|
||||
Set<String> imports = new LinkedHashSet<>();
|
||||
|
||||
boolean oauth2ClientPresent = ClassUtils.isPresent(
|
||||
"org.springframework.security.oauth2.client.registration.ClientRegistration", getClass().getClassLoader());
|
||||
@ -56,9 +56,10 @@ final class OAuth2ImportSelector implements ImportSelector {
|
||||
imports.add("org.springframework.security.config.annotation.web.configuration.SecurityReactorContextConfiguration");
|
||||
}
|
||||
|
||||
if (ClassUtils.isPresent(
|
||||
"org.springframework.security.oauth2.server.resource.BearerTokenError", getClass().getClassLoader())) {
|
||||
imports.add("org.springframework.security.config.annotation.web.configuration.OAuth2ResourceServerConfiguration");
|
||||
boolean oauth2ResourceServerPresent = ClassUtils.isPresent(
|
||||
"org.springframework.security.oauth2.server.resource.BearerTokenError", getClass().getClassLoader());
|
||||
if (webfluxPresent && oauth2ResourceServerPresent) {
|
||||
imports.add("org.springframework.security.config.annotation.web.configuration.SecurityReactorContextConfiguration");
|
||||
}
|
||||
|
||||
return imports.toArray(new String[0]);
|
||||
|
||||
@ -1,144 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.config.annotation.web.configuration;
|
||||
|
||||
import org.reactivestreams.Subscription;
|
||||
import reactor.core.CoreSubscriber;
|
||||
import reactor.core.publisher.Hooks;
|
||||
import reactor.core.publisher.Operators;
|
||||
import reactor.util.context.Context;
|
||||
|
||||
import org.springframework.beans.factory.DisposableBean;
|
||||
import org.springframework.beans.factory.InitializingBean;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
import org.springframework.context.annotation.ImportSelector;
|
||||
import org.springframework.core.type.AnnotationMetadata;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.util.ClassUtils;
|
||||
|
||||
/**
|
||||
* {@link Configuration} for OAuth 2.0 Resource Server support.
|
||||
*
|
||||
* <p>
|
||||
* This {@code Configuration} is conditionally imported by {@link OAuth2ImportSelector}
|
||||
* when the {@code spring-security-oauth2-resource-server} module is present on the classpath.
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @since 5.2
|
||||
* @see OAuth2ImportSelector
|
||||
*/
|
||||
@Import(OAuth2ResourceServerConfiguration.OAuth2ClientWebFluxImportSelector.class)
|
||||
final class OAuth2ResourceServerConfiguration {
|
||||
|
||||
static class OAuth2ClientWebFluxImportSelector implements ImportSelector {
|
||||
|
||||
@Override
|
||||
public String[] selectImports(AnnotationMetadata importingClassMetadata) {
|
||||
boolean webfluxPresent = ClassUtils.isPresent(
|
||||
"org.springframework.web.reactive.function.client.WebClient", getClass().getClassLoader());
|
||||
|
||||
return webfluxPresent ?
|
||||
new String[] { "org.springframework.security.config.annotation.web.configuration.OAuth2ResourceServerConfiguration.OAuth2ResourceServerWebFluxSecurityConfiguration" } :
|
||||
new String[] {};
|
||||
}
|
||||
}
|
||||
|
||||
@Configuration(proxyBeanMethods = false)
|
||||
static class OAuth2ResourceServerWebFluxSecurityConfiguration {
|
||||
@Bean
|
||||
BearerRequestContextSubscriberRegistrar bearerRequestContextSubscriberRegistrar() {
|
||||
return new BearerRequestContextSubscriberRegistrar();
|
||||
}
|
||||
|
||||
/**
|
||||
* Registers a {@link CoreSubscriber} that provides the current {@link Authentication}
|
||||
* to the correct {@link Context}.
|
||||
*
|
||||
* This is published as a {@code @Bean} automatically, so long as `spring-security-oauth2-resource-server`
|
||||
* and `spring-webflux` are on the classpath.
|
||||
*/
|
||||
static class BearerRequestContextSubscriberRegistrar
|
||||
implements InitializingBean, DisposableBean {
|
||||
|
||||
private static final String REQUEST_CONTEXT_OPERATOR_KEY = BearerRequestContextSubscriber.class.getName();
|
||||
|
||||
@Override
|
||||
public void afterPropertiesSet() throws Exception {
|
||||
Hooks.onLastOperator(REQUEST_CONTEXT_OPERATOR_KEY,
|
||||
Operators.liftPublisher((s, sub) -> createRequestContextSubscriber(sub)));
|
||||
}
|
||||
|
||||
@Override
|
||||
public void destroy() throws Exception {
|
||||
Hooks.resetOnLastOperator(REQUEST_CONTEXT_OPERATOR_KEY);
|
||||
}
|
||||
|
||||
private <T> CoreSubscriber<T> createRequestContextSubscriber(CoreSubscriber<T> delegate) {
|
||||
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
||||
return new BearerRequestContextSubscriber<>(delegate, authentication);
|
||||
}
|
||||
|
||||
static class BearerRequestContextSubscriber<T> implements CoreSubscriber<T> {
|
||||
private CoreSubscriber<T> delegate;
|
||||
private final Context context;
|
||||
|
||||
private BearerRequestContextSubscriber(CoreSubscriber<T> delegate,
|
||||
Authentication authentication) {
|
||||
|
||||
this.delegate = delegate;
|
||||
Context parentContext = this.delegate.currentContext();
|
||||
Context context;
|
||||
if (authentication == null || parentContext.hasKey(Authentication.class)) {
|
||||
context = parentContext;
|
||||
} else {
|
||||
context = parentContext.put(Authentication.class, authentication);
|
||||
}
|
||||
|
||||
this.context = context;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Context currentContext() {
|
||||
return this.context;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void onSubscribe(Subscription s) {
|
||||
this.delegate.onSubscribe(s);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void onNext(T t) {
|
||||
this.delegate.onNext(t);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void onError(Throwable t) {
|
||||
this.delegate.onError(t);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void onComplete() {
|
||||
this.delegate.onComplete();
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -44,11 +44,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
/**
|
||||
* Tests for {@link OAuth2ResourceServerConfiguration}.
|
||||
* Tests for applications of {@link SecurityReactorContextConfiguration} in resource servers.
|
||||
*
|
||||
* @author Josh Cummings
|
||||
*/
|
||||
public class OAuth2ResourceServerConfigurationTests {
|
||||
public class SecurityReactorContextConfigurationResourceServerTests {
|
||||
@Rule
|
||||
public final SpringTestRule spring = new SpringTestRule();
|
||||
|
||||
@ -16,6 +16,8 @@
|
||||
|
||||
package org.springframework.security.oauth2.server.resource.web.reactive.function.client;
|
||||
|
||||
import java.util.Map;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
import reactor.util.context.Context;
|
||||
|
||||
@ -56,6 +58,9 @@ import org.springframework.web.reactive.function.client.ExchangeFunction;
|
||||
public final class ServletBearerExchangeFilterFunction
|
||||
implements ExchangeFilterFunction {
|
||||
|
||||
static final String SECURITY_REACTOR_CONTEXT_ATTRIBUTES_KEY =
|
||||
"org.springframework.security.SECURITY_CONTEXT_ATTRIBUTES";
|
||||
|
||||
/**
|
||||
* {@inheritDoc}
|
||||
*/
|
||||
@ -76,8 +81,16 @@ public final class ServletBearerExchangeFilterFunction
|
||||
}
|
||||
|
||||
private Mono<Authentication> currentAuthentication(Context ctx) {
|
||||
Authentication authentication = ctx.getOrDefault(Authentication.class, null);
|
||||
return Mono.justOrEmpty(authentication);
|
||||
return Mono.justOrEmpty(getAttribute(ctx, Authentication.class));
|
||||
}
|
||||
|
||||
private <T> T getAttribute(Context ctx, Class<T> clazz) {
|
||||
// NOTE: SecurityReactorContextConfiguration.SecurityReactorContextSubscriber adds this key
|
||||
if (!ctx.hasKey(SECURITY_REACTOR_CONTEXT_ATTRIBUTES_KEY)) {
|
||||
return null;
|
||||
}
|
||||
Map<Class<T>, T> attributes = ctx.get(SECURITY_REACTOR_CONTEXT_ATTRIBUTES_KEY);
|
||||
return attributes.get(clazz);
|
||||
}
|
||||
|
||||
private ClientRequest bearer(ClientRequest request, AbstractOAuth2Token token) {
|
||||
|
||||
@ -20,6 +20,7 @@ import java.net.URI;
|
||||
import java.time.Duration;
|
||||
import java.time.Instant;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.Test;
|
||||
@ -37,6 +38,7 @@ import org.springframework.web.reactive.function.client.ClientRequest;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.http.HttpMethod.GET;
|
||||
import static org.springframework.security.oauth2.server.resource.web.reactive.function.client.ServletBearerExchangeFilterFunction.SECURITY_REACTOR_CONTEXT_ATTRIBUTES_KEY;
|
||||
|
||||
/**
|
||||
* Tests for {@link ServletBearerExchangeFilterFunction}
|
||||
@ -80,7 +82,7 @@ public class ServletBearerExchangeFilterFunctionTests {
|
||||
.build();
|
||||
|
||||
this.function.filter(request, this.exchange)
|
||||
.subscriberContext(Context.of(Authentication.class, token))
|
||||
.subscriberContext(context(token))
|
||||
.block();
|
||||
|
||||
assertThat(this.exchange.getRequest().headers().getFirst(HttpHeaders.AUTHORIZATION))
|
||||
@ -93,7 +95,7 @@ public class ServletBearerExchangeFilterFunctionTests {
|
||||
.build();
|
||||
|
||||
this.function.filter(request, this.exchange)
|
||||
.subscriberContext(Context.of(Authentication.class, this.authentication))
|
||||
.subscriberContext(context(this.authentication))
|
||||
.block();
|
||||
|
||||
assertThat(this.exchange.getRequest().headers().getFirst(HttpHeaders.AUTHORIZATION))
|
||||
@ -107,10 +109,16 @@ public class ServletBearerExchangeFilterFunctionTests {
|
||||
.build();
|
||||
|
||||
this.function.filter(request, this.exchange)
|
||||
.subscriberContext(Context.of(Authentication.class, this.authentication))
|
||||
.subscriberContext(context(this.authentication))
|
||||
.block();
|
||||
|
||||
HttpHeaders headers = this.exchange.getRequest().headers();
|
||||
assertThat(headers.get(HttpHeaders.AUTHORIZATION)).containsOnly("Bearer " + this.accessToken.getTokenValue());
|
||||
}
|
||||
|
||||
private Context context(Authentication authentication) {
|
||||
Map<Class<?>, Object> contextAttributes = new HashMap<>();
|
||||
contextAttributes.put(Authentication.class, authentication);
|
||||
return Context.of(SECURITY_REACTOR_CONTEXT_ATTRIBUTES_KEY, contextAttributes);
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user