Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Separate Servlet and WebFlux 

Fixes: gh-5836
This commit is contained in:
Rob Winch 2018-09-11 21:01:07 -05:00
parent ed9cd478ba
commit 57359058dd
59 changed files with 204 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/manual/src/docs/asciidoc/_includes/reactive/index.adoc Normal file
View File

@ -0,0 +1,7 @@
= Reactive Applications
include::webflux.adoc[leveloffset=+1]
include::method.adoc[leveloffset=+1]
include::webtestclient.adoc[leveloffset=+1]

103
docs/manual/src/docs/asciidoc/_includes/reactive/method.adoc Normal file
View File

@ -0,0 +1,103 @@
[[jc-erms]]
= EnableReactiveMethodSecurity
Spring Security supports method security using https://projectreactor.io/docs/core/release/reference/#context[Reactor's Context] which is setup using `ReactiveSecurityContextHolder`.
For example, this demonstrates how to retrieve the currently logged in user's message.
[NOTE]
====
For this to work the return type of the method must be a `org.reactivestreams.Publisher` (i.e. `Mono`/`Flux`).
This is necessary to integrate with Reactor's `Context`.
====
[source,java]
----
Authentication authentication = new TestingAuthenticationToken("user", "password", "ROLE_USER");
Mono<String> messageByUsername = ReactiveSecurityContextHolder.getContext()
.map(SecurityContext::getAuthentication)
.map(Authentication::getName)
.flatMap(this::findMessageByUsername)
// In a WebFlux application the `subscriberContext` is automatically setup using `ReactorContextWebFilter`
.subscriberContext(ReactiveSecurityContextHolder.withAuthentication(authentication));
StepVerifier.create(messageByUsername)
.expectNext("Hi user")
.verifyComplete();
----
with `this::findMessageByUsername` defined as:
[source,java]
----
Mono<String> findMessageByUsername(String username) {
return Mono.just("Hi " + username);
}
----
Below is a minimal method security configuration when using method security in reactive applications.
[source,java]
----
@EnableReactiveMethodSecurity
public class SecurityConfig {
@Bean
public MapReactiveUserDetailsService userDetailsService() {
User.UserBuilder userBuilder = User.withDefaultPasswordEncoder();
UserDetails rob = userBuilder.username("rob").password("rob").roles("USER").build();
UserDetails admin = userBuilder.username("admin").password("admin").roles("USER","ADMIN").build();
return new MapReactiveUserDetailsService(rob, admin);
}
}
----
Consider the following class:
[source,java]
----
@Component
public class HelloWorldMessageService {
@PreAuthorize("hasRole('ADMIN')")
public Mono<String> findMessage() {
return Mono.just("Hello World!");
}
}
----
Combined with our configuration above, `@PreAuthorize("hasRole('ADMIN')")` will ensure that `findByMessage` is only invoked by a user with the role `ADMIN`.
It is important to note that any of the expressions in standard method security work for `@EnableReactiveMethodSecurity`.
However, at this time we only support return type of `Boolean` or `boolean` of the expression.
This means that the expression must not block.
When integrating with <<jc-webflux>>, the Reactor Context is automatically established by Spring Security according to the authenticated user.
[source,java]
----
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfig {
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
return http
// Demonstrate that method security works
// Best practice to use both for defense in depth
.authorizeExchange()
.anyExchange().permitAll()
.and()
.httpBasic().and()
.build();
}
@Bean
MapReactiveUserDetailsService userDetailsService() {
User.UserBuilder userBuilder = User.withDefaultPasswordEncoder();
UserDetails rob = userBuilder.username("rob").password("rob").roles("USER").build();
UserDetails admin = userBuilder.username("admin").password("admin").roles("USER","ADMIN").build();
return new MapReactiveUserDetailsService(rob, admin);
}
}
----
You can find a complete sample in {gh-samples-url}/javaconfig/hellowebflux-method[hellowebflux-method]

68
docs/manual/src/docs/asciidoc/_includes/reactive/webflux.adoc Normal file
View File

@ -0,0 +1,68 @@
[[jc-webflux]]
= WebFlux Security
Spring Security's WebFlux support relies on a `WebFilter` and works the same for Spring WebFlux and Spring WebFlux.Fn.
You can find a few sample applications that demonstrate the code below:
* Hello WebFlux {gh-samples-url}/javaconfig/hellowebflux[hellowebflux]
* Hello WebFlux.Fn {gh-samples-url}/javaconfig/hellowebfluxfn[hellowebfluxfn]
* Hello WebFlux Method {gh-samples-url}/javaconfig/hellowebflux-method[hellowebflux-method]
== Minimal WebFlux Security Configuration
You can find a minimal WebFlux Security configuration below:
[source,java]
-----
@EnableWebFluxSecurity
public class HelloWebfluxSecurityConfig {
@Bean
public MapReactiveUserDetailsService userDetailsService() {
UserDetails user = User.withDefaultPasswordEncoder()
.username("user")
.password("user")
.roles("USER")
.build();
return new MapReactiveUserDetailsService(user);
}
}
-----
This configuration provides form and http basic authentication, sets up authorization to require an authenticated user for accessing any page, sets up a default log in page and a default log out page, sets up security related HTTP headers, CSRF protection, and more.
== Explicit WebFlux Security Configuration
You can find an explicit version of the minimal WebFlux Security configuration below:
[source,java]
-----
@EnableWebFluxSecurity
public class HelloWebfluxSecurityConfig {
@Bean
public MapReactiveUserDetailsService userDetailsService() {
UserDetails user = User.withDefaultPasswordEncoder()
.username("user")
.password("user")
.roles("USER")
.build();
return new MapReactiveUserDetailsService(user);
}
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.anyExchange().authenticated()
.and()
.httpBasic().and()
.formLogin();
return http.build();
}
}
-----
This configuration explicitly sets up all the same things as our minimal configuration.
From here you can easily make the changes to the defaults.

10
docs/manual/src/docs/asciidoc/_includes/test/webtestclient.adoc → docs/manual/src/docs/asciidoc/_includes/reactive/webtestclient.adoc
View File

@ -1,8 +1,8 @@
[[test-webflux]]
== WebFlux Support
= WebFlux Support
[[test-erms]]
=== Reactive Method Security
== Reactive Method Security
For example, we can test our example from <<jc-erms>> using the same setup and annotations we did in <<test-method>>.
Here is a minimal sample of what we can do:
@ -41,7 +41,7 @@ public class HelloWorldMessageServiceTests {
----
[[test-webtestclient]]
=== WebTestClientSupport
== WebTestClientSupport
Spring Security provides integration with `WebTestClient`.
The basic setup looks like this:
@ -70,7 +70,7 @@ public class HelloWebfluxMethodApplicationTests {
}
----
==== Authentication
=== Authentication
After applying the Spring Security support to `WebTestClient` we can use either annotations or `mutateWith` support.
For example:
@ -134,7 +134,7 @@ public void messageWhenMutateWithMockAdminThenOk() throws Exception {
----
==== CSRF Support
=== CSRF Support
Spring Security also provides support for CSRF testing with `WebTestClient`.
For example:

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/acls.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/acls.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/cas.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/cas.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/concurrency.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/concurrency.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/crypto.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/crypto.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/index.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/index.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/jaas.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/jaas.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/jsp-taglibs.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/jsp-taglibs.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/ldap.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/ldap.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/mvc.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/mvc.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/oauth2.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/preauth.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/preauth.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/runas.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/runas.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/additional-topics/x509.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/x509.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/appendix/database-schema.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/appendix/database-schema.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/appendix/dependencies.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/appendix/dependencies.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/appendix/faq.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/appendix/faq.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/appendix/index.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/appendix/index.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/appendix/namespace.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/appendix/proxy-server.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/appendix/proxy-server.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/architecture/core-services.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/architecture/core-services.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/architecture/index.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/architecture/index.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/architecture/jackson.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/architecture/jackson.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/architecture/password-encoder.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/architecture/password-encoder.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/architecture/technical-overview.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/architecture/technical-overview.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/authorization/architecture.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/authorization/architecture.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/authorization/expression-based.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/authorization/expression-based.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/authorization/index.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/authorization/index.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/authorization/secure-objects.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/authorization/secure-objects.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/data/index.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/data/index.adoc
View File

17
docs/manual/src/docs/asciidoc/_includes/servlet/index.adoc Normal file
View File

@ -0,0 +1,17 @@
= Servlet Applications
include::preface/index.adoc[leveloffset=+1]
include::architecture/index.adoc[leveloffset=+1]
include::test/index.adoc[leveloffset=+1]
include::web/index.adoc[leveloffset=+1]
include::authorization/index.adoc[leveloffset=+1]
include::additional-topics/index.adoc[leveloffset=+1]
include::data/index.adoc[leveloffset=+1]
include::appendix/index.adoc[leveloffset=+1]

0
docs/manual/src/docs/asciidoc/_includes/preface/community.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/preface/community.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/preface/getting-started.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/preface/getting-started.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/preface/guides.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/preface/guides.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/preface/index.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/preface/index.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/preface/introduction.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/preface/introduction.adoc
View File

172
docs/manual/src/docs/asciidoc/_includes/preface/java-configuration.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/preface/java-configuration.adoc
View File

@ -383,74 +383,6 @@ If not configured a status code 200 will be returned by default.
- Section <<cas-singlelogout, Single Logout>> (CAS protocol)
- Documentation for the <<nsa-logout, logout element>> in the Spring Security XML Namespace section
[[jc-webflux]]
=== WebFlux Security
Spring Security's WebFlux support relies on a `WebFilter` and works the same for Spring WebFlux and Spring WebFlux.Fn.
You can find a few sample applications that demonstrate the code below:
* Hello WebFlux {gh-samples-url}/javaconfig/hellowebflux[hellowebflux]
* Hello WebFlux.Fn {gh-samples-url}/javaconfig/hellowebfluxfn[hellowebfluxfn]
* Hello WebFlux Method {gh-samples-url}/javaconfig/hellowebflux-method[hellowebflux-method]
==== Minimal WebFlux Security Configuration
You can find a minimal WebFlux Security configuration below:
[source,java]
-----
@EnableWebFluxSecurity
public class HelloWebfluxSecurityConfig {
@Bean
public MapReactiveUserDetailsService userDetailsService() {
UserDetails user = User.withDefaultPasswordEncoder()
.username("user")
.password("user")
.roles("USER")
.build();
return new MapReactiveUserDetailsService(user);
}
}
-----
This configuration provides form and http basic authentication, sets up authorization to require an authenticated user for accessing any page, sets up a default log in page and a default log out page, sets up security related HTTP headers, CSRF protection, and more.
==== Explicit WebFlux Security Configuration
You can find an explicit version of the minimal WebFlux Security configuration below:
[source,java]
-----
@EnableWebFluxSecurity
public class HelloWebfluxSecurityConfig {
@Bean
public MapReactiveUserDetailsService userDetailsService() {
UserDetails user = User.withDefaultPasswordEncoder()
.username("user")
.password("user")
.roles("USER")
.build();
return new MapReactiveUserDetailsService(user);
}
@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
http
.authorizeExchange()
.anyExchange().authenticated()
.and()
.httpBasic().and()
.formLogin();
return http.build();
}
}
-----
This configuration explicitly sets up all the same things as our minimal configuration.
From here you can easily make the changes to the defaults.
[[jc-oauth2login]]
=== OAuth 2.0 Login
@ -1302,110 +1234,6 @@ public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
For additional information about methods that can be overridden, refer to the `GlobalMethodSecurityConfiguration` Javadoc.
[[jc-erms]]
==== EnableReactiveMethodSecurity
Spring Security supports method security using https://projectreactor.io/docs/core/release/reference/#context[Reactor's Context] which is setup using `ReactiveSecurityContextHolder`.
For example, this demonstrates how to retrieve the currently logged in user's message.
[NOTE]
====
For this to work the return type of the method must be a `org.reactivestreams.Publisher` (i.e. `Mono`/`Flux`).
This is necessary to integrate with Reactor's `Context`.
====
[source,java]
----
Authentication authentication = new TestingAuthenticationToken("user", "password", "ROLE_USER");
Mono<String> messageByUsername = ReactiveSecurityContextHolder.getContext()
.map(SecurityContext::getAuthentication)
.map(Authentication::getName)
.flatMap(this::findMessageByUsername)
// In a WebFlux application the `subscriberContext` is automatically setup using `ReactorContextWebFilter`
.subscriberContext(ReactiveSecurityContextHolder.withAuthentication(authentication));
StepVerifier.create(messageByUsername)
.expectNext("Hi user")
.verifyComplete();
----
with `this::findMessageByUsername` defined as:
[source,java]
----
Mono<String> findMessageByUsername(String username) {
return Mono.just("Hi " + username);
}
----
Below is a minimal method security configuration when using method security in reactive applications.
[source,java]
----
@EnableReactiveMethodSecurity
public class SecurityConfig {
@Bean
public MapReactiveUserDetailsService userDetailsService() {
User.UserBuilder userBuilder = User.withDefaultPasswordEncoder();
UserDetails rob = userBuilder.username("rob").password("rob").roles("USER").build();
UserDetails admin = userBuilder.username("admin").password("admin").roles("USER","ADMIN").build();
return new MapReactiveUserDetailsService(rob, admin);
}
}
----
Consider the following class:
[source,java]
----
@Component
public class HelloWorldMessageService {
@PreAuthorize("hasRole('ADMIN')")
public Mono<String> findMessage() {
return Mono.just("Hello World!");
}
}
----
Combined with our configuration above, `@PreAuthorize("hasRole('ADMIN')")` will ensure that `findByMessage` is only invoked by a user with the role `ADMIN`.
It is important to note that any of the expressions in standard method security work for `@EnableReactiveMethodSecurity`.
However, at this time we only support return type of `Boolean` or `boolean` of the expression.
This means that the expression must not block.
When integrating with <<jc-webflux>>, the Reactor Context is automatically established by Spring Security according to the authenticated user.
[source,java]
----
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfig {
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
return http
// Demonstrate that method security works
// Best practice to use both for defense in depth
.authorizeExchange()
.anyExchange().permitAll()
.and()
.httpBasic().and()
.build();
}
@Bean
MapReactiveUserDetailsService userDetailsService() {
User.UserBuilder userBuilder = User.withDefaultPasswordEncoder();
UserDetails rob = userBuilder.username("rob").password("rob").roles("USER").build();
UserDetails admin = userBuilder.username("admin").password("admin").roles("USER","ADMIN").build();
return new MapReactiveUserDetailsService(rob, admin);
}
}
----
You can find a complete sample in {gh-samples-url}/javaconfig/hellowebflux-method[hellowebflux-method]
=== Post Processing Configured Objects
Spring Security's Java Configuration does not expose every property of every object that it configures.

0
docs/manual/src/docs/asciidoc/_includes/preface/namespace.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/preface/namespace.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/preface/samples.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/preface/samples.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/preface/whats-new.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/test/index.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/test/index.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/test/method.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/test/method.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/test/mockmvc.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/test/mockmvc.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/anonymous.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/anonymous.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/basic.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/basic.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/core-filters.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/core-filters.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/cors.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/cors.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/csrf.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/csrf.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/headers.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/headers.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/index.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/index.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/rememberme.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/rememberme.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/security-filter-chain.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/security-filter-chain.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/servlet-api.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/servlet-api.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/session-management.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/session-management.adoc
View File

0
docs/manual/src/docs/asciidoc/_includes/web/websocket.adoc → docs/manual/src/docs/asciidoc/_includes/servlet/web/websocket.adoc
View File

17
docs/manual/src/docs/asciidoc/index.adoc
View File

@ -2,24 +2,15 @@
Ben Alex; Luke Taylor; Rob Winch; Gunnar Hillert; Joe Grandja; Jay Bryant
:include-dir: _includes
:security-api-url: http://docs.spring.io/spring-security/site/docs/current/apidocs/
:source-indent: 0
:tabsize: 2
Spring Security is a powerful and highly customizable authentication and access-control framework.
It is the de-facto standard for securing Spring-based applications.
include::{include-dir}/preface/index.adoc[]
include::{include-dir}/architecture/index.adoc[]
include::{include-dir}/servlet/index.adoc[]
include::{include-dir}/test/index.adoc[]
include::{include-dir}/web/index.adoc[]
include::{include-dir}/authorization/index.adoc[]
include::{include-dir}/additional-topics/index.adoc[]
include::{include-dir}/data/index.adoc[]
include::{include-dir}/appendix/index.adoc[]
include::{include-dir}/reactive/index.adoc[]