分享程序员开发的那些事...
更新时间:2022-01-25 08:40:40
我不认为在Spring的早期版本中有X509过滤器,因此您必须实现自己的版本.幸运的是,方便的org.springframework.security.web.server.authentication.AuthenticationWebFilter提供了身份验证流程的模式,但是您必须自己从证书/请求中提取主题.
I don't think there is a X509 filter as there was in the previous versions of spring, so you'll have to implement your own version of it. Fortunately the handy org.springframework.security.web.server.authentication.AuthenticationWebFilter provides the pattern for the authentication flow but you'll have to extract the subject from the cert/request yourself.
您要做的第一件事是设置身份验证转换器,以从证书中提取主题.
The first thing you'll have to do is setup an the authentication converter to extract the subject from the cert.
public class X509AuthenticationConverter implements Function<ServerWebExchange, Mono<Authentication>> {
@Override
public Mono<Authentication> apply(ServerWebExchange exchange) {
ServerHttpRequest request = exchange.getRequest();
try {
// extract credentials here
Authentication authentication = ...
return Mono.just(authentication);
} catch (Exception e) {
// log error here
return Mono.empty();
}
}
}
现在,在我们的配置中,我们创建过滤器和转换器bean,并将转换器设置为过滤器.
Now on our config we create the filter and converter beans and set the converter into the filter.
@Bean
public X509AuthenticationConverter x509AuthenticationConverter() {
return new X509AuthenticationConverter();
}
@Bean
public AuthenticationWebFilter x509AuthenticationWebFilter(ReactiveAuthenticationManager reactiveAuthenticationManager,
X509AuthenticationConverter x509AuthenticationConverter) {
AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(reactiveAuthenticationManager);
authenticationWebFilter.setAuthenticationConverter(x509AuthenticationConverter);
return authenticationWebFilter;
}
最后配置安全性
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http, AuthenticationWebFilter x509AuthenticationWebFilter) {
return http
.addFilterAt(x509AuthenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION)
//...
.build();
}
这与其他身份验证机制同样有效.
This will work just as well with other authentication mechanisms.