[case11]spring security reactive獲取security context
序
本文主要研究下reactive模式下的spring security context的獲取。html
ReactiveSecurityContextHolder
springboot2支持了webflux的異步模式,那麼傳統的基於threadlocal的SecurityContextHolder就無論用了。spring security5.x也支持了reactive方式,這裏就須要使用reactive版本的SecurityContextHolder
spring-security-core-5.0.3.RELEASE-sources.jar!/org/springframework/security/core/context/ReactiveSecurityContextHolder.javajava
public class ReactiveSecurityContextHolder {
private static final Class<?> SECURITY_CONTEXT_KEY = SecurityContext.class;
/**
* Gets the {@code Mono<SecurityContext>} from Reactor {@link Context}
* @return the {@code Mono<SecurityContext>}
*/
public static Mono<SecurityContext> getContext() {
return Mono.subscriberContext()
.filter( c -> c.hasKey(SECURITY_CONTEXT_KEY))
.flatMap( c-> c.<Mono<SecurityContext>>get(SECURITY_CONTEXT_KEY));
}
/**
* Clears the {@code Mono<SecurityContext>} from Reactor {@link Context}
* @return Return a {@code Mono<Void>} which only replays complete and error signals
* from clearing the context.
*/
public static Function<Context, Context> clearContext() {
return context -> context.delete(SECURITY_CONTEXT_KEY);
}
/**
* Creates a Reactor {@link Context} that contains the {@code Mono<SecurityContext>}
* that can be merged into another {@link Context}
* @param securityContext the {@code Mono<SecurityContext>} to set in the returned
* Reactor {@link Context}
* @return a Reactor {@link Context} that contains the {@code Mono<SecurityContext>}
*/
public static Context withSecurityContext(Mono<? extends SecurityContext> securityContext) {
return Context.of(SECURITY_CONTEXT_KEY, securityContext);
}
/**
* A shortcut for {@link #withSecurityContext(Mono)}
* @param authentication the {@link Authentication} to be used
* @return a Reactor {@link Context} that contains the {@code Mono<SecurityContext>}
*/
public static Context withAuthentication(Authentication authentication) {
return withSecurityContext(Mono.just(new SecurityContextImpl(authentication)));
}
}
能夠看到,這裏利用了reactor提供的context機制來進行異步線程的變量傳遞。
實例
public Mono<User> getCurrentUser() {
return ReactiveSecurityContextHolder.getContext()
.switchIfEmpty(Mono.error(new IllegalStateException("ReactiveSecurityContext is empty")))
.map(SecurityContext::getAuthentication)
.map(Authentication::getPrincipal)
.cast(User.class);
}
源碼解析
ServerHttpSecurity
spring-security-config-5.0.3.RELEASE-sources.jar!/org/springframework/security/config/web/server/ServerHttpSecurity.javareact
public SecurityWebFilterChain build() {
if(this.built != null) {
throw new IllegalStateException("This has already been built with the following stacktrace. " + buildToString());
}
this.built = new RuntimeException("First Build Invocation").fillInStackTrace();
if(this.headers != null) {
this.headers.configure(this);
}
WebFilter securityContextRepositoryWebFilter = securityContextRepositoryWebFilter();
if(securityContextRepositoryWebFilter != null) {
this.webFilters.add(securityContextRepositoryWebFilter);
}
if(this.csrf != null) {
this.csrf.configure(this);
}
if(this.httpBasic != null) {
this.httpBasic.authenticationManager(this.authenticationManager);
this.httpBasic.configure(this);
}
if(this.formLogin != null) {
this.formLogin.authenticationManager(this.authenticationManager);
if(this.securityContextRepository != null) {
this.formLogin.securityContextRepository(this.securityContextRepository);
}
if(this.formLogin.authenticationEntryPoint == null) {
this.webFilters.add(new OrderedWebFilter(new LoginPageGeneratingWebFilter(), SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING.getOrder()));
this.webFilters.add(new OrderedWebFilter(new LogoutPageGeneratingWebFilter(), SecurityWebFiltersOrder.LOGOUT_PAGE_GENERATING.getOrder()));
}
this.formLogin.configure(this);
}
if(this.logout != null) {
this.logout.configure(this);
}
this.requestCache.configure(this);
this.addFilterAt(new SecurityContextServerWebExchangeWebFilter(), SecurityWebFiltersOrder.SECURITY_CONTEXT_SERVER_WEB_EXCHANGE);
if(this.authorizeExchange != null) {
ServerAuthenticationEntryPoint authenticationEntryPoint = getAuthenticationEntryPoint();
ExceptionTranslationWebFilter exceptionTranslationWebFilter = new ExceptionTranslationWebFilter();
if(authenticationEntryPoint != null) {
exceptionTranslationWebFilter.setAuthenticationEntryPoint(
authenticationEntryPoint);
}
this.addFilterAt(exceptionTranslationWebFilter, SecurityWebFiltersOrder.EXCEPTION_TRANSLATION);
this.authorizeExchange.configure(this);
}
AnnotationAwareOrderComparator.sort(this.webFilters);
List<WebFilter> sortedWebFilters = new ArrayList<>();
this.webFilters.forEach( f -> {
if(f instanceof OrderedWebFilter) {
f = ((OrderedWebFilter) f).webFilter;
}
sortedWebFilters.add(f);
});
return new MatcherSecurityWebFilterChain(getSecurityMatcher(), sortedWebFilters);
}
這裏的build方法建立了securityContextRepositoryWebFilter並添加到webFilters裏頭
securityContextRepositoryWebFilter
private WebFilter securityContextRepositoryWebFilter() {
ServerSecurityContextRepository repository = this.securityContextRepository;
if(repository == null) {
return null;
}
WebFilter result = new ReactorContextWebFilter(repository);
return new OrderedWebFilter(result, SecurityWebFiltersOrder.REACTOR_CONTEXT.getOrder());
}
這裏建立了ReactorContextWebFilter
ReactorContextWebFilter
spring-security-web-5.0.3.RELEASE-sources.jar!/org/springframework/security/web/server/context/ReactorContextWebFilter.javaweb
public class ReactorContextWebFilter implements WebFilter {
private final ServerSecurityContextRepository repository;
public ReactorContextWebFilter(ServerSecurityContextRepository repository) {
Assert.notNull(repository, "repository cannot be null");
this.repository = repository;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
return chain.filter(exchange)
.subscriberContext(c -> c.hasKey(SecurityContext.class) ? c :
withSecurityContext(c, exchange)
);
}
private Context withSecurityContext(Context mainContext, ServerWebExchange exchange) {
return mainContext.putAll(this.repository.load(exchange)
.as(ReactiveSecurityContextHolder::withSecurityContext));
}
}
這裏使用reactor的subscriberContext將SecurityContext注入進去。
小結
基於reactor提供的context機制,spring security也相應提供了ReactiveSecurityContextHolder用來獲取當前用戶,很是便利。spring
doc
相關文章
- 1. spring security reactive獲取security context
- 2. Salesforce: Security Token 的獲取方法
- 3. spring security filter獲取請求的urlpattern
- 4. 獲取spring security用戶相關信息
- 5. Spring Security OAUTH2 獲取用戶信息
- 6. 頁面獲取Spring Security登陸用戶
- 7. spring security oauth2 獲取jwt的方式
- 8. spring security 獲取用戶信息
- 9. spring security method security
- 10. SPRING SECURITY JAVA配置:Web Security
- 更多相關文章...
- • PHP imageaffinematrixget - 獲取矩陣 - PHP參考手冊
- • XML DOM 獲取節點值 - XML DOM 教程
- • Tomcat學習筆記(史上最全tomcat學習筆記)
- • RxJava操作符(一)Creating Observables
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. spring security reactive獲取security context
- 2. Salesforce: Security Token 的獲取方法
- 3. spring security filter獲取請求的urlpattern
- 4. 獲取spring security用戶相關信息
- 5. Spring Security OAUTH2 獲取用戶信息
- 6. 頁面獲取Spring Security登陸用戶
- 7. spring security oauth2 獲取jwt的方式
- 8. spring security 獲取用戶信息
- 9. spring security method security
- 10. SPRING SECURITY JAVA配置:Web Security