Stmated

Reputation: 495

Authentication by certificate for WebFlux?

In the regular Servlet API for Spring Boot Web, there is the .x509() of the HttpSecurity configuration. But in WebFlux's ServerHttpSecurity I can't find anything similar to it.

What is the equivalent of .x509().subjectPrincipalRegex(...) in WebFlux?

End goal is to get the certificate subject as the username sent to ReactiveUserDetailsService.

Upvotes: 2

Views: 4078

Answers (2)

user2846382

Reputation: 385

I would recommend upgrading your Spring Security version to 5.2.0 or later. Similar X509 authentication support is available there. Look at the link below: https://docs.spring.io/spring-security/site/docs/5.2.x/reference/html/reactive-x509.html

Upvotes: 0

bsamartins

Reputation: 141

I don't think there is an X509 filter as there was in the previous versions of Spring, so you'll have to implement your own version of it. Fortunately, the handy org.springframework.security.web.server.authentication.AuthenticationWebFilter provides the pattern for the authentication flow, but you'll have to extract the subject from the cert/request yourself.

The first thing you'll have to do is set up an authentication converter to extract the subject from the cert.

public class X509AuthenticationConverter implements Function<ServerWebExchange, Mono<Authentication>> {

    @Override
    public Mono<Authentication> apply(ServerWebExchange exchange) {
        ServerHttpRequest request = exchange.getRequest();
        try {
            // extract credentials here
            Authentication authentication = ...
            return Mono.just(authentication);
        } catch (Exception e) {
            // log error here
            return Mono.empty();
        }
    }
}

Now, in our config, we create the filter and converter beans and set the converter into the filter.

@Bean
public X509AuthenticationConverter x509AuthenticationConverter() {
    return new X509AuthenticationConverter();
}

@Bean
public AuthenticationWebFilter x509AuthenticationWebFilter(ReactiveAuthenticationManager reactiveAuthenticationManager,
                                                          X509AuthenticationConverter x509AuthenticationConverter) {
    AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(reactiveAuthenticationManager);
    authenticationWebFilter.setAuthenticationConverter(x509AuthenticationConverter);
    return authenticationWebFilter;
}

And finally, configure security:

@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http, AuthenticationWebFilter x509AuthenticationWebFilter) {
    return http
            .addFilterAt(x509AuthenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION)
            //...
            .build();
}

This will work just as well with other authentication mechanisms.

Upvotes: 4
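One way to fill in the "extract credentials here" step of the converter above, together with an authentication manager that passes the certificate subject to a ReactiveUserDetailsService as the question asks. This is an added example, not code from either answer; the class name, the `manager` helper and the sample regex are assumptions, and it targets the same Function-based converter API the answer uses.

```java
import java.security.cert.X509Certificate;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.springframework.http.server.reactive.SslInfo;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Hypothetical class name; takes the username from the client certificate's subject DN.
public class SubjectDnX509AuthenticationConverter
        implements Function<ServerWebExchange, Mono<Authentication>> {
    private final Pattern subjectDnPattern;

    // Example regex (an assumption): "CN=(.*?)(?:,|$)" captures the common name.
    public SubjectDnX509AuthenticationConverter(String subjectPrincipalRegex) {
        this.subjectDnPattern = Pattern.compile(subjectPrincipalRegex, Pattern.CASE_INSENSITIVE);
    }

    @Override
    public Mono<Authentication> apply(ServerWebExchange exchange) {
        // getSslInfo() is null on plain HTTP. The chain is only present, and only checked
        // against the trust store, when the server requests client certificates over TLS.
        SslInfo sslInfo = exchange.getRequest().getSslInfo();
        X509Certificate[] chain = (sslInfo == null) ? null : sslInfo.getPeerCertificates();
        if (chain == null || chain.length == 0) {
            return Mono.empty(); // no certificate: the request stays unauthenticated
        }
        X509Certificate clientCert = chain[0]; // the leaf certificate is first in the chain
        // getName() returns the RFC 2253 form, e.g. "CN=alice,OU=dev,O=example".
        Matcher matcher = subjectDnPattern.matcher(clientCert.getSubjectX500Principal().getName());
        if (!matcher.find() || matcher.groupCount() < 1) {
            return Mono.empty(); // subject does not match: the request stays unauthenticated
        }
        // Unauthenticated token: the subject is only a claimed username at this point.
        return Mono.just(new PreAuthenticatedAuthenticationToken(matcher.group(1), clientCert));
    }

    // Resolves the extracted subject through the user store, so a subject with no account
    // is rejected even when its certificate chains to a trusted CA.
    public static ReactiveAuthenticationManager manager(ReactiveUserDetailsService users) {
        return token -> users.findByUsername(token.getName())
                .switchIfEmpty(Mono.error(new BadCredentialsException("Unknown certificate subject")))
                .<Authentication>map(u -> new PreAuthenticatedAuthenticationToken(u, token.getCredentials(), u.getAuthorities()));
    }
}
```

Pass `SubjectDnX509AuthenticationConverter.manager(userDetailsService)` to the AuthenticationWebFilter constructor in the config above. The converter trusts whatever certificate the TLS layer accepted, so the server must be configured to request client certificates and validate them against a trust store that contains only the issuing CAs you intend to accept.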
