Vibha Gopal

Reputation: 83

AuthenticationManager in Spring Security WebFlux

I am trying to build a custom authentication manager for my spring-webflux app. However, I find that my manager is never called. My code below:

@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    return http
            // every path requires an authenticated principal; HTTP Basic is switched off
            .authorizeExchange().pathMatchers("/**").authenticated().and().httpBasic().disable()
            // keep the SecurityContext in the WebSession between requests
            .securityContextRepository(webSessionServerSecurityContextRepository())
            // custom filter built from the manager only; the filter's other dependencies keep their defaults
            .addFilterAfter(new AuthenticationWebFilter(bearerTokenAuthenticationManager()),
                    SecurityWebFiltersOrder.REACTOR_CONTEXT)
            .build();
}

What am I doing wrong?

Upvotes: 3

Views: 2442

Answers (1)

Nico

Reputation: 928

Assuming you put this bean in a class annotated with @Configuration and @EnableWebFluxSecurity, your problem seems to be that you didn't disable CSRF, which is configured by default by Spring Security.

You can do that with the following:

@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
    return http
            // every path requires an authenticated principal
            .authorizeExchange().pathMatchers("/**").authenticated()
            .and()
            .httpBasic().disable()
            .csrf().disable() // Disable csrf (CsrfWebFilter is on by default)
            // keep the SecurityContext in the WebSession between requests
            .securityContextRepository(webSessionServerSecurityContextRepository())
            // custom filter built from the manager; see the dependencies below for what else it needs
            .addFilterAfter(new AuthenticationWebFilter(bearerTokenAuthenticationManager()),
                    SecurityWebFiltersOrder.REACTOR_CONTEXT)
            .build();
}

Furthermore, you have to configure the AuthenticationWebFilter correctly.

An AuthenticationWebFilter has the following dependencies:

AuthenticationWebFilter Dependencies

...most of them default to the HttpBasic dependencies (copied and pasted from the Spring Security source code):

private final ReactiveAuthenticationManagerResolver<ServerWebExchange> authenticationManagerResolver;
private ServerAuthenticationSuccessHandler authenticationSuccessHandler = new WebFilterChainServerAuthenticationSuccessHandler();
private ServerAuthenticationConverter authenticationConverter = new ServerHttpBasicAuthenticationConverter();
private ServerAuthenticationFailureHandler authenticationFailureHandler = new ServerAuthenticationEntryPointFailureHandler(new HttpBasicServerAuthenticationEntryPoint());
private ServerSecurityContextRepository securityContextRepository = NoOpServerSecurityContextRepository.getInstance(); // Stateless session
private ServerWebExchangeMatcher requiresAuthenticationMatcher = ServerWebExchangeMatchers.anyExchange();

You can set whatever you want with the setter methods of AuthenticationWebFilter. An AuthenticationWebFilter has the following logic:

AuthenticationWebFilter flow

So depending on the case you have to configure one dependency or another. You can see a complete example of how authentication and authorization work in my repo: https://github.com/soasada/kotlin-coroutines-webflux-security (it is in Kotlin, but for this case it is the same).

Upvotes: 6
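The following is an added example, not code from the question, the answer or the linked repository. It wires the AuthenticationWebFilter the way the answer's dependency list calls for when the credential is a Bearer token: the default ServerHttpBasicAuthenticationConverter only recognises an "Authorization: Basic" header and returns an empty Mono for anything else, so a filter built from the manager alone never reaches the manager for a Bearer request. The converter, the stateless context repository and the failure handler are set explicitly; the token store, the "ROLE_USER" authority and the class name are constructed for illustration, and a real manager would verify a signed token or introspect it at the issuer. Disabling CSRF is defensible here because the chain is stateless and the browser never attaches a Bearer header on its own; if the WebSession-backed repository from the question is kept, cookie-authenticated requests need the CSRF filter back.

```java
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerAuthenticationEntryPointFailureHandler;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class BearerTokenSecurityConfig {

    // Constructed sample token store for this example (opaque token -> username).
    // A real manager would verify a signed token or introspect it at the issuer.
    private static final Map<String, String> TOKENS = Map.of("tok-alice-0001", "alice");
    private static final String BEARER_PREFIX = "Bearer ";

    @Bean
    SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) {
        AuthenticationWebFilter bearerFilter = new AuthenticationWebFilter(bearerTokenAuthenticationManager());
        // The default converter only parses "Authorization: Basic ..."; without this line the
        // filter returns Mono.empty() for a Bearer header and the manager is never invoked.
        bearerFilter.setServerAuthenticationConverter(bearerTokenConverter());
        // Stateless: nothing is stored in the WebSession, the token must be sent on every request.
        bearerFilter.setSecurityContextRepository(NoOpServerSecurityContextRepository.getInstance());
        // A rejected token yields a plain 401 instead of the default "WWW-Authenticate: Basic" challenge.
        bearerFilter.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(
                new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)));

        return http
                // Stateless header-based API: CSRF protection adds nothing here.
                // Re-enable it if you go back to a session-backed SecurityContextRepository.
                .csrf().disable()
                .httpBasic().disable()
                .formLogin().disable()
                .logout().disable()
                .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
                // Requests without any credential reach authorizeExchange() unauthenticated and get 401.
                .exceptionHandling().authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
                .and()
                .authorizeExchange().pathMatchers("/**").authenticated()
                .and()
                // Place the filter where Spring's own authentication filters run.
                .addFilterAt(bearerFilter, SecurityWebFiltersOrder.AUTHENTICATION)
                .build();
    }

    // Mono.empty() means "no bearer credential present": the filter lets the request continue
    // unauthenticated rather than failing it, which is what the AuthenticationWebFilter flow expects.
    ServerAuthenticationConverter bearerTokenConverter() {
        return exchange -> {
            String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
            if (header == null || !header.startsWith(BEARER_PREFIX)) {
                return Mono.empty();
            }
            String token = header.substring(BEARER_PREFIX.length()).trim();
            if (token.isEmpty()) {
                return Mono.empty();
            }
            // Not yet authenticated: principal unknown, credentials = the raw bearer token.
            return Mono.just(new UsernamePasswordAuthenticationToken(null, token));
        };
    }

    // The custom manager from the question; it is only reached for requests the converter accepted.
    @Bean
    ReactiveAuthenticationManager bearerTokenAuthenticationManager() {
        return authentication -> {
            String token = String.valueOf(authentication.getCredentials());
            String user = TOKENS.get(token);
            if (user == null) {
                // Goes to the failure handler above as a 401; never echo the token back to the client.
                return Mono.error(new BadCredentialsException("Invalid bearer token"));
            }
            // The three-argument constructor marks the result as authenticated. Role constructed for the example.
            return Mono.just(new UsernamePasswordAuthenticationToken(
                    user, null, List.of(new SimpleGrantedAuthority("ROLE_USER"))));
        };
    }
}
```

With this configuration, `curl -H "Authorization: Bearer tok-alice-0001" http://localhost:8080/anything` reaches the controller as `alice`, a request with an unknown token gets a 401 from the filter's failure handler, and a request with no Authorization header gets a 401 from the exception-handling entry point. The converter and the manager are deliberately separate: the converter only decides whether a credential is present, the manager decides whether it is valid, and only the second step has any business touching a token store or a signing key.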
