下面列出了org.springframework.security.authentication.ReactiveAuthenticationManager#org.springframework.security.web.server.authentication.AuthenticationWebFilter 实例代码,或者点击链接到github查看源代码,也可以在右侧发表评论。
@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
//认证处理器
ReactiveAuthenticationManager customAuthenticationManager = new CustomAuthenticationManager(tokenStore);
JsonAuthenticationEntryPoint entryPoint = new JsonAuthenticationEntryPoint();
//token转换器
ServerBearerTokenAuthenticationConverter tokenAuthenticationConverter = new ServerBearerTokenAuthenticationConverter();
tokenAuthenticationConverter.setAllowUriQueryParameter(true);
//oauth2认证过滤器
AuthenticationWebFilter oauth2Filter = new AuthenticationWebFilter(customAuthenticationManager);
oauth2Filter.setServerAuthenticationConverter(tokenAuthenticationConverter);
oauth2Filter.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
oauth2Filter.setAuthenticationSuccessHandler(new Oauth2AuthSuccessHandler());
http.addFilterAt(oauth2Filter, SecurityWebFiltersOrder.AUTHENTICATION);
ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange = http.authorizeExchange();
if (securityProperties.getAuth().getHttpUrls().length > 0) {
authorizeExchange.pathMatchers(securityProperties.getAuth().getHttpUrls()).authenticated();
}
if (securityProperties.getIgnore().getUrls().length > 0) {
authorizeExchange.pathMatchers(securityProperties.getIgnore().getUrls()).permitAll();
}
authorizeExchange
.pathMatchers(HttpMethod.OPTIONS).permitAll()
.anyExchange()
.access(permissionAuthManager)
.and()
.exceptionHandling()
.accessDeniedHandler(new JsonAccessDeniedHandler())
.authenticationEntryPoint(entryPoint)
.and()
.headers()
.frameOptions()
.disable()
.and()
.httpBasic().disable()
.csrf().disable();
return http.build();
}
public static void forLogin(
final ServerHttpSecurity http,
final AMType amType,
final ApplicationContext ctx) {
ReactiveClientRegistrationRepository clientRegistrationRepository =
ctx.getBean(ReactiveClientRegistrationRepository.class);
ReactiveOAuth2AuthorizedClientService authorizedClientService =
new InMemoryReactiveOAuth2AuthorizedClientService(clientRegistrationRepository);
ServerOAuth2AuthorizedClientRepository authorizedClientRepository =
new AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(authorizedClientService);
OAuth2AuthorizationRequestRedirectWebFilter authRequestRedirectFilter =
new OAuth2AuthorizationRequestRedirectWebFilter(clientRegistrationRepository);
AuthenticationWebFilter authenticationFilter =
new OAuth2LoginAuthenticationWebFilter(authenticationManager(amType), authorizedClientRepository);
authenticationFilter.setRequiresAuthenticationMatcher(
new PathPatternParserServerWebExchangeMatcher("/login/oauth2/code/{registrationId}"));
authenticationFilter.setServerAuthenticationConverter(
new ServerOAuth2AuthorizationCodeAuthenticationTokenConverter(clientRegistrationRepository));
authenticationFilter.setAuthenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler());
authenticationFilter.setAuthenticationFailureHandler((exchange, ex) -> Mono.error(ex));
authenticationFilter.setSecurityContextRepository(new WebSessionServerSecurityContextRepository());
MediaTypeServerWebExchangeMatcher htmlMatcher = new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_HTML);
htmlMatcher.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
ServerAuthenticationEntryPoint entrypoint =
new RedirectServerAuthenticationEntryPoint("/oauth2/authorization/" + amType.name());
http.exceptionHandling().authenticationEntryPoint(new DelegateEntry(htmlMatcher, entrypoint).getEntryPoint());
http.addFilterAt(authRequestRedirectFilter, SecurityWebFiltersOrder.HTTP_BASIC);
http.addFilterAt(authenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION);
}
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
// 自定义oauth2 认证, 使用redis读取token,而非jwt方式
JsonAuthenticationEntryPoint entryPoint = new JsonAuthenticationEntryPoint(accessLogService);
JsonAccessDeniedHandler accessDeniedHandler = new JsonAccessDeniedHandler(accessLogService);
AccessManager accessManager = new AccessManager(apiresourceLocator, apiProperties);
AuthenticationWebFilter oauth2 = new AuthenticationWebFilter(new RedisAuthenticationManager(new RedisTokenStore(redisConnectionFactory)));
oauth2.setServerAuthenticationConverter(new ServerBearerTokenAuthenticationConverter());
oauth2.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
oauth2.setAuthenticationSuccessHandler(new ServerAuthenticationSuccessHandler() {
@Override
public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
ServerWebExchange exchange = webFilterExchange.getExchange();
SecurityContextServerWebExchange securityContextServerWebExchange = new SecurityContextServerWebExchange(exchange, ReactiveSecurityContextHolder.getContext().subscriberContext(
ReactiveSecurityContextHolder.withAuthentication(authentication)
));
return webFilterExchange.getChain().filter(securityContextServerWebExchange);
}
});
http
.httpBasic().disable()
.csrf().disable()
.authorizeExchange()
.pathMatchers("/").permitAll()
// 动态权限验证
.anyExchange().access(accessManager)
.and().exceptionHandling()
.accessDeniedHandler(accessDeniedHandler)
.authenticationEntryPoint(entryPoint).and()
// 日志前置过滤器
.addFilterAt(new PreRequestFilter(), SecurityWebFiltersOrder.FIRST)
// 跨域过滤器
.addFilterAt(corsFilter(), SecurityWebFiltersOrder.CORS)
// 签名验证过滤器
.addFilterAt(new PreSignatureFilter(baseAppServiceClient,apiProperties, new JsonSignatureDeniedHandler(accessLogService)), SecurityWebFiltersOrder.CSRF)
// 访问验证前置过滤器
.addFilterAt(new PreCheckFilter(accessManager, accessDeniedHandler), SecurityWebFiltersOrder.CSRF)
// oauth2认证过滤器
.addFilterAt(oauth2, SecurityWebFiltersOrder.AUTHENTICATION)
// 日志过滤器
.addFilterAt(new AccessLogFilter(accessLogService), SecurityWebFiltersOrder.SECURITY_CONTEXT_SERVER_WEB_EXCHANGE);
return http.build();
}
public AuthenticationWebFilter authenticationWebFilter() {
return new AuthenticationWebFilter(resolver());
}