raphaeldl / spring-webflux-security-jwt Goto Github PK
View Code? Open in Web Editor NEWA JWT authorization and authentication implementation with Spring Reactive Webflux, Spring Boot 2 and Spring Security 5
spring-webflux-security-jwt's People
Contributors
Stargazers
Watchers
Forkers
elementcraft ygypc oskar-szwajkowski dev-nightbrood shengnian when2016 ganforninag salmongit l7871878100 jean-eudes hazelnutsworkgroup stanvl michaelhenrique182 zhulianhai syncmjava crunchdroid dilsh0d xingfudeshi calmriver gfeldmanc fast-family nextinterfaces kindlychung cservin69 kurenairyu xcodeassociated doit01 vaquarkhan hzgao doublespring168 codependent richarddanieloliva ashoksri0 duanyoushi venosov evgeniymelnikov greticani a121bc flandreunx kkhujamov justin-sk janakec19 thaingo sobhan-sai wukongqc soxueren dystudio jhcao23 angelzard83 604331309 julang2 maciekbulanda gabrielf000 lingapsg happylh2012 smingjie tzhanhe ghostidentity mitarothanken bily-amin amanurat deepakhitk jessereyj diogojpb gajjucoderboi vivek-vardhan-k fahmiduldul gulrich1 156420591 kabass brookebryski bc-in bruc3balo mschweyen gg-gk trieuthai cgb-spring-webflux myskillskit hasune cnrainbing bayaabid horizonezodo wagzhispring-webflux-security-jwt's Issues
AuthorizationHeaderPayload should use getResponse()?
Should AuthorizationHeaderPayload be using getResponse()?
`public class AuthorizationHeaderPayload {
public static Mono<String> extract(ServerWebExchange serverWebExchange) {
return Mono.justOrEmpty(serverWebExchange.getResponse()
.getHeaders()
.getFirst(HttpHeaders.AUTHORIZATION));
}
}`
CSRF Token has been associated to this client
Why do i get this message when i use postman. Curl is working perfectly though.
Private API fails with 500 in case of unauthorized user
Even /api/guest api fails.
With following stacktrace:
https://pastebin.com/hbrkyWGi
How to make APIs return 401 instead of failing with 500, if no any creds were specified./
Split responsibility of ServerHttpBearerAuthenticationConverter
I think ServerHttpBearerAuthenticationConverter should be used only for preparing the token for further processing:
Mono.justOrEmpty(serverWebExchange)
.map(JWTAuthorizationPayload::extract)
while authenticating the token:
map(VerifySignedJWT::check)
.map(UsernamePasswordAuthenticationFromJWTToken::create)
is the responsibility of JWTReactiveAuthenticationManager
By the way - instead of providing own implementation of JWTAuthorizationWebFilter just do:
@Component
public class JWTAuthenticationWebFilter extends AuthenticationWebFilter {
public JWTAuthenticationWebFilter(final JWTAuthenticationManager authenticationManager,
final ServerHttpBearerAuthenticationConverter converter,
final UnauthorizedAuthenticationEntryPoint entryPoint) {
super(authenticationManager);
setAuthenticationConverter(converter);
setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
setRequiresAuthenticationMatcher(new JWTHeadersExchangeMatcher()); //this is necessary to match headers. Requests without JWT header should not be taken into account by this filter
}
private static class JWTHeadersExchangeMatcher implements ServerWebExchangeMatcher {
@Override
public Mono<MatchResult> matches(final ServerWebExchange exchange) {
return Mono.just(exchange)
.map(ServerWebExchange::getRequest)
.map(ServerHttpRequest::getHeaders)
.filter(h -> h.containsKey("some JWT header"))
.flatMap($ -> MatchResult.match())
.switchIfEmpty(MatchResult.notMatch());
}
}
}
And don't forget to set:
http
.exceptionHandling()
.authenticationEntryPoint(new UnauthorizedAuthenticationEntryPoint ())
.and()
where
@Component
public class UnauthorizedAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
@Override
public Mono<Void> commence(final ServerWebExchange exchange, final AuthenticationException e) {
return Mono.fromRunnable(() -> exchange.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED));
}
}
otherwise SpringSecurity will still display BasicAuth on requests without headers
Doc not exact :) cost me 1 hour my life
Use that in another request:
$ curl -v -H "Authorization: Authorization: Bearer eyJhbGciOiJIUzI1Ni....." localhost:8080/api/admin
You should be able to consume the API
have to be:
$ curl -v -H "Authorization: Bearer eyJhbGciOiJIUzI1Ni....." localhost:8080/api/admin
How to use this application
Sorry I am new to this whole Spring Security scenario, and also to reactive programming. I am trying to run this application, and I am not sure how I can login to this application and generate the JWT Token for furthur requests to the resource server
Missing @EnableReactiveMethodSecurity
First off thank you for this great example.
I think you forgot to add the @EnableReactiveMethodSecurity annotation on your SecuredRestApplication. I was playing around a bit with your code and removing the ADMIN role from the user setup did not prevent me from accessing the /api/admin endpoint.
@Bean
public MapReactiveUserDetailsService userDetailsRepository() {
UserDetails user = User.withDefaultPasswordEncoder()
.username("user")
.password("user")
.roles("USER")
.build();
return new MapReactiveUserDetailsService(user);
}
Then I generated a new token Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwicm9sZXMiOiJST0xFX1VTRVIiLCJpc3MiOiJyYXBoYS5pbyIsImV4cCI6MTU2NzY3OTY3OX0.C67PZ_YX2Zm1_YDMnVgqoxNXCEd4iKOhTM9EdiEA5WI (content can be checked via https://jwt.io/ and verified with the default secret of your app).
This will then still allow me to call the admin endpoint:
$ http -v :8080/api/admin "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwicm9sZXMiOiJST0xFX1VTRVIiLCJpc3MiOiJyYXBoYS5pbyIsImV4cCI6MTU2NzY3OTY3OX0.C67PZ_YX2Zm1_YDMnVgqoxNXCEd4iKOhTM9EdiEA5WI"
GET /api/admin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwicm9sZXMiOiJST0xFX1VTRVIiLCJpc3MiOiJyYXBoYS5pbyIsImV4cCI6MTU2NzY3OTY3OX0.C67PZ_YX2Zm1_YDMnVgqoxNXCEd4iKOhTM9EdiEA5WI
Connection: keep-alive
Host: localhost:8080
User-Agent: HTTPie/0.9.8
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Expires: 0
Pragma: no-cache
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1 ; mode=block
transfer-encoding: chunked
[
{
"message": "Hello Admin!",
"name": "Admin"
}
]
When adding the @EnableReactiveMethodSecurity annotation, I get the following, as expected:
HTTP/1.1 403 Forbidden
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/plain
Expires: 0
Pragma: no-cache
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1 ; mode=block
transfer-encoding: chunked
Denied
Authentication Token
Hi, How can we generate the auth token?
how to use AccessDecisionManager in your project?
how to use AccessDecisionManager in your project ?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.