Spring-security: define the secured URLs within an application dynamically in Webflux

Created on 23 Dec 2018  路  3Comments  路  Source: spring-projects/spring-security

Summary

hi,i am currently using spring cloud gateway,so i want to integrate spring security for the permission management.how to define the secured URLs within an application dynamically in Webflux?As described here https://docs.spring.io/spring-security/site/docs/5.0.10.RELEASE/reference/htmlsingle/#appendix-faq-dynamic-url-metadata,it seems it's only for servlet,but not for webflux.is there a way to do the samething?

Version

5.0.10.RELEASE

stackoverflow
Source
picture xingfudeshi

Most helpful comment

@xingfudeshi My apologies for the delayed response. The team was on vacation for the holidays. Did you get your issue resolved?

For WebFlux it is much easier. You can do something like this:

@Component
public class Check implements ReactiveAuthorizationManager<AuthorizationContext> {

    @Override
    public Mono<AuthorizationDecision> check(Mono<Authentication> authentication,
            AuthorizationContext context) {

        ServerWebExchange exchange = context.getExchange();
        // do logic and return result ...
        // hard code for demo

        return Mono.just(new AuthorizationDecision(false)); 
    }
}

Then configure it

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, ReactiveAuthorizationManager<AuthorizationContext> check) {
    http
        .authorizeExchange()
            .anyExchange().access(check);
    return http.build();
}

PS: As the team can be out of the office at times, we typically recommend you place questions on StackOverflow so the entire community is looking at them vs just the Security team.

picture rwinch on 7 Jan 2019
😄3

All 3 comments

what a pity?no one response?!

xingfudeshi picture xingfudeshi on 30 Dec 2018

@xingfudeshi My apologies for the delayed response. The team was on vacation for the holidays. Did you get your issue resolved?

For WebFlux it is much easier. You can do something like this:

@Component
public class Check implements ReactiveAuthorizationManager<AuthorizationContext> {

    @Override
    public Mono<AuthorizationDecision> check(Mono<Authentication> authentication,
            AuthorizationContext context) {

        ServerWebExchange exchange = context.getExchange();
        // do logic and return result ...
        // hard code for demo

        return Mono.just(new AuthorizationDecision(false)); 
    }
}

Then configure it

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, ReactiveAuthorizationManager<AuthorizationContext> check) {
    http
        .authorizeExchange()
            .anyExchange().access(check);
    return http.build();
}

PS: As the team can be out of the office at times, we typically recommend you place questions on StackOverflow so the entire community is looking at them vs just the Security team.

rwinch picture rwinch on 7 Jan 2019
😄3

@rwinch Thank u sir.i am very happy to get response from u.i've resolved that issue with the similar way as you said above.thanks again.

xingfudeshi picture xingfudeshi on 8 Jan 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

berniegp picture berniegp  路  3Comments
qq494679975 picture qq494679975  路  3Comments
mstoecklmayr picture mstoecklmayr  路  3Comments
mraible picture mraible  路  3Comments
joshlong picture joshlong  路  3Comments