How do I implement token based authentication on a spring webflux api?
I've tried working with both ReactiveAuthenticationManager and a WebFilter. In both cases, the execution flow is some form of this:
@Component
@RequiredArgsConstructor
public class JwtReactiveAuthenticationManager implements ReactiveAuthenticationManager {
private final JwtTokenProvider jwtTokenProvider;
private final UserRepository userRepository;
@Override
public Mono<Authentication> authenticate(Authentication authentication) {
String token = authentication.getCredentials().toString();
if (!jwtTokenProvider.validateToken(token)) {
System.out.println("Invalid token");
return Mono.empty();
}
String username = jwtTokenProvider.getUsernameFromToken(token);
return userRepository.findByEmail(username)
.switchIfEmpty(Mono.error(new RuntimeException("User not found")))
.map(user -> {
System.out.println("hydrated user from token. File is JRAM");
System.out.println(user); // this prints user
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
user.getUsername(),
null,
Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"))
);
return authenticationToken;
});
}
}
As commented above, token is decoded and user is hydrated correctly. I believe the problem stems from binding it to the ReactiveSecurityContextHolder. I tried different variations of the below:
SecurityContextImpl securityContext = new SecurityContextImpl(authentication);
Context context = ReactiveSecurityContextHolder.withSecurityContext(Mono.just(securityContext));
In one instance, I tried setting security context and returning that to the mono. In another instance, I tried just setting the authentication directly on ReactiveSecurityContextHolder.withAuthentication. No dice. When I was working with ReactiveAuthenticationManager, I also tried ServerSecurityContextRepository
@Override
public Mono<SecurityContext> load(ServerWebExchange swe) {
String authHeader = swe.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
if (authHeader != null && authHeader.startsWith("Bearer ")) {
String authToken = authHeader.substring(7);
Authentication auth = new UsernamePasswordAuthenticationToken(authToken, authToken);
return authenticationManager.authenticate(auth).map(SecurityContextImpl::new);
} else {
return Mono.empty();
}
}
Didn't help. Trying to read authentication from the ReactiveSecurityContextHolder in a subsequent mono method fails with a NullPointerException. So I'm guessing the setting breaks but I can't debug that cuz switchIfEmpty and onErrorResume just print out whatever they're given all the same.
Most stack overflow answers on the subject are outdated, using deprecated methods. Also none of these work for me while retrieving the user. Authentication is probably failing but at some point, I could access user parameter although it was blank. Other times, request just backs off with 401
Below is the securityConfig
http
.csrf(ServerHttpSecurity.CsrfSpec::disable)
.cors(httpSecurityCorsConfigurer -> httpSecurityCorsConfigurer.configurationSource(request -> {
CorsConfiguration config = new CorsConfiguration();
// bunch of stuff
return config;
}))
/*.authenticationManager(authenticationManager)
.securityContextRepository(securityContextRepository)*/
.authorizeExchange(authorizeExchangeSpec -> {
authorizeExchangeSpec.pathMatchers(
"api/v1/user/login",
"api/v1/user/register","webjars/**",
"/v3/api-docs/**", "/swagger-ui.html",
"/swagger-ui/**").permitAll();
authorizeExchangeSpec.anyExchange().authenticated();
})
.addFilterAt(jwtAuthenticationFilter, SecurityWebFiltersOrder.AUTHENTICATION)
.build();
Kindly help spell out the necessary steps to pass my user to the security context and retrieve it from controller methods. I'm on spring boot 3.3.4. Thanks
Solution
With a simplistic version of your JwtReactiveAuthenticationManager and the below code, I'm able to access Authentication inside a controller.
I hope I understood the issue correct.
SecurityConfig
import no.mycompany.webflux.JwtReactiveAuthenticationManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import reactor.core.publisher.Mono;
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {
private final JwtReactiveAuthenticationManager authenticationManager;
public SecurityConfig(JwtReactiveAuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
return http
.csrf(ServerHttpSecurity.CsrfSpec::disable)
.authorizeExchange(exchanges -> exchanges
.anyExchange().hasRole("USER")
)
.addFilterAt(jwtAuthenticationFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
.build();
}
private AuthenticationWebFilter jwtAuthenticationFilter() {
var authenticationWebFilter = new AuthenticationWebFilter(authenticationManager);
authenticationWebFilter.setServerAuthenticationConverter(exchange -> {
String authHeader = exchange.getRequest().getHeaders().getFirst("Authorization");
if (authHeader != null && authHeader.startsWith("Bearer ")) {
var token = authHeader.substring(7);
// instance is passed to JwtReactiveAuthenticationManager#authenticate
return Mono.just(new UsernamePasswordAuthenticationToken(token, token));
}
return Mono.empty();
});
return authenticationWebFilter;
}
}
Controller
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Mono;
@RestController
@RequestMapping("/api")
public class SomeController {
@GetMapping
public Mono<String> sayHello(Authentication authentication) {
return Mono.just("Hello World " + authentication.getName());
}
}
Update Added implementation of my mock JwtReactiveAuthenticationManager
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;
import java.util.Collections;
@Component
public class JwtReactiveAuthenticationManager implements ReactiveAuthenticationManager {
@Override
public Mono<Authentication> authenticate(Authentication authentication) {
// to get token: authentication.getCredentials().toString();
// for this demo, we return a fixed user
return Mono.just(new UsernamePasswordAuthenticationToken(
"user1",
null,
Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")))
);
}
}
build.gradle.kts
plugins {
java
id("org.springframework.boot") version "3.4.1"
id("io.spring.dependency-management") version "1.1.7"
}
group = "no.mycompany"
version = "0.0.1-SNAPSHOT"
java {
toolchain {
languageVersion = JavaLanguageVersion.of(21)
}
}
repositories {
mavenCentral()
}
dependencies {
implementation("org.springframework.boot:spring-boot-starter-security")
implementation("org.springframework.boot:spring-boot-starter-webflux")
testImplementation("org.springframework.boot:spring-boot-starter-test")
}
tasks.withType<Test> {
useJUnitPlatform()
}
- Spring Boot 2.7.18 compatibility issue with spring-cloud
- Caused by: java.lang.ClassNotFoundException: org.springframework.boot.context.properties.ConfigurationBeanFactoryMetadata
- not able to mock functional interface when testing controller and functional interface is being called from controller
- Upgrading to Spring Boot 3/ JDK 17/ Spring 6 - JAXB conflict issue IllegalAnnotationsException
- Connecting to AxonServer node failed: UNAVAILABLE: Network closed for unknown reason
- How do I force a Spring Boot JVM into UTC time zone?
- Set chunksize dynamically after fetching from db
- How to access a value defined in the application.properties file in Spring Boot
- GET Request Returning Empty Object in SpringBoot
- How to start up spring-boot application via command line?
- How to add custom ApplicationContextInitializer to a spring boot application?
- OpenAPI vs swagger
- Spring Boot Java Config Set Session Timeout
- Spring Boot 3.4.0 An error occurred while attempting to decode the Jwt: Unable to obtain X509Certificate from current request
- How to run Swagger 3 on Spring Boot 3
- Spring boot + React JS Reset password implementation
- Component scan for configuration class could not be used with conditions in REGISTER_BEAN
- Failed to load ApplicationContext for [WebMergedContextConfiguration@7f5614f9 testClass = com.proj.my.controller.OrderControllerTest,
- No primary or default constructor found for interface java.util.List Rest API Spring boot
- Feign client and Spring retry
- How do you implement swagger ui into a Spring Boot 3.4 project
- parse Json in Java -> INCLUDE_SOURCE_IN_LOCATION` disabled
- Springboot with Spring-cloud-aws and cloudwatch metrics
- NullPointerException Problem when trying to mock Elastic Search's RestHighLevelClient
- Transaction management of JPA and external API calls
- How to extends PostgreSQL dialect to add support for some custom column type? No type mapping for org.hibernate.type.SqlTypes code: 1111 (OTHER)
- How do I enable CORS headers in the Swagger /v2/api-docs offered by Springfox Swagger?
- Springboot Oauth2 Principal object
- Use Keycloak Spring Adapter with Spring Boot 3
- JPA query for deleting relations