1

我正在使用带有 webflux 安全性的 Spring boot 2.5.6。

@EnableWebFluxSecurity
public class AdminSecurityConfig {
          
    @Bean
    public SecurityWebFilterChain securitygWebFilterChain(final ServerHttpSecurity http,
        final ReactiveAuthenticationManager authManager,
        final ServerSecurityContextRepository securityContextRepository,
        final MyAuthenticationFailureHandler failureHandler) {
               
        http.securityContextRepository(securityContextRepository);

        return http.authorizeExchange().matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                        .pathMatchers(props.getSecurity().getIgnorePatterns()).permitAll()
                        .pathMatchers("/api/v1/service/test").hasAuthority("DEFAULT")
                        .anyExchange().authenticated()
                        .and()
                        .formLogin()
                        .loginPage("/login")
                        .authenticationSuccessHandler(authSuccessHandler())
                        .and()
                        .exceptionHandling()
                        .authenticationEntryPoint((exchange, exception) -> Mono.error(exception))
                        .accessDeniedHandler((exchange, exception) -> Mono.error(exception))
                        .and()
                        .build();
            }
    
    @Bean
    public PasswordEncoder passwordEncoder() {
        // return new BCryptPasswordEncoder();
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
    
    @Bean
    public ReactiveAuthenticationManager authenticationManager() {
        final UserDetailsRepositoryReactiveAuthenticationManager authenticationManager = new UserDetailsRepositoryReactiveAuthenticationManager(
                    userDetailsService);
        authenticationManager.setPasswordEncoder(passwordEncoder());
        return authenticationManager;
    }
    
    @Bean
    public ServerSecurityContextRepository securityContextRepository() {
        final WebSessionServerSecurityContextRepository securityContextRepository = new WebSessionServerSecurityContextRepository();
        securityContextRepository.setSpringSecurityContextAttrName("my-security-context");
        return securityContextRepository;
    }
}

Mono<Principal> principal = ReactiveSecurityContextHolder.getContext().map(SecurityContext::getAuthentication).cast(Principal.class);

final MyAppUserDetails user = (MyAppUserDetails) ((UsernamePasswordAuthenticationToken) principal) .getPrincipal();

在这里,我可以检索登录的用户详细信息。MyAppUserDetails 将包含用户详细信息,例如名字、姓氏、电子邮件、用户 ID、组织 ID、...。现在,我想在用户登录后在会话中更新用户详细信息,比如更改用户名而不询问用户注销和登录。

我尝试了下面的代码,但不确定如何设置凭据并将更新的用户设置到安全上下文中,以便下一次从安全上下文获取当前用户调用将返回更新的用户。

final MyAppUserDetails appUser = new MyAppUserDetails("firstName", "lastName", "email", 1, 4);
        UsernamePasswordAuthenticationToken authentication  = new UsernamePasswordAuthenticationToken(appUser, ....);
        ReactiveSecurityContextHolder.withAuthentication(authentication);
4

1 回答 1

0
  1. 从请求中获取会话。
  2. 从会话中获取上下文
  3. 创建新用户
  4. 在上下文中设置新用户
public Mono<ServerResponse> updateSession(ServerRequest request) {
       return request.exchange().getSession().flatMap(session -> {
          final SecurityContext context = session.getAttribute("app-security-context");
          AppUserDetails newUser = AppUserDetails.of(...);
          UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(newUser, pwd, authorities);
          context.setAuthentication(token);
       }
    }

它正在工作,但不确定为什么我们需要使用以下方法保存上下文。

serverSecurityContextRepository.save(request.exchange(), context);

它无需上述调用即可工作。

于 2021-11-20T15:57:18.517 回答