序
本文主要研究下reactive模式下的spring security context的获取。
ReactiveSecurityContextHolder
springboot2支持了webflux的异步模式,那么传统的基于threadlocal的SecurityContextHolder就不管用了。spring security5.x也支持了reactive方式,这里就需要使用reactive版本的SecurityContextHolder
spring-security-core-5.0.3.RELEASE-sources.jar!/org/springframework/security/core/context/ReactiveSecurityContextHolder.java
public class ReactiveSecurityContextHolder {
private static final Class> SECURITY_CONTEXT_KEY = SecurityContext.class;
/**
* Gets the {@code Mono} from Reactor {@link Context}
* @return the {@code Mono}
*/
public static Mono getContext() {
return Mono.subscriberContext()
.filter( c -> c.hasKey(SECURITY_CONTEXT_KEY))
.flatMap( c-> c.>get(SECURITY_CONTEXT_KEY));
}
/**
* Clears the {@code Mono} from Reactor {@link Context}
* @return Return a {@code Mono} which only replays complete and error signals
* from clearing the context.
*/
public static Function clearContext() {
return context -> context.delete(SECURITY_CONTEXT_KEY);
}
/**
* Creates a Reactor {@link Context} that contains the {@code Mono}
* that can be merged into another {@link Context}
* @param securityContext the {@code Mono} to set in the returned
* Reactor {@link Context}
* @return a Reactor {@link Context} that contains the {@code Mono}
*/
public static Context withSecurityContext(Mono extends SecurityContext> securityContext) {
return Context.of(SECURITY_CONTEXT_KEY, securityContext);
}
/**
* A shortcut for {@link #withSecurityContext(Mono)}
* @param authentication the {@link Authentication} to be used
* @return a Reactor {@link Context} that contains the {@code Mono}
*/
public static Context withAuthentication(Authentication authentication) {
return withSecurityContext(Mono.just(new SecurityContextImpl(authentication)));
}
}
可以看到,这里利用了reactor提供的context机制来进行异步线程的变量传递。
实例
public Mono getCurrentUser() {
return ReactiveSecurityContextHolder.getContext()
.switchIfEmpty(Mono.error(new IllegalStateException("ReactiveSecurityContext is empty")))
.map(SecurityContext::getAuthentication)
.map(Authentication::getPrincipal)
.cast(User.class);
}
源码解析
ServerHttpSecurity
spring-security-config-5.0.3.RELEASE-sources.jar!/org/springframework/security/config/web/server/ServerHttpSecurity.java
public SecurityWebFilterChain build() {
if(this.built != null) {
throw new IllegalStateException("This has already been built with the following stacktrace. " + buildToString());
}
this.built = new RuntimeException("First Build Invocation").fillInStackTrace();
if(this.headers != null) {
this.headers.configure(this);
}
WebFilter securityContextRepositoryWebFilter = securityContextRepositoryWebFilter();
if(securityContextRepositoryWebFilter != null) {
this.webFilters.add(securityContextRepositoryWebFilter);
}
if(this.csrf != null) {
this.csrf.configure(this);
}
if(this.httpBasic != null) {
this.httpBasic.authenticationManager(this.authenticationManager);
this.httpBasic.configure(this);
}
if(this.formLogin != null) {
this.formLogin.authenticationManager(this.authenticationManager);
if(this.securityContextRepository != null) {
this.formLogin.securityContextRepository(this.securityContextRepository);
}
if(this.formLogin.authenticationEntryPoint == null) {
this.webFilters.add(new OrderedWebFilter(new LoginPageGeneratingWebFilter(), SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING.getOrder()));
this.webFilters.add(new OrderedWebFilter(new LogoutPageGeneratingWebFilter(), SecurityWebFiltersOrder.LOGOUT_PAGE_GENERATING.getOrder()));
}
this.formLogin.configure(this);
}
if(this.logout != null) {
this.logout.configure(this);
}
this.requestCache.configure(this);
this.addFilterAt(new SecurityContextServerWebExchangeWebFilter(), SecurityWebFiltersOrder.SECURITY_CONTEXT_SERVER_WEB_EXCHANGE);
if(this.authorizeExchange != null) {
ServerAuthenticationEntryPoint authenticationEntryPoint = getAuthenticationEntryPoint();
ExceptionTranslationWebFilter exceptionTranslationWebFilter = new ExceptionTranslationWebFilter();
if(authenticationEntryPoint != null) {
exceptionTranslationWebFilter.setAuthenticationEntryPoint(
authenticationEntryPoint);
}
this.addFilterAt(exceptionTranslationWebFilter, SecurityWebFiltersOrder.EXCEPTION_TRANSLATION);
this.authorizeExchange.configure(this);
}
AnnotationAwareOrderComparator.sort(this.webFilters);
List sortedWebFilters = new ArrayList<>();
this.webFilters.forEach( f -> {
if(f instanceof OrderedWebFilter) {
f = ((OrderedWebFilter) f).webFilter;
}
sortedWebFilters.add(f);
});
return new MatcherSecurityWebFilterChain(getSecurityMatcher(), sortedWebFilters);
}
这里的build方法创建了securityContextRepositoryWebFilter并添加到webFilters里头
securityContextRepositoryWebFilter
private WebFilter securityContextRepositoryWebFilter() {
ServerSecurityContextRepository repository = this.securityContextRepository;
if(repository == null) {
return null;
}
WebFilter result = new ReactorContextWebFilter(repository);
return new OrderedWebFilter(result, SecurityWebFiltersOrder.REACTOR_CONTEXT.getOrder());
}
这里创建了ReactorContextWebFilter
ReactorContextWebFilter
spring-security-web-5.0.3.RELEASE-sources.jar!/org/springframework/security/web/server/context/ReactorContextWebFilter.java
public class ReactorContextWebFilter implements WebFilter {
private final ServerSecurityContextRepository repository;
public ReactorContextWebFilter(ServerSecurityContextRepository repository) {
Assert.notNull(repository, "repository cannot be null");
this.repository = repository;
}
@Override
public Mono filter(ServerWebExchange exchange, WebFilterChain chain) {
return chain.filter(exchange)
.subscriberContext(c -> c.hasKey(SecurityContext.class) ? c :
withSecurityContext(c, exchange)
);
}
private Context withSecurityContext(Context mainContext, ServerWebExchange exchange) {
return mainContext.putAll(this.repository.load(exchange)
.as(ReactiveSecurityContextHolder::withSecurityContext));
}
}
这里使用reactor的subscriberContext将SecurityContext注入进去。
小结
基于reactor提供的context机制,spring security也相应提供了ReactiveSecurityContextHolder用来获取当前用户,非常便利。
doc
- 聊聊reactor异步线程的变量传递
- 5.10.3 EnableReactiveMethodSecurity