spring-security Spring Webflux的WebClient的用户名和密码放在哪里?

n9vozmp4  于 2022-11-11  发布在  Spring
关注(0)|答案(3)|浏览(259)

我尝试用路由器类和处理器类来制作Spring webflux安全应用程序。首先,下面的代码是webflux安全的配置代码。

@Configuration
@EnableWebFluxSecurity
public class BlogWebFluxSecurityConfig {

    @Bean
    public MapReactiveUserDetailsService userDetailsService() {

        UserDetails userWebFlux = User.withUsername("joseph").password("password").roles("USER").build();
        return new MapReactiveUserDetailsService(userWebFlux);
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http
        .authorizeExchange()
        .pathMatchers("/route/user/all", "/route/post/all").permitAll()
        .pathMatchers(HttpMethod.GET, "/route/user/**", "/route/post/**").hasRole("USER")
        .anyExchange().authenticated()
        .and()
        .httpBasic();

        return http.build();
    } 
}

接下来的代码是关于路由器类的。

@Configuration
@EnableWebFlux
public class BlogWebFluxEndpointRouter {

    @Bean
    public RouterFunction<ServerResponse> routesUser(UserHandler handler) {

        return RouterFunctions.route(RequestPredicates.GET("/route/user/all"), handler::findAll)
                    .andRoute(RequestPredicates.GET("/route/user/id/{id}"), handler::findById)
                    .andRoute(RequestPredicates.GET("/route/user/username/{username}"), handler::findByUsername)
                    .andRoute(RequestPredicates.GET("/route/user/email/{email}"), handler::findByEmail)
                    .andRoute(RequestPredicates.POST("/route/user/create"), handler::register)
                    .andRoute(RequestPredicates.GET("/route/user/login/{username}/{password}"), handler::authenticate);
    }

    @Bean
    public RouterFunction<ServerResponse> routesPost(PostHandler handler) {

        return RouterFunctions.route(RequestPredicates.GET("/route/post/all"), handler::findAll)
                    .andRoute(RequestPredicates.GET("/route/post/id/{id}"), handler::findById)
                    .andRoute(RequestPredicates.GET("/route/post/delete/{id}"), handler::deleteById)
                    .andRoute(RequestPredicates.POST("/route/post/create"), handler::create)
                    .andRoute(RequestPredicates.PUT("/route/post/{id}/{content}"), handler::edit);
    }
}

即使网络是休息的Web服务,但我使用WebFlux的WebClient类。

public void functionOnUserDocument() { 
        client.get().uri("/route/user/all").accept(MediaType.APPLICATION_JSON).exchange()
                .flatMapMany(response -> response.bodyToFlux(User.class))
                .subscribe(u -> System.out.println("All Users : " + u.getUsername() + ":" + u.getEmail() + ":" + u.getFullname()));

        client.get().uri("/route/user/id/{id}", "0002").accept(MediaType.APPLICATION_JSON).exchange()
                .flatMap(response -> response.bodyToMono(User.class))
                .subscribe(u -> System.out.println("GET by Id : " + u.getUsername() + ":" + u.getEmail() + ":" + u.getFullname()));

        client.get().uri("/route/user/username/{username}", "jina").accept(MediaType.APPLICATION_JSON).exchange()
                .flatMap(response -> response.bodyToMono(User.class))
                .subscribe(u -> System.out.println("Get by username : " + u.getUsername() + ":" + u.getEmail() + ":" + u.getFullname()));

        client.get().uri("/route/user/email/{email}", "myson@college.ac.kr").accept(MediaType.APPLICATION_JSON).exchange()
                .flatMap(response -> response.bodyToMono(User.class))
                .subscribe(u -> System.out.println("Get By Email : " + u.getUsername() + ":" + u.getEmail() + ":" + u.getFullname()));

        client.get().uri("/route/user/login/{username}/{password}", "julian", "password").exchange()
                .map(ClientResponse::statusCode).subscribe(response -> System.out.println("Login : " + response.getReasonPhrase()));

        User user = new User("0005", 4L, "jane", "password", "aaa@bbb.com", "누나", "USER");

        client.post().uri("/route/user/create").body(Mono.just(user), User.class).exchange() 
                .map(ClientResponse::statusCode).subscribe(response -> System.out.println("User Creation: " + response.getReasonPhrase()));
    }

因为我做了webflux安全配置,肯定有些webclient不能执行,禁止如下,

Login : Unauthorized
User Creation: Forbidden

我不使用curl。所以我想知道的是我的WebClient方法是什么,用户名和密码必须在哪里找到并传递给WebClient类。任何回复都将是感谢的。

iecba09b

iecba09b1#

从Spring 5.1开始,您应该使用HttpHeaders#setBasicAuth设置基本身份验证,如下所示:

webClient
    .get()
    .uri("https://example.com")
    .headers(headers -> headers.setBasicAuth("username", "password"))
    .exchange()
    ....

以前使用.filter(basicAuthentication("user", "password")的方法现在已被弃用。

nwlqm0z1

nwlqm0z12#

HTTP基本身份验证要求在Authorization标头中使用Base64格式编码的用户名和密码。此外,您不需要具有登录端点,因为此信息应随每个请求一起发送。
将Basic Auth标头添加到客户端中的每个调用,如下所示:

String basicAuthHeader = "basic " + Base64Utils.encodeToString((username + ":" + password).getBytes())

client.get().uri("/route/user/all")
      .accept(MediaType.APPLICATION_JSON)
      .header(HttpHeaders.AUTHORIZATION, basicAuthHeader)
      .exchange()
      .flatMapMany(response -> response.bodyToFlux(User.class))
      .subscribe(u -> System.out.println("All Users : " + u.getUsername() + ":" + u.getEmail() + ":" + u.getFullname()));
dl5txlt9

dl5txlt93#

Spring提供了API,用于通过ClientFilters向WebClient提供基本的身份验证参数。
您可以使用较少的自定义编码来实现与设置Authorization头文件相同的结果。
请参阅以下来自Spring文档的代码片段:

import static org.springframework.web.reactive.function.client.ExchangeFilterFunctions.basicAuthentication;

    WebClient client = WebClient.builder()
            .filter(basicAuthentication("user", "password"))
            .build();

相关问题