Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


In the regular Servlet API for Spring Boot Web, there is the .x509() of the HttpSecurity configuration. But in WebFlux's ServerHttpSecurity I can't find anything similar to it.

What is the equivalent of .x509().subjectPrincipalRegex(...) in WebFlux?

End goal is to get the certificate subject as the username sent to ReactiveUserDetailsService.


1 Answer

I don't think there is an X509 filter as there was in the previous versions of Spring, so you'll have to implement your own version of it. Fortunately, the handy org.springframework.security.web.server.authentication.AuthenticationWebFilter provides the pattern for the authentication flow, but you'll have to extract the subject from the cert/request yourself.

The first thing you'll have to do is set up an authentication converter to extract the subject from the cert.

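import java.util.function.Function;

import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.core.Authentication;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

public class X509AuthenticationConverter implements Function<ServerWebExchange, Mono<Authentication>> {

    @Override
    public Mono<Authentication> apply(ServerWebExchange exchange) {
        ServerHttpRequest request = exchange.getRequest();
        try {
            // extract credentials here (placeholder: build the Authentication from the request)
            Authentication authentication = ...
            return Mono.just(authentication);
        } catch (Exception e) {
            // log error here
            // an empty Mono means no credentials were found in this request
            return Mono.empty();
        }
    }
}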

Now in our config, we create the filter and converter beans and set the converter into the filter.

@Bean
public X509AuthenticationConverter x509AuthenticationConverter() {
    return new X509AuthenticationConverter();
}

@Bean
public AuthenticationWebFilter x509AuthenticationWebFilter(ReactiveAuthenticationManager reactiveAuthenticationManager,
                                                          X509AuthenticationConverter x509AuthenticationConverter) {
    AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(reactiveAuthenticationManager);
    authenticationWebFilter.setAuthenticationConverter(x509AuthenticationConverter);
    return authenticationWebFilter;
}

And finally, configure security:

@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http, AuthenticationWebFilter x509AuthenticationWebFilter) {
    return http
            .addFilterAt(x509AuthenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION)
            //...
            .build();
}

This will work just as well with other authentication mechanisms.
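
One way to fill in the "extract credentials here" step of the converter, shown as an added example that is not part of the original answer. The class name SubjectRegexX509Converter and the regex passed to it are assumptions; it relies on the server requesting client certificates during the TLS handshake.

```java
import java.security.cert.X509Certificate;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.http.server.reactive.SslInfo;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Added example: hypothetical class name, not from the original answer.
public class SubjectRegexX509Converter implements Function<ServerWebExchange, Mono<Authentication>> {

    // Plays the role of subjectPrincipalRegex(...): capture group 1 becomes the username.
    private final Pattern subjectPattern;

    public SubjectRegexX509Converter(String subjectPrincipalRegex) {
        this.subjectPattern = Pattern.compile(subjectPrincipalRegex, Pattern.CASE_INSENSITIVE);
    }

    @Override
    public Mono<Authentication> apply(ServerWebExchange exchange) {
        // SslInfo is null on plain HTTP; the certificate array is null when the
        // client presented no certificate (client auth optional or disabled).
        SslInfo sslInfo = exchange.getRequest().getSslInfo();
        if (sslInfo == null) {
            return Mono.empty();
        }
        X509Certificate[] chain = sslInfo.getPeerCertificates();
        if (chain == null || chain.length == 0) {
            return Mono.empty();
        }

        // chain[0] is the client's own certificate. Trust in it comes from the TLS
        // handshake having checked the chain against the server's trust store.
        X509Certificate clientCert = chain[0];
        String subjectDn = clientCert.getSubjectX500Principal().getName();
        Matcher matcher = subjectPattern.matcher(subjectDn);
        if (!matcher.find() || matcher.groupCount() < 1) {
            // No username in the subject: treat as "no credentials", never guess one.
            return Mono.empty();
        }

        // Unauthenticated token: principal = extracted username, credentials = certificate.
        return Mono.just(new PreAuthenticatedAuthenticationToken(matcher.group(1), clientCert));
    }
}
```

Constructed with a pattern such as "CN=(.*?)(?:,|$)", the converter passes the certificate's common name on as the principal. The ReactiveAuthenticationManager given to the filter has to accept a token that carries no password, for example ReactivePreAuthenticatedAuthenticationManager wrapping the ReactiveUserDetailsService.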

