Looking for guidance on implementing security in WebFlux/reactive environment #5328

Closed
@edeandrea

I'm looking for a little guidance on how to implement some things within a WebFlux/reactive environment.

More specifically I'm looking for what the best approach is for building reactive equivalents of the RequestHeaderAuthenticationFilter and the AbstractAuthenticationProcessingFilter.

In our organization we offer our application developers (Spring Boot RESTful services) a way to configure their applications to be either protected by SiteMinder (RequestHeaderAuthenticationFilter) or by JWT tokens passed as Authorization Bearer headers (custom implementation of AbstractAuthenticationProcessingFilter).

When looking at the reactive filters currently available I see the AuthenticationWebFilter which has a ServerHttpBasicAuthenticationConverter as the authenticationConverter as well as HttpBasicServerAuthenticationEntryPoint set within the ServerAuthenticationFailureHandler.

Am I safe to assume that the correct thing to do would be to build custom authenticationConverters for my 2 use cases? I've already added #5325 for allowing an HttpStatusServerEntryPoint, which is what I would set within the ServerAuthenticationFailureHandler.

Or is it a better approach to build a custom WebFilter?

It just seems there's lots of "stuff" in RequestHeaderAuthenticationFilter (and its AbstractPreAuthenticatedProcessingFilter parent class) as well as in AbstractAuthenticationProcessingFilter that I'd have to replicate. Plus, given #4961, the whole event notification thing doesn't work.
