Description
I'm looking for a little guidance on how to implement some things within a WebFlux/reactive environment.
More specifically I'm looking for what the best approach is for building reactive equivalents of the RequestHeaderAuthenticationFilter and the AbstractAuthenticationProcessingFilter.
In our organization we offer our application developers (Spring Boot RESTful services) a way to configure their applications to be protected either by SiteMinder (RequestHeaderAuthenticationFilter) or by JWT tokens passed as Authorization Bearer headers (custom implementation of AbstractAuthenticationProcessingFilter).
When looking at the reactive filters currently available I see the AuthenticationWebFilter, which has a ServerHttpBasicAuthenticationConverter as the authenticationConverter as well as HttpBasicServerAuthenticationEntryPoint set within the ServerAuthenticationFailureHandler.
Am I safe to assume that the correct thing to do would be to build custom authenticationConverters for my 2 use cases? I've already added #5325 for allowing an HttpStatusServerEntryPoint, which is what I would set within the ServerAuthenticationFailureHandler.
Or is it a better approach to build a custom WebFilter?
It just seems there's lots of "stuff" in RequestHeaderAuthenticationFilter (and its AbstractPreAuthenticatedProcessingFilter parent class) as well as in AbstractAuthenticationProcessingFilter that I'd have to replicate. Plus, given #4961, the whole event notification thing doesn't work.
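
The converter-based approach the post asks about could look like the following. This is an added example, not code from the post or from Spring Security; it assumes Spring Security 5.1 or later (ServerAuthenticationConverter, HttpStatusServerEntryPoint), and HeaderAuthFilters, its method names and the ROLE_USER authority are hypothetical.

```java
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerAuthenticationEntryPointFailureHandler;
import reactor.core.publisher.Mono;

// Hypothetical helper class; names are illustrative, not Spring Security API.
public final class HeaderAuthFilters {

    // Principal header set by the proxy; an empty Mono means "no attempt",
    // so the filter lets the request continue unauthenticated.
    static ServerAuthenticationConverter requestHeader(String headerName) {
        return exchange -> Mono
            .justOrEmpty(exchange.getRequest().getHeaders().getFirst(headerName))
            .filter(user -> !user.trim().isEmpty())
            .<Authentication>map(user -> new PreAuthenticatedAuthenticationToken(user.trim(), "N/A"));
    }

    // "Authorization: Bearer <jwt>": the raw token is carried as credentials
    // for the ReactiveAuthenticationManager to verify.
    static ServerAuthenticationConverter bearer() {
        return exchange -> Mono
            .justOrEmpty(exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION))
            .filter(h -> h.length() > 7 && h.regionMatches(true, 0, "Bearer ", 0, 7))
            .<Authentication>map(h -> new PreAuthenticatedAuthenticationToken("jwt", h.substring(7).trim()));
    }

    // Manager for the header case: the proxy already authenticated the user.
    static ReactiveAuthenticationManager trustProxy() {
        return auth -> Mono.just(new PreAuthenticatedAuthenticationToken(
            auth.getPrincipal(), "N/A", AuthorityUtils.createAuthorityList("ROLE_USER")));
    }

    // Wires converter + manager; failures return a bare 401 with no challenge.
    static AuthenticationWebFilter filter(ServerAuthenticationConverter converter,
                                          ReactiveAuthenticationManager manager) {
        AuthenticationWebFilter f = new AuthenticationWebFilter(manager);
        f.setServerAuthenticationConverter(converter);
        f.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(
            new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)));
        return f;
    }
}
```

The header converter is only sound when the service is reachable solely through the SiteMinder agent, which must overwrite any client-supplied copy of the header. For the bearer case, the manager passed to `filter` has to verify the JWT signature and claims before returning an authenticated token.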