Spring Security WebFlux - body with Authentication

Вадим Парафенюк picture Вадим Парафенюк · Apr 25, 2018 · Viewed 10.9k times · Source

I want to implement simple Spring Security WebFlux application.
I want to use JSON message like

{
   'username': 'admin', 
   'password': 'adminPassword'
} 

in body (POST request to /signin) to sign in my app.

What did I do?

I created this configuration

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity(proxyTargetClass = true)
public class WebFluxSecurityConfig {

    @Autowired
    private ReactiveUserDetailsService userDetailsService;

    @Autowired
    private ObjectMapper mapper;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(11);
    }

    @Bean
    public ServerSecurityContextRepository securityContextRepository() {
        WebSessionServerSecurityContextRepository securityContextRepository =
                new WebSessionServerSecurityContextRepository();

        securityContextRepository.setSpringSecurityContextAttrName("securityContext");

        return securityContextRepository;
    }

    @Bean
    public ReactiveAuthenticationManager authenticationManager() {
        UserDetailsRepositoryReactiveAuthenticationManager authenticationManager =
                new UserDetailsRepositoryReactiveAuthenticationManager(userDetailsService);

        authenticationManager.setPasswordEncoder(passwordEncoder());

        return authenticationManager;
    }

    @Bean
    public AuthenticationWebFilter authenticationWebFilter() {
        AuthenticationWebFilter filter = new AuthenticationWebFilter(authenticationManager());

        filter.setSecurityContextRepository(securityContextRepository());
        filter.setAuthenticationConverter(jsonBodyAuthenticationConverter());
        filter.setRequiresAuthenticationMatcher(
                ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/signin")
        );

        return filter;
    }



    @Bean
    public Function<ServerWebExchange, Mono<Authentication>> jsonBodyAuthenticationConverter() {
        return exchange -> {
            return exchange.getRequest().getBody()
                    .cache()
                    .next()
                    .flatMap(body -> {
                        byte[] bodyBytes = new byte[body.capacity()];
                        body.read(bodyBytes);
                        String bodyString = new String(bodyBytes);
                        body.readPosition(0);
                        body.writePosition(0);
                        body.write(bodyBytes);

                        try {
                            UserController.SignInForm signInForm = mapper.readValue(bodyString, UserController.SignInForm.class);

                            return Mono.just(
                                    new UsernamePasswordAuthenticationToken(
                                            signInForm.getUsername(),
                                            signInForm.getPassword()
                                    )
                            );
                        } catch (IOException e) {
                            return Mono.error(new LangDopeException("Error while parsing credentials"));
                        }
                    });
        };
    }

    @Bean
    public SecurityWebFilterChain securityWebFiltersOrder(ServerHttpSecurity httpSecurity,
                                                          ReactiveAuthenticationManager authenticationManager) {
        return httpSecurity
                .csrf().disable()
                .httpBasic().disable()
                .logout().disable()
                .formLogin().disable()
                .securityContextRepository(securityContextRepository())
                .authenticationManager(authenticationManager)
                .authorizeExchange()
                    .anyExchange().permitAll()
                .and()
                .addFilterAt(authenticationWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
                .build();
    }

}

BUT I use jsonBodyAuthenticationConverter() and it reads Body of the incoming request. Body can be read only once, so I have an error

java.lang.IllegalStateException: Only one connection receive subscriber allowed.

Actually it's working but with exception (session is set in cookies). How can I remake it without this error?

Now I only created something like:

@PostMapping("/signin")
public Mono<Void> signIn(@RequestBody SignInForm signInForm, ServerWebExchange webExchange) {
    return Mono.just(signInForm)
               .flatMap(form -> {
                    UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                            form.getUsername(),
                            form.getPassword()
                    );

                    return authenticationManager
                            .authenticate(token)
                            .doOnError(err -> {
                                System.out.println(err.getMessage());
                            })
                            .flatMap(authentication -> {
                                SecurityContextImpl securityContext = new SecurityContextImpl(authentication);

                                return securityContextRepository
                                        .save(webExchange, securityContext)
                                        .subscriberContext(ReactiveSecurityContextHolder.withSecurityContext(Mono.just(securityContext)));
                            });
                });
    }

And removed AuthenticationWebFilter from config.

Answer

MuratOzkan picture MuratOzkan · Apr 25, 2018

You are almost there. The following converter worked for me:

public class LoginJsonAuthConverter implements Function<ServerWebExchange, Mono<Authentication>> {

    private final ObjectMapper mapper;

    @Override
    public Mono<Authentication> apply(ServerWebExchange exchange) {
        return exchange.getRequest().getBody()
                .next()
                .flatMap(buffer -> {
                    try {
                        SignInRequest request = mapper.readValue(buffer.asInputStream(), SignInRequest.class);
                        return Mono.just(request);
                    } catch (IOException e) {
                        log.debug("Can't read login request from JSON");
                        return Mono.error(e);
                    }
                })
                .map(request -> new UsernamePasswordAuthenticationToken(request.getUsername(), request.getPassword()));
    }
}

Furthermore, you don't need the sign in controller; spring-security will check each request for you in the filter. Here's how I configured spring-security with an ServerAuthenticationEntryPoint:

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http,
                                                        ReactiveAuthenticationManager authManager) {
    return http
            .csrf().disable()
            .authorizeExchange()
            .pathMatchers("/api/**").authenticated()
            .pathMatchers("/**", "/login", "/logout").permitAll()
            .and().exceptionHandling().authenticationEntryPoint(restAuthEntryPoint)
            .and().addFilterAt(authenticationWebFilter(authManager), SecurityWebFiltersOrder.AUTHENTICATION)
            .logout()
            .and().build();
}

Hope this helps.