对于最新的稳定版本,请使用 Spring Security 6.3.3! |
对于最新的稳定版本,请使用 Spring Security 6.3.3! |
与 Servlet X.509 身份验证类似,反应式 x509 身份验证过滤器允许从客户端提供的证书中提取身份验证令牌。
以下示例显示了反应式 x509 安全配置:
-
Java
-
Kotlin
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
http
.x509(withDefaults())
.authorizeExchange(exchanges -> exchanges
.anyExchange().permitAll()
);
return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
x509 { }
authorizeExchange {
authorize(anyExchange, authenticated)
}
}
}
在前面的配置中,如果 both 和 未提供,则使用默认值。默认主体提取程序是 ,它从客户端提供的证书中提取 CN(通用名称)字段。默认身份验证管理器是 ,它执行用户帐户验证,检查是否存在具有提取名称的用户帐户,以及该帐户是否未被锁定、禁用或过期。principalExtractor
authenticationManager
SubjectDnX509PrincipalExtractor
ReactivePreAuthenticatedAuthenticationManager
principalExtractor
以下示例演示了如何覆盖这些默认值:
-
Java
-
Kotlin
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
SubjectDnX509PrincipalExtractor principalExtractor =
new SubjectDnX509PrincipalExtractor();
principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");
ReactiveAuthenticationManager authenticationManager = authentication -> {
authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));
return Mono.just(authentication);
};
http
.x509(x509 -> x509
.principalExtractor(principalExtractor)
.authenticationManager(authenticationManager)
)
.authorizeExchange(exchanges -> exchanges
.anyExchange().authenticated()
);
return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
val customPrincipalExtractor = SubjectDnX509PrincipalExtractor()
customPrincipalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)")
val customAuthenticationManager = ReactiveAuthenticationManager { authentication: Authentication ->
authentication.isAuthenticated = "Trusted Org Unit" == authentication.name
Mono.just(authentication)
}
return http {
x509 {
principalExtractor = customPrincipalExtractor
authenticationManager = customAuthenticationManager
}
authorizeExchange {
authorize(anyExchange, authenticated)
}
}
}
在前面的示例中,用户名是从客户端证书的 OU 字段而不是 CN 中提取的,并且根本不执行账户查找。相反,如果提供的证书颁发给名为“Trusted Org Unit”的 OU,则会对请求进行身份验证。ReactiveUserDetailsService
有关配置 Netty 和/或命令行工具以使用双向 TLS 并启用 X.509 身份验证的示例,请参阅 github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509。WebClient
curl