|
此版本仍在开发中,尚不被认为是稳定的。对于最新的稳定版本,请使用 Spring Security 6.5.3! |
响应式 X.509 身份验证
与 Servlet X.509 身份验证类似,响应式 x509 身份验证过滤器允许从客户端提供的证书中提取身份验证Tokens。
以下示例显示了响应式 x509 安全配置:
-
Java
-
Kotlin
@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
http
.x509(Customizer.withDefaults())
.authorizeExchange((authorize) -> authorize
.anyExchange().authenticated()
);
return http.build();
}@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
x509 { }
authorizeExchange {
authorize(anyExchange, authenticated)
}
}
}在前面的配置中,当两者都不是principalExtractor也不authenticationManager,则使用默认值。
默认主体提取器是SubjectX500PrincipalExtractor,它从客户端提供的证书中提取 CN(公用名)字段。
默认身份验证管理器为ReactivePreAuthenticatedAuthenticationManager,它执行用户帐户验证,检查名称由principalExtractor存在,并且它未锁定、禁用或过期。
以下示例演示了如何覆盖这些默认值:
-
Java
-
Kotlin
@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
SubjectX500PrincipalExtractor principalExtractor = new SubjectX500PrincipalExtractor();
principalExtractor.setExtractPrincipalNameFromEmail(true);
UserDetails user = User
.withUsername("luke@monkeymachine")
.password("password")
.roles("USER")
.build();
ReactiveUserDetailsService users = new MapReactiveUserDetailsService(user);
ReactiveAuthenticationManager authenticationManager = new ReactivePreAuthenticatedAuthenticationManager(users);
http
.x509((x509) -> x509
.principalExtractor(principalExtractor)
.authenticationManager(authenticationManager)
)
.authorizeExchange((authorize) -> authorize
.anyExchange().authenticated()
);
return http.build();
}@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
val extractor = SubjectX500PrincipalExtractor()
extractor.setExtractPrincipalNameFromEmail(true)
val user = User
.withUsername("luke@monkeymachine")
.password("password")
.roles("USER")
.build()
val users: ReactiveUserDetailsService = MapReactiveUserDetailsService(user)
val authentication: ReactiveAuthenticationManager = ReactivePreAuthenticatedAuthenticationManager(users)
return http {
x509 {
principalExtractor = extractor
authenticationManager = authentication
}
authorizeExchange {
authorize(anyExchange, authenticated)
}
}
}在前面的示例中,用户名是从emailAddress字段而不是 CN,并且帐户查找使用自定义ReactiveAuthenticationManager实例。
有关配置 Netty 和WebClient或curl命令行工具,以使用双向 TLS 并启用 X.509 身份验证,请参阅 github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509。