public final class JwtIssuerReactiveAuthenticationManagerResolver
extends java.lang.Object
implements org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>
An implementation of ReactiveAuthenticationManagerResolver that resolves a JWT-based ReactiveAuthenticationManager based on the Issuer in a signed JWT (JWS).
To use, this class must be able to determine whether or not the `iss` claim is trusted.
Recall that anyone can stand up an authorization server and issue valid tokens to a
resource server. The simplest way to achieve this is to supply a list of trusted
issuers in the constructor.
This class derives the Issuer from the `iss` claim found in the ServerWebExchange's Bearer Token.

| Constructor and Description |
|---|
| JwtIssuerReactiveAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers) Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters |
| JwtIssuerReactiveAuthenticationManagerResolver(org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver) Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters. Note that the ReactiveAuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. |
| JwtIssuerReactiveAuthenticationManagerResolver(java.lang.String... trustedIssuers) Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters |
| Modifier and Type | Method and Description |
|---|---|
| reactor.core.publisher.Mono<org.springframework.security.authentication.ReactiveAuthenticationManager> | resolve(org.springframework.web.server.ServerWebExchange exchange) Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token |
public JwtIssuerReactiveAuthenticationManagerResolver(java.lang.String... trustedIssuers)

Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters

Parameters:
trustedIssuers - a list of trusted issuers

public JwtIssuerReactiveAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers)

Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters

Parameters:
trustedIssuers - a collection of trusted issuers

public JwtIssuerReactiveAuthenticationManagerResolver(org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)

Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters

Note that the ReactiveAuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via an allowed list of issuers.

One way to achieve this is with a Map where the keys are the known issuers:
```java
// managerOne and managerTwo are ReactiveAuthenticationManager instances, one per issuer
Map<String, ReactiveAuthenticationManager> authenticationManagers = new HashMap<>();
authenticationManagers.put("https://issuerOne.example.org", managerOne);
authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
// An issuer that is not a key in the Map resolves to an empty Mono
JwtIssuerReactiveAuthenticationManagerResolver resolver = new JwtIssuerReactiveAuthenticationManagerResolver(
        (issuer) -> Mono.justOrEmpty(authenticationManagers.get(issuer)));
```
The keys in the Map are the trusted issuers.

Parameters:
issuerAuthenticationManagerResolver - a strategy for resolving the ReactiveAuthenticationManager by the issuer

public reactor.core.publisher.Mono<org.springframework.security.authentication.ReactiveAuthenticationManager> resolve(org.springframework.web.server.ServerWebExchange exchange)

Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token

Specified by:
resolve in interface org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>

Throws:
org.springframework.security.oauth2.core.OAuth2AuthenticationException - if the bearer token is malformed or a ReactiveAuthenticationManager can't be derived from the issuer
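
Added example (not from the Spring Security Javadoc or source): a custom issuer resolver for the ReactiveAuthenticationManagerResolver<java.lang.String> constructor described above, which checks an allow list before it builds a manager from the issuer's discovery metadata. The class name `AllowListedIssuerResolver` is hypothetical, and the code assumes the Spring Security OAuth2 resource server and jose modules plus Reactor on the classpath.

```java
import java.time.Duration;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtReactiveAuthenticationManager;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

// Hypothetical class for illustration; pass an instance to
// new JwtIssuerReactiveAuthenticationManagerResolver(...).
public final class AllowListedIssuerResolver implements ReactiveAuthenticationManagerResolver<String> {

    private final Set<String> trustedIssuers;
    private final Map<String, Mono<ReactiveAuthenticationManager>> managers = new ConcurrentHashMap<>();

    public AllowListedIssuerResolver(Collection<String> trustedIssuers) {
        // Immutable snapshot, so later changes to the caller's collection have no effect.
        this.trustedIssuers = Collections.unmodifiableSet(new HashSet<>(trustedIssuers));
    }

    @Override
    public Mono<ReactiveAuthenticationManager> resolve(String issuer) {
        // The issuer comes from a token whose signature has not been verified yet,
        // so it is compared (exact string match) before any network call is made.
        if (issuer == null || !this.trustedIssuers.contains(issuer)) {
            return Mono.empty(); // same outcome as a missing key in the Map example
        }
        return this.managers.computeIfAbsent(issuer, this::discover);
    }

    private Mono<ReactiveAuthenticationManager> discover(String issuer) {
        // fromIssuerLocation performs blocking HTTP discovery; keep it off the event loop.
        return Mono.<ReactiveAuthenticationManager>fromCallable(
                () -> new JwtReactiveAuthenticationManager(ReactiveJwtDecoders.fromIssuerLocation(issuer)))
            .subscribeOn(Schedulers.boundedElastic())
            // Keep a successful result; retry discovery on the next request after a failure.
            .cache(manager -> Duration.ofMillis(Long.MAX_VALUE), ex -> Duration.ZERO, () -> Duration.ZERO);
    }
}
```

Because the allow-list check runs first, a token naming an unlisted issuer never causes the resource server to contact that issuer's endpoints.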