public final class JwtIssuerReactiveAuthenticationManagerResolver
extends java.lang.Object
implements org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>

An implementation of ReactiveAuthenticationManagerResolver that resolves a JWT-based
ReactiveAuthenticationManager based on the Issuer in a signed JWT (JWS).

To use, this class must be able to determine whether or not the `iss` claim is trusted. Recall that
anyone can stand up an authorization server and issue valid tokens to a resource server. The simplest way
to achieve this is to supply a whitelist of trusted issuers in the constructor.
This class derives the Issuer from the `iss` claim found in the ServerWebExchange's
Bearer Token.

| Constructor and Description |
|---|
| `JwtIssuerReactiveAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers)` Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters |
| `JwtIssuerReactiveAuthenticationManagerResolver(org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)` Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters. Note that the ReactiveAuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. |
| `JwtIssuerReactiveAuthenticationManagerResolver(java.lang.String... trustedIssuers)` Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters |

| Modifier and Type | Method and Description |
|---|---|
| `reactor.core.publisher.Mono<org.springframework.security.authentication.ReactiveAuthenticationManager>` | `resolve(org.springframework.web.server.ServerWebExchange exchange)` Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token |

public JwtIssuerReactiveAuthenticationManagerResolver(java.lang.String... trustedIssuers)

Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters

trustedIssuers - a whitelist of trusted issuers

public JwtIssuerReactiveAuthenticationManagerResolver(java.util.Collection<java.lang.String> trustedIssuers)

Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters

trustedIssuers - a whitelist of trusted issuers

public JwtIssuerReactiveAuthenticationManagerResolver(org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)

Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters

Note that the ReactiveAuthenticationManagerResolver provided in this constructor will need to
verify that the issuer is trusted. This should be done via a whitelist.
One way to achieve this is with a Map where the keys are the known issuers:

```java
Map<String, ReactiveAuthenticationManager> authenticationManagers = new HashMap<>();
authenticationManagers.put("https://issuerOne.example.org", managerOne);
authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
// Issuers that are not keys in the Map resolve to an empty Mono
JwtIssuerReactiveAuthenticationManagerResolver resolver = new JwtIssuerReactiveAuthenticationManagerResolver
    (issuer -> Mono.justOrEmpty(authenticationManagers.get(issuer)));
```

The keys in the Map are the whitelist.

issuerAuthenticationManagerResolver - a strategy for resolving the ReactiveAuthenticationManager
by the issuer

public reactor.core.publisher.Mono<org.springframework.security.authentication.ReactiveAuthenticationManager> resolve(org.springframework.web.server.ServerWebExchange exchange)

Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token

resolve in interface org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>

org.springframework.security.oauth2.core.OAuth2AuthenticationException - if the bearer token is malformed or a ReactiveAuthenticationManager
can't be derived from the issuer
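
A WebFlux configuration that wires the issuer-to-manager constructor described above into a resource server, as an added example that is not part of the original Javadoc or the project's own code. The class name `MultiIssuerSecurityConfig`, the placeholder issuer URLs, and the choice of `ReactiveJwtDecoders.fromIssuerLocation` to build each manager are assumptions; `Collectors.toUnmodifiableMap` needs Java 10 or later.

```java
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver;
import org.springframework.security.oauth2.server.resource.authentication.JwtReactiveAuthenticationManager;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class MultiIssuerSecurityConfig { // hypothetical class name

    // Fixed at deploy time (placeholder URLs); never derived from request data.
    private static final String[] TRUSTED_ISSUERS = {
        "https://issuerOne.example.org", "https://issuerTwo.example.org" };

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // One manager per trusted issuer, built once at startup from that
        // issuer's OpenID Provider Configuration (assumed to be reachable).
        Map<String, ReactiveAuthenticationManager> managers = Stream.of(TRUSTED_ISSUERS)
            .collect(Collectors.toUnmodifiableMap(iss -> iss,
                iss -> new JwtReactiveAuthenticationManager(ReactiveJwtDecoders.fromIssuerLocation(iss))));

        // Hardened: exact-match lookup. An unknown issuer yields an empty Mono,
        // which resolve() reports as an OAuth2AuthenticationException.
        JwtIssuerReactiveAuthenticationManagerResolver resolver =
            new JwtIssuerReactiveAuthenticationManagerResolver(
                issuer -> Mono.justOrEmpty(managers.get(issuer)));

        // Weak form, shown only for contrast: this builds a decoder from whatever
        // issuer the token names, so tokens from any authorization server validate.
        //   issuer -> Mono.just(new JwtReactiveAuthenticationManager(
        //                 ReactiveJwtDecoders.fromIssuerLocation(issuer)))

        return http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver))
            .build();
    }
}
```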