Reactive X.509 Authentication

Servlet X.509 authentication类似,响应式 x509 认证过滤器允许从客户端提供的证书中提取认证令牌。

下面的示例展示了一个响应式 x509 安全配置:

  • Java

  • Kotlin

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
	http
		.x509(withDefaults())
		.authorizeExchange(exchanges -> exchanges
		    .anyExchange().permitAll()
		);
	return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        x509 { }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}

在前面的配置中,当既未提供 principalExtractor 也未提供 authenticationManager 时,将使用默认设置。默认 principal 提取器为 SubjectDnX509PrincipalExtractor,它从客户端提供的证书中提取 CN(通用名称)字段。默认认证管理器为 ReactivePreAuthenticatedAuthenticationManager,它执行用户帐户验证,即检查是否存在由 principalExtractor 提取的名称且未锁定、未禁用或未过期。

下面的示例演示了如何重写这些默认值:

  • Java

  • Kotlin

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
	SubjectDnX509PrincipalExtractor principalExtractor =
	        new SubjectDnX509PrincipalExtractor();

	principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");

	ReactiveAuthenticationManager authenticationManager = authentication -> {
		authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));
		return Mono.just(authentication);
	};

	http
		.x509(x509 -> x509
		    .principalExtractor(principalExtractor)
		    .authenticationManager(authenticationManager)
		)
		.authorizeExchange(exchanges -> exchanges
		    .anyExchange().authenticated()
		);
	return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
    val customPrincipalExtractor = SubjectDnX509PrincipalExtractor()
    customPrincipalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)")
    val customAuthenticationManager = ReactiveAuthenticationManager { authentication: Authentication ->
        authentication.isAuthenticated = "Trusted Org Unit" == authentication.name
        Mono.just(authentication)
    }
    return http {
        x509 {
            principalExtractor = customPrincipalExtractor
            authenticationManager = customAuthenticationManager
        }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}

在上个示例中,用户名是从客户端证书的 OU 字段中提取的,而不是 CN,并且根本不使用 ReactiveUserDetailsService 执行帐户查找。而如果提供给名为 “Trusted Org Unit” 的 OU 的证书,则对此请求进行认证。

关于如何配置Netty和`WebClient`或`curl`命令行工具以使用双向TLS并启用X.509身份验证,请参阅[role="bare"][role="bare"]https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509。