How does @PreAuthorize work in Reactive Application or how to live without ThreadLocal?

Question

How does @PreAuthorize work in Reactive Application or how to live without ThreadLocal?

Can you explain where @PreAuthorize ("hasRole ('ADMIN')") recommendation processing retrieves the SecurityContext in the reactive application?

The following Spring Security example is a good illustration of this use: https://github.com/spring-projects/spring-security/tree/5.0.0.M4/samples/javaconfig/hellowebflux-method

After checking the source code for Spring Security Webflux, I found some implementations of SecurityContextRepository, but I need a parameter for the boot method as the ServerWebExchange parameter.

I am trying to figure out how to replace the call to SecurityContextHolder.getContext (). getAuthentication () in the standard service (since ThreadLocal is no longer an option in the Reactive Application), but I do not understand how to replace this with a call to SecurityContextRepository without reference to ServerWebExchange.

+4

spring security spring-webflux

etiennepeiniau Oct 17 '17 at 14:59

source share

1 answer

Brian Clozel · Accepted Answer · 2017-10-17T16:25:43+0000

You are right, it is ThreadLocalno longer an option, because request processing is not tied to a specific thread.

Spring Security currently stores authentication information as an attribute ServerWebExchangebound to the current side of the request / response. But you still need this information if you do not have direct access to the current exchange, for example @PreAuthorize.

( Mono Flux), Reactor - , Subscriber ( -, HTTP- ).

SecurityContextHolder , .

Reactor . Spring .

How does @PreAuthorize work in Reactive Application or how to live without ThreadLocal?

More articles: