Comments (4)
darmandovargas3
commented on July 27, 2024
5
Hi Hantsy
I think I finally make it work in my local, I had to add not only .csrf().disable() but also this .httpBasic(), here is my SecurityConfig file:
`package com.example.demo;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;
@EnableWebFluxSecurity
class SecurityConfig {
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
return http
.csrf().disable()
.authorizeExchange()
.pathMatchers(HttpMethod.GET, "/posts/**").permitAll()
.pathMatchers(HttpMethod.DELETE, "/posts/**").hasRole("ADMIN")
.pathMatchers("/posts/**").authenticated()
.anyExchange().permitAll()
.and()
.httpBasic()
//.pathMatchers("/users/{user}/**").access(this::currentUserMatchesPath)
.and()
.build();
}
private Mono<AuthorizationDecision> currentUserMatchesPath(Mono<Authentication> authentication, AuthorizationContext context) {
return authentication
.map(a -> context.getVariables().get("user").equals(a.getName()))
.map(granted -> new AuthorizationDecision(granted));
}
@Bean
public MapReactiveUserDetailsService userDetailsRepository() {
UserDetails rob = User.withDefaultPasswordEncoder().username("test").password("test123").roles("USER").build();
UserDetails admin = User.withDefaultPasswordEncoder().username("admin").password("admin123").roles("USER", "ADMIN").build();
return new MapReactiveUserDetailsService(rob, admin);
}
}
`
Any suggestion about it is more than welcome, thanks a lot !
from spring-reactive-sample.
darmandovargas3
commented on July 27, 2024
1
Here is my call just for your information:
CSRF Token has been associated to this clientDiegos-MBP:engine-monitor-speedman-enterprise Diego$ curl -v -X POST http://localhost:8080/posts -u "admin:admin123" -H "Content-Type:application/json" -d "{\ My Post"}"y Post","content":"content of
Note: Unnecessary use of -X or --request, POST is already inferred.
- Trying ::1...
- TCP_NODELAY set
- Connected to localhost (::1) port 8080 (#0)
- Server auth using Basic with user 'admin'
POST /posts HTTP/1.1
Host: localhost:8080
Authorization: Basic YWRtaW46YWRtaW4xMjM=
User-Agent: curl/7.60.0
Accept: /
Content-Type:application/json
Content-Length: 50
- upload completely sent off: 50 out of 50 bytes
< HTTP/1.1 403 Forbidden
< transfer-encoding: chunked
< Content-Type: text/plain
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1 ; mode=block
< Referrer-Policy: no-referrer
< - Connection #0 to host localhost left intact
from spring-reactive-sample.
darmandovargas3
commented on July 27, 2024
Hi Hantsy
I did add this " .csrf().disable()" to the springWebFilterChain, which got rid of the 403 issue, but, now always it returns 401, no matter what username and password I do define in userDetailsRepository and pass them to the curl command:
return http
.csrf().disable()
.authorizeExchange()
.pathMatchers(HttpMethod.GET, "/posts/").permitAll()
.pathMatchers(HttpMethod.DELETE, "/posts/").hasRole("ADMIN")
.pathMatchers("/posts/").authenticated()
//.pathMatchers("/users/{user}/").access(this::currentUserMatchesPath)
.anyExchange().permitAll()
.and()
.build();
This is my UserDetailRepository:
@bean
public MapReactiveUserDetailsService userDetailsRepository() {
UserDetails rob = User.withUsername("test").password("test123").roles("USER").build();
UserDetails admin = User.withUsername("admin").password("admin123").roles("USER", "ADMIN").build();
return new MapReactiveUserDetailsService(rob, admin);
}
and this is my curl call:
curl -v -X POST http://localhost:8080/posts -u "admin:admin123" -H "Content-Type:application/json" -d "{"title":"My Post","content":"content of My Post"}"
This is my response:
Diegos-MBP:engine-monitor-speedman-enterprise Diego$ curl -v -X POST http://localhost:8080/posts -u "admin:admin123" -H "Content-Type:application/json" -d "{"title":"My Post","content":"content of My Post"}"
Note: Unnecessary use of -X or --request, POST is already inferred.
- Trying ::1...
- TCP_NODELAY set
- Connected to localhost (::1) port 8080 (#0)
- Server auth using Basic with user 'admin'
POST /posts HTTP/1.1
Host: localhost:8080
Authorization: Basic YWRtaW46YWRtaW4xMjM=
User-Agent: curl/7.60.0
Accept: /
Content-Type:application/json
Content-Length: 50
- upload completely sent off: 50 out of 50 bytes
< HTTP/1.1 401 Unauthorized - Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Realm"
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1 ; mode=block
< Referrer-Policy: no-referrer
< content-length: 0
< - Connection #0 to host localhost left intact
from spring-reactive-sample.
hantsy
commented on July 27, 2024
@darmandovargas3 Yes, the newest Spring Security reactive added CSRF support. I will review the relative codes.
from spring-reactive-sample.
Related Issues (18)
- spring-boot-starter-data-mongodb-reactive how to limit data HOT 4
- Rsocket sample HOT 1
- session-header project: MapReactiveSessionRepository -> ReactiveMapSessionRepository HOT 1
- Request for WebFilter example that validates the request body HOT 4
- More analysis on performance gain. HOT 3
- @Value("#{@nettyContext.address().getPort()}") HOT 4
- java9 branch ,publisher,reponse timeout HOT 3
- Why don't you use StepVerifier? HOT 3
- Incorrect link in the article HOT 2
- Request for interceptor example HOT 4
- Reactor Kafka example HOT 1
- Reactor RabbitMQ example HOT 1
- Fails to start boot-data-couchbase HOT 3
- A question about onBackpressureBuffer HOT 1
- Fantastic if there was an example of a query scenario with an object join. HOT 1
- The word POST is highly overloaded in this context, consider using something else. HOT 1
- webflux websocket问题 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spring-reactive-sample.