Skip to content

Spring 中文文档社区
Spring 中文文档社区

liujuanjuan520 / Spring 中文文档社区
与 Fork 源项目一致

Fork自 开发云 / Spring 中文文档社区

通知 1
Star 0
Fork 0
Spring 中文文档社区
Spring 中文文档社区

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
reactive-authentication-x509.md 3.3 KB
Newer Older
dallascao's avatar
white MT translated  
dallascao 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 
# 反应式 X.509 认证

[Servlet X.509 authentication](../../servlet/authentication/x509.html#servlet-x509)类似,Active X509 身份验证过滤器允许从客户端提供的证书中提取身份验证令牌。

下面是一个反应式 X509 安全配置的示例:

爪哇

```
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
	http
		.x509(withDefaults())
		.authorizeExchange(exchanges -> exchanges
		    .anyExchange().permitAll()
		);
	return http.build();
}
```

Kotlin

```
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        x509 { }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}
```

在上面的配置中,当`principalExtractor``authenticationManager`都不提供时,将使用默认值。默认的主体提取器是`SubjectDnX509PrincipalExtractor`,它从客户机提供的证书中提取 CN(通用名称)字段。默认的身份验证管理器是`ReactivePreAuthenticatedAuthenticationManager`,它执行用户帐户验证,检查具有`principalExtractor`提取的名称的用户帐户是否存在,并且该帐户没有被锁定、禁用或过期。

下一个示例演示了如何重写这些默认值。

爪哇

```
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
	SubjectDnX509PrincipalExtractor principalExtractor =
	        new SubjectDnX509PrincipalExtractor();

	principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");

	ReactiveAuthenticationManager authenticationManager = authentication -> {
		authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));
		return Mono.just(authentication);
	};

	http
		.x509(x509 -> x509
		    .principalExtractor(principalExtractor)
		    .authenticationManager(authenticationManager)
		)
		.authorizeExchange(exchanges -> exchanges
		    .anyExchange().authenticated()
		);
	return http.build();
}
```

Kotlin

```
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
    val customPrincipalExtractor = SubjectDnX509PrincipalExtractor()
    customPrincipalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)")
    val customAuthenticationManager = ReactiveAuthenticationManager { authentication: Authentication ->
        authentication.isAuthenticated = "Trusted Org Unit" == authentication.name
        Mono.just(authentication)
    }
    return http {
        x509 {
            principalExtractor = customPrincipalExtractor
            authenticationManager = customAuthenticationManager
        }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}
```

在此示例中,从客户端证书的 OU 字段中提取用户名,而不是从 CN 中提取用户名,并且根本不执行使用`ReactiveUserDetailsService`的帐户查找。相反,如果将提供的证书颁发给名为“可信的组织单元”的 OU,则将对请求进行身份验证。

有关配置 Netty 和`WebClient``curl`命令行工具以使用相互 TLS 并启用 X.509 身份验证的示例,请参见[https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509](https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509)