I think ServerHttpBearerAuthenticationConverter should be used only for preparing the token for further processing:

while authenticating the token:

is the responsibility of JWTReactiveAuthenticationManager.

By the way - instead of providing your own implementation of JWTAuthorizationWebFilter, just do:
```java
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.ServerAuthenticationEntryPointFailureHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// JWTAuthenticationManager, ServerHttpBearerAuthenticationConverter and
// UnauthorizedAuthenticationEntryPoint are the project's own classes.
@Component
public class JWTAuthenticationWebFilter extends AuthenticationWebFilter {

    public JWTAuthenticationWebFilter(final JWTAuthenticationManager authenticationManager,
                                      final ServerHttpBearerAuthenticationConverter converter,
                                      final UnauthorizedAuthenticationEntryPoint entryPoint) {
        super(authenticationManager);
        // Extracts the bearer token from the request and builds the Authentication to verify
        setAuthenticationConverter(converter);
        // On failure, delegate to the entry point (e.g. respond 401) instead of the default handler
        setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(entryPoint));
        // This is necessary to match headers. Requests without the JWT header should not be
        // taken into account by this filter
        setRequiresAuthenticationMatcher(new JWTHeadersExchangeMatcher());
    }

    private static class JWTHeadersExchangeMatcher implements ServerWebExchangeMatcher {
        @Override
        public Mono<MatchResult> matches(final ServerWebExchange exchange) {
            return Mono.just(exchange)
                    .map(ServerWebExchange::getRequest)
                    .map(ServerHttpRequest::getHeaders)
                    .filter(h -> h.containsKey("some JWT header"))
                    .flatMap(ignored -> MatchResult.match())
                    .switchIfEmpty(MatchResult.notMatch());
        }
    }
}
```
And don't forget to set:

where

otherwise Spring Security will still display BasicAuth on requests without headers.
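The wiring the comment refers to at the end (registering the filter and switching off HTTP Basic so that requests without the header are not answered with a Basic challenge), as an added example that is not part of the original issue. It assumes the JWTAuthenticationWebFilter and UnauthorizedAuthenticationEntryPoint beans from the comment exist and uses the Spring Security 5.x WebFlux DSL:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    // Both injected beans are the project's own classes from the comment above (assumed to exist).
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(final ServerHttpSecurity http,
                                                            final JWTAuthenticationWebFilter jwtFilter,
                                                            final UnauthorizedAuthenticationEntryPoint entryPoint) {
        return http
                // A bearer-token API keeps no session or cookies, so CSRF protection does not apply
                .csrf().disable()
                // Switch off the defaults that answer an unauthenticated request with a
                // WWW-Authenticate: Basic challenge or a login page
                .httpBasic().disable()
                .formLogin().disable()
                // Unauthenticated access to a protected exchange gets the project's own 401 entry point
                .exceptionHandling().authenticationEntryPoint(entryPoint)
                .and()
                // The JWT filter replaces the standard authentication step; it only runs when the
                // JWT header is present (see JWTHeadersExchangeMatcher), so requests without it
                // fall straight through to the authorization rules below and hit the entry point
                .addFilterAt(jwtFilter, SecurityWebFiltersOrder.AUTHENTICATION)
                .authorizeExchange()
                .anyExchange().authenticated()
                .and()
                .build();
    }
}
```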