Provide auto-configuration for WebFlux-based security #9925
Comments
This is already planned, although we don't appear to have a specific issue for it. We can use this one. Spring Security's WebFlux support is still a work in progress so this can't be implemented at the moment. We may be able to do this in M5, but it certainly won't be in M4.
@rwinch We started to investigate how the auto-configuration for reactive security might look and hit a few things in the Spring Security code that might want to be reorganized. Specifically, classes from A few good examples are I'm not sure on the best strategy for keeping these types distinct. I guess you could use In Boot we faced a similar problem with the server support. We decided to organize things primarily by package. We also put checkstyle import rules in place to ensure that servlet/reactive classes weren't accidentally used in the wrong place. Perhaps the Framework team might also have some advice about how they structured things.
Can you elaborate on the problem?
This is not consistent with Spring Framework either. They have reactor treated as an optional dependency in quite a few places (spring-core, spring-web, spring-messaging, ...).
As far as I'm aware we are rather consistent with how Framework structured reactive. When speaking with them, they chose different names for the reactive counterparts, but at times create the same class name in different packages. Honestly, I've considered having a Reactive prefix to the Reactive APIs (like Spring Data) but I'm not entirely sold on this approach either.
I think I was worried that it will start to get hard to describe when certain variations should be used. For example, There is the
Yes that's true, I guess moving stuff to
They seem to have quite an interesting approach. They have a lot of
Some of those are still grouped at the package level ( I really don't see a perfect solution, and it's a super hard problem to solve. Perhaps as more things get added it'll be clearer to see how to organize things. I just wanted to give you a heads-up that it might want some consideration.
@philwebb Thanks for the additional information
I've considered Overall, I'm not entirely convinced I like this advice but up until now I have tried to follow it. I like the idea of
Personally, I think this is less of an issue. If you are in a reactive application, you need to have reactive responses (i.e.
Thanks for the heads up. It is very much appreciated and on my mind. I mostly wanted to be certain we weren't holding up Spring Boot's progress on reactive Spring Security integration.
When I created a Spring Boot 2.0.0.M3 project, I found the existing security starter did not include spring-security-webflux. I had to add this artifact explicitly in pom.xml. I think it is better to create a spring-boot-starter-security-webflux starter to add spring-security-webflux into project dependencies and take over the responsibility of @EnableWebFluxSecurity.