Reactive X.509 驗證

Servlet X.509 驗證類似,反應式 x509 驗證過濾器允許從用戶端提供的憑證中提取驗證權杖。

以下範例顯示反應式 x509 安全性組態

  • Java

  • Kotlin

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
	http
		.x509(withDefaults())
		.authorizeExchange(exchanges -> exchanges
		    .anyExchange().permitAll()
		);
	return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        x509 { }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}

在上述組態中,當未提供 principalExtractorauthenticationManager 時,將使用預設值。預設主體提取器為 SubjectDnX509PrincipalExtractor,它從用戶端提供的憑證中提取 CN(通用名稱)欄位。預設驗證管理器為 ReactivePreAuthenticatedAuthenticationManager,它執行使用者帳戶驗證,檢查是否存在具有 principalExtractor 提取的名稱的使用者帳戶,以及該帳戶是否未被鎖定、停用或過期。

以下範例示範如何覆寫這些預設值

  • Java

  • Kotlin

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
	SubjectDnX509PrincipalExtractor principalExtractor =
	        new SubjectDnX509PrincipalExtractor();

	principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");

	ReactiveAuthenticationManager authenticationManager = authentication -> {
		authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));
		return Mono.just(authentication);
	};

	http
		.x509(x509 -> x509
		    .principalExtractor(principalExtractor)
		    .authenticationManager(authenticationManager)
		)
		.authorizeExchange(exchanges -> exchanges
		    .anyExchange().authenticated()
		);
	return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
    val customPrincipalExtractor = SubjectDnX509PrincipalExtractor()
    customPrincipalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)")
    val customAuthenticationManager = ReactiveAuthenticationManager { authentication: Authentication ->
        authentication.isAuthenticated = "Trusted Org Unit" == authentication.name
        Mono.just(authentication)
    }
    return http {
        x509 {
            principalExtractor = customPrincipalExtractor
            authenticationManager = customAuthenticationManager
        }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}

在先前的範例中,使用者名稱是從用戶端憑證的 OU 欄位而不是 CN 中提取的,並且完全不執行使用 ReactiveUserDetailsService 的帳戶查找。相反地,如果提供給 OU 名為「Trusted Org Unit」的憑證,則請求會通過驗證。

如需設定 Netty 和 WebClientcurl 命令列工具以使用相互 TLS 並啟用 X.509 驗證的範例,請參閱 github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509