Class JwtIssuerReactiveAuthenticationManagerResolver
java.lang.Object
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver
- All Implemented Interfaces:
ReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>
public final class JwtIssuerReactiveAuthenticationManagerResolver
extends Object
implements ReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>
An implementation of
ReactiveAuthenticationManagerResolver that resolves a
JWT-based ReactiveAuthenticationManager based on the Issuer in
a signed JWT (JWS).
To use, this class must be able to determine whether the `iss` claim is trusted. Recall
that anyone can stand up an authorization server and issue valid tokens to a resource
server. The simplest way to achieve this is to supply a set of trusted issuers in the
constructor.
This class derives the Issuer from the `iss` claim found in the
ServerWebExchange's
Bearer
Token.- Since:
- 5.3
-
Constructor Summary
ConstructorsConstructorDescriptionJwtIssuerReactiveAuthenticationManagerResolver(String... trustedIssuers) Deprecated, for removal: This API element is subject to removal in a future version.JwtIssuerReactiveAuthenticationManagerResolver(Collection<String> trustedIssuers) Deprecated, for removal: This API element is subject to removal in a future version.JwtIssuerReactiveAuthenticationManagerResolver(ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parameters Note that theReactiveAuthenticationManagerResolverprovided in this constructor will need to verify that the issuer is trusted. -
Method Summary
Modifier and TypeMethodDescriptionfromTrustedIssuers(String... trustedIssuers) Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parametersfromTrustedIssuers(Collection<String> trustedIssuers) Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parametersfromTrustedIssuers(Predicate<String> trustedIssuers) Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parametersreactor.core.publisher.Mono<ReactiveAuthenticationManager>resolve(org.springframework.web.server.ServerWebExchange exchange) Return anAuthenticationManagerbased off of the `iss` claim found in the request's bearer token
-
Constructor Details
-
JwtIssuerReactiveAuthenticationManagerResolver
@Deprecated(since="6.2", forRemoval=true) public JwtIssuerReactiveAuthenticationManagerResolver(String... trustedIssuers) Deprecated, for removal: This API element is subject to removal in a future version.Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- an array of trusted issuers
-
JwtIssuerReactiveAuthenticationManagerResolver
@Deprecated(since="6.2", forRemoval=true) public JwtIssuerReactiveAuthenticationManagerResolver(Collection<String> trustedIssuers) Deprecated, for removal: This API element is subject to removal in a future version.Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- a collection of trusted issuers
-
JwtIssuerReactiveAuthenticationManagerResolver
public JwtIssuerReactiveAuthenticationManagerResolver(ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parameters Note that theReactiveAuthenticationManagerResolverprovided in this constructor will need to verify that the issuer is trusted. This should be done via an allowed set of issuers. One way to achieve this is with aMapwhere the keys are the known issuers:Map<String, ReactiveAuthenticationManager> authenticationManagers = new HashMap<>(); authenticationManagers.put("https://issuerOne.example.org", managerOne); authenticationManagers.put("https://issuerTwo.example.org", managerTwo); JwtIssuerReactiveAuthenticationManagerResolver resolver = new JwtIssuerReactiveAuthenticationManagerResolver ((issuer) -> Mono.justOrEmpty(authenticationManagers.get(issuer));The keys in theMapare the trusted issuers.- Parameters:
issuerAuthenticationManagerResolver- a strategy for resolving theReactiveAuthenticationManagerby the issuer
-
-
Method Details
-
fromTrustedIssuers
public static JwtIssuerReactiveAuthenticationManagerResolver fromTrustedIssuers(String... trustedIssuers) Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- an array of trusted issuers- Since:
- 6.2
-
fromTrustedIssuers
public static JwtIssuerReactiveAuthenticationManagerResolver fromTrustedIssuers(Collection<String> trustedIssuers) Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- a collection of trusted issuers- Since:
- 6.2
-
fromTrustedIssuers
public static JwtIssuerReactiveAuthenticationManagerResolver fromTrustedIssuers(Predicate<String> trustedIssuers) Construct aJwtIssuerReactiveAuthenticationManagerResolverusing the provided parameters- Parameters:
trustedIssuers- a predicate to validate issuers- Since:
- 6.2
-
resolve
public reactor.core.publisher.Mono<ReactiveAuthenticationManager> resolve(org.springframework.web.server.ServerWebExchange exchange) Return anAuthenticationManagerbased off of the `iss` claim found in the request's bearer token- Specified by:
resolvein interfaceReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>- Throws:
OAuth2AuthenticationException- if the bearer token is malformed or anReactiveAuthenticationManagercan't be derived from the issuer
-
fromTrustedIssuers(String...)