Class ServletOAuth2AuthorizedClientExchangeFilterFunction
- java.lang.Object
-
- org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction
-
- All Implemented Interfaces:
org.springframework.web.reactive.function.client.ExchangeFilterFunction
public final class ServletOAuth2AuthorizedClientExchangeFilterFunction extends java.lang.Object implements org.springframework.web.reactive.function.client.ExchangeFilterFunction
Provides an easy mechanism for using anOAuth2AuthorizedClient
to make OAuth 2.0 requests by including theaccess token
as a bearer token.NOTE:This class is intended to be used in a
Servlet
environment.Example usage:
ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 = new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager); WebClient webClient = WebClient.builder() .apply(oauth2.oauth2Configuration()) .build(); Mono<String> response = webClient .get() .uri(uri) .attributes(oauth2AuthorizedClient(authorizedClient)) // ... .retrieve() .bodyToMono(String.class);
Authentication and Authorization Failures
Since 5.3, this filter function has the ability to forward authentication (HTTP 401 Unauthorized) and authorization (HTTP 403 Forbidden) failures from an OAuth 2.0 Resource Server to a
OAuth2AuthorizationFailureHandler
. ARemoveAuthorizedClientOAuth2AuthorizationFailureHandler
can be used to remove the cachedOAuth2AuthorizedClient
, so that future requests will result in a new token being retrieved from an Authorization Server, and sent to the Resource Server.If the
ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, OAuth2AuthorizedClientRepository)
constructor is used, aRemoveAuthorizedClientOAuth2AuthorizationFailureHandler
will be configured automatically.If the
ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)
constructor is used, aRemoveAuthorizedClientOAuth2AuthorizationFailureHandler
will NOT be configured automatically. It is recommended that you configure one viasetAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler)
.
-
-
Constructor Summary
Constructors Constructor Description ServletOAuth2AuthorizedClientExchangeFilterFunction()
ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager authorizedClientManager)
Constructs aServletOAuth2AuthorizedClientExchangeFilterFunction
using the provided parameters.ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository authorizedClientRepository)
Constructs aServletOAuth2AuthorizedClientExchangeFilterFunction
using the provided parameters.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>>
authentication(Authentication authentication)
Modifies theClientRequest.attributes()
to include theAuthentication
used to look up and save theOAuth2AuthorizedClient
.static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>>
clientRegistrationId(java.lang.String clientRegistrationId)
Modifies theClientRequest.attributes()
to include theClientRegistration.getRegistrationId()
to be used to look up theOAuth2AuthorizedClient
.java.util.function.Consumer<org.springframework.web.reactive.function.client.WebClient.RequestHeadersSpec<?>>
defaultRequest()
Provides defaults for theHttpServletRequest
and theHttpServletResponse
usingRequestContextHolder
.reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse>
filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)
static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>>
httpServletRequest(javax.servlet.http.HttpServletRequest request)
Modifies theClientRequest.attributes()
to include theHttpServletRequest
used to look up and save theOAuth2AuthorizedClient
.static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>>
httpServletResponse(javax.servlet.http.HttpServletResponse response)
Modifies theClientRequest.attributes()
to include theHttpServletResponse
used to save theOAuth2AuthorizedClient
.static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>>
oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
Modifies theClientRequest.attributes()
to include theOAuth2AuthorizedClient
to be used for providing the Bearer Token.java.util.function.Consumer<org.springframework.web.reactive.function.client.WebClient.Builder>
oauth2Configuration()
Configures the builder withdefaultRequest()
and adds this as aExchangeFilterFunction
void
setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew)
Deprecated.TheaccessTokenExpiresSkew
should be configured with the specificOAuth2AuthorizedClientProvider
implementation, e.g.void
setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler authorizationFailureHandler)
Sets theOAuth2AuthorizationFailureHandler
that handles authentication and authorization failures when communicating to the OAuth 2.0 Resource Server.void
setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient)
Deprecated.void
setDefaultClientRegistrationId(java.lang.String clientRegistrationId)
If set, will be used as the defaultClientRegistration.getRegistrationId()
.void
setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
If true, a defaultOAuth2AuthorizedClient
can be discovered from the current Authentication.
-
-
-
Constructor Detail
-
ServletOAuth2AuthorizedClientExchangeFilterFunction
public ServletOAuth2AuthorizedClientExchangeFilterFunction()
-
ServletOAuth2AuthorizedClientExchangeFilterFunction
public ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager authorizedClientManager)
Constructs aServletOAuth2AuthorizedClientExchangeFilterFunction
using the provided parameters.When this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will NOT be forwarded to an
OAuth2AuthorizationFailureHandler
. Therefore, future requests to the Resource Server will most likely use the same (likely invalid) token, resulting in the same errors returned from the Resource Server. It is recommended to configure aRemoveAuthorizedClientOAuth2AuthorizationFailureHandler
viasetAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler)
so that authentication and authorization failures returned from a Resource Server will result in removing the authorized client, so that a new token is retrieved for future requests.- Parameters:
authorizedClientManager
- theOAuth2AuthorizedClientManager
which manages the authorized client(s)- Since:
- 5.2
-
ServletOAuth2AuthorizedClientExchangeFilterFunction
public ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository authorizedClientRepository)
Constructs aServletOAuth2AuthorizedClientExchangeFilterFunction
using the provided parameters.Since 5.3, when this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will be forwarded to a
RemoveAuthorizedClientOAuth2AuthorizationFailureHandler
, which will potentially remove theOAuth2AuthorizedClient
from the givenOAuth2AuthorizedClientRepository
, depending on the OAuth 2.0 error code returned. Authentication failures returned from an OAuth 2.0 Resource Server typically indicate that the token is invalid, and should not be used in future requests. Removing the authorized client from the repository will ensure that the existing token will not be sent for future requests to the Resource Server, and a new token is retrieved from the Authorization Server and used for future requests to the Resource Server.- Parameters:
clientRegistrationRepository
- the repository of client registrationsauthorizedClientRepository
- the repository of authorized clients
-
-
Method Detail
-
setClientCredentialsTokenResponseClient
@Deprecated public void setClientCredentialsTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient)
Deprecated.UseServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)
instead. Create an instance ofClientCredentialsOAuth2AuthorizedClientProvider
configured with aDefaultClientCredentialsTokenResponseClient
(or a custom one) and than supply it toDefaultOAuth2AuthorizedClientManager
.Sets theOAuth2AccessTokenResponseClient
used for getting anOAuth2AuthorizedClient
for the client_credentials grant.- Parameters:
clientCredentialsTokenResponseClient
- the client to use
-
setDefaultOAuth2AuthorizedClient
public void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
If true, a defaultOAuth2AuthorizedClient
can be discovered from the current Authentication. It is recommended to be cautious with this feature since all HTTP requests will receive the access token if it can be resolved from the current Authentication.- Parameters:
defaultOAuth2AuthorizedClient
- true if a defaultOAuth2AuthorizedClient
should be used, else false. Default is false.
-
setDefaultClientRegistrationId
public void setDefaultClientRegistrationId(java.lang.String clientRegistrationId)
If set, will be used as the defaultClientRegistration.getRegistrationId()
. It is recommended to be cautious with this feature since all HTTP requests will receive the access token.- Parameters:
clientRegistrationId
- the id to use
-
oauth2Configuration
public java.util.function.Consumer<org.springframework.web.reactive.function.client.WebClient.Builder> oauth2Configuration()
Configures the builder withdefaultRequest()
and adds this as aExchangeFilterFunction
- Returns:
- the
Consumer
to configure the builder
-
defaultRequest
public java.util.function.Consumer<org.springframework.web.reactive.function.client.WebClient.RequestHeadersSpec<?>> defaultRequest()
Provides defaults for theHttpServletRequest
and theHttpServletResponse
usingRequestContextHolder
. It also provides defaults for theAuthentication
usingSecurityContextHolder
. It also can default theOAuth2AuthorizedClient
using theclientRegistrationId(String)
or theauthentication(Authentication)
.- Returns:
- the
Consumer
to populate the attributes
-
oauth2AuthorizedClient
public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
Modifies theClientRequest.attributes()
to include theOAuth2AuthorizedClient
to be used for providing the Bearer Token.- Parameters:
authorizedClient
- theOAuth2AuthorizedClient
to use.- Returns:
- the
Consumer
to populate the attributes
-
clientRegistrationId
public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> clientRegistrationId(java.lang.String clientRegistrationId)
Modifies theClientRequest.attributes()
to include theClientRegistration.getRegistrationId()
to be used to look up theOAuth2AuthorizedClient
.- Parameters:
clientRegistrationId
- theClientRegistration.getRegistrationId()
to be used to look up theOAuth2AuthorizedClient
.- Returns:
- the
Consumer
to populate the attributes
-
authentication
public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> authentication(Authentication authentication)
Modifies theClientRequest.attributes()
to include theAuthentication
used to look up and save theOAuth2AuthorizedClient
. The value is defaulted indefaultRequest()
- Parameters:
authentication
- theAuthentication
to use.- Returns:
- the
Consumer
to populate the attributes
-
httpServletRequest
public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> httpServletRequest(javax.servlet.http.HttpServletRequest request)
Modifies theClientRequest.attributes()
to include theHttpServletRequest
used to look up and save theOAuth2AuthorizedClient
. The value is defaulted indefaultRequest()
- Parameters:
request
- theHttpServletRequest
to use.- Returns:
- the
Consumer
to populate the attributes
-
httpServletResponse
public static java.util.function.Consumer<java.util.Map<java.lang.String,java.lang.Object>> httpServletResponse(javax.servlet.http.HttpServletResponse response)
Modifies theClientRequest.attributes()
to include theHttpServletResponse
used to save theOAuth2AuthorizedClient
. The value is defaulted indefaultRequest()
- Parameters:
response
- theHttpServletResponse
to use.- Returns:
- the
Consumer
to populate the attributes
-
setAccessTokenExpiresSkew
@Deprecated public void setAccessTokenExpiresSkew(java.time.Duration accessTokenExpiresSkew)
Deprecated.TheaccessTokenExpiresSkew
should be configured with the specificOAuth2AuthorizedClientProvider
implementation, e.g.ClientCredentialsOAuth2AuthorizedClientProvider
orRefreshTokenOAuth2AuthorizedClientProvider
.An access token will be considered expired by comparing its expiration to now + this skewed Duration. The default is 1 minute.- Parameters:
accessTokenExpiresSkew
- the Duration to use.
-
setAuthorizationFailureHandler
public void setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler authorizationFailureHandler)
Sets theOAuth2AuthorizationFailureHandler
that handles authentication and authorization failures when communicating to the OAuth 2.0 Resource Server.For example, a
RemoveAuthorizedClientOAuth2AuthorizationFailureHandler
is typically used to remove the cachedOAuth2AuthorizedClient
, so that the same token is no longer used in future requests to the Resource Server.The failure handler used by default depends on which constructor was used to construct this
ServletOAuth2AuthorizedClientExchangeFilterFunction
. See the constructors for more details.- Parameters:
authorizationFailureHandler
- theOAuth2AuthorizationFailureHandler
that handles authentication and authorization failures- Since:
- 5.3
-
filter
public reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)
- Specified by:
filter
in interfaceorg.springframework.web.reactive.function.client.ExchangeFilterFunction
-
-