Class ServletOAuth2AuthorizedClientExchangeFilterFunction

All Implemented Interfaces:
org.springframework.web.reactive.function.client.ExchangeFilterFunction

Uses an OAuth2AuthorizedClient to make OAuth 2.0 requests by including the access token as a bearer token.

NOTE: This class is intended to be used in a Servlet environment.
Example usage:

    // oauth2AuthorizedClient(...) is the static helper
    // ServletOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient(OAuth2AuthorizedClient),
    // imported statically here; it places the client in the request attributes.
    ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
            new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
    WebClient webClient = WebClient.builder()
            .apply(oauth2.oauth2Configuration())
            .build();
    Mono<String> response = webClient
            .get()
            .uri(uri)
            .attributes(oauth2AuthorizedClient(authorizedClient))
            // ...
            .retrieve()
            .bodyToMono(String.class);
Authentication and Authorization Failures

Since 5.3, this filter function has the ability to forward authentication (HTTP 401 Unauthorized) and authorization (HTTP 403 Forbidden) failures from an OAuth 2.0 Resource Server to an OAuth2AuthorizationFailureHandler. A RemoveAuthorizedClientOAuth2AuthorizationFailureHandler can be used to remove the cached OAuth2AuthorizedClient, so that future requests will result in a new token being retrieved from an Authorization Server and sent to the Resource Server.

If the ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, OAuth2AuthorizedClientRepository) constructor is used, a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler will be configured automatically.

If the ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager) constructor is used, a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler will NOT be configured automatically. It is recommended that you configure one via setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler).
Constructor Summary

ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager authorizedClientManager)
    Constructs a ServletOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository authorizedClientRepository)
    Constructs a ServletOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.
Method Summary

Modifier and Type | Method | Description

static Consumer<Map<String,Object>>
    authentication(Authentication authentication)
    Modifies the ClientRequest.attributes() to include the Authentication used to look up and save the OAuth2AuthorizedClient.

static Consumer<Map<String,Object>>
    clientRegistrationId(String clientRegistrationId)
    Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.

Consumer<org.springframework.web.reactive.function.client.WebClient.RequestHeadersSpec<?>>
    defaultRequest()
    Provides defaults for the HttpServletRequest and the HttpServletResponse using RequestContextHolder.

reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse>
    filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)

static Consumer<Map<String,Object>>
    httpServletRequest(jakarta.servlet.http.HttpServletRequest request)
    Modifies the ClientRequest.attributes() to include the HttpServletRequest used to look up and save the OAuth2AuthorizedClient.

static Consumer<Map<String,Object>>
    httpServletResponse(jakarta.servlet.http.HttpServletResponse response)
    Modifies the ClientRequest.attributes() to include the HttpServletResponse used to save the OAuth2AuthorizedClient.

static Consumer<Map<String,Object>>
    oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
    Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token.

Consumer<org.springframework.web.reactive.function.client.WebClient.Builder>
    oauth2Configuration()
    Configures the builder with defaultRequest() and adds this as an ExchangeFilterFunction.

void
    setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler authorizationFailureHandler)
    Sets the OAuth2AuthorizationFailureHandler that handles authentication and authorization failures when communicating with the OAuth 2.0 Resource Server.

void
    setDefaultClientRegistrationId(String clientRegistrationId)
    If set, will be used as the default ClientRegistration.getRegistrationId().

void
    setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
    If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication.

void
    setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
    Sets the SecurityContextHolderStrategy to use.

Methods inherited from class java.lang.Object
    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.web.reactive.function.client.ExchangeFilterFunction
    andThen, apply
Constructor Details

ServletOAuth2AuthorizedClientExchangeFilterFunction
public ServletOAuth2AuthorizedClientExchangeFilterFunction()

ServletOAuth2AuthorizedClientExchangeFilterFunction
public ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager authorizedClientManager)
Constructs a ServletOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

When this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will NOT be forwarded to an OAuth2AuthorizationFailureHandler. Therefore, future requests to the Resource Server will most likely use the same (likely invalid) token, resulting in the same errors returned from the Resource Server. It is recommended to configure a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler via setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler) so that authentication and authorization failures returned from a Resource Server will result in removing the authorized client, so that a new token is retrieved for future requests.

Parameters:
    authorizedClientManager - the OAuth2AuthorizedClientManager which manages the authorized client(s)
Since:
    5.2

ServletOAuth2AuthorizedClientExchangeFilterFunction
public ServletOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository authorizedClientRepository)
Constructs a ServletOAuth2AuthorizedClientExchangeFilterFunction using the provided parameters.

Since 5.3, when this constructor is used, authentication (HTTP 401) and authorization (HTTP 403) failures returned from an OAuth 2.0 Resource Server will be forwarded to a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler, which will potentially remove the OAuth2AuthorizedClient from the given OAuth2AuthorizedClientRepository, depending on the OAuth 2.0 error code returned. Authentication failures returned from an OAuth 2.0 Resource Server typically indicate that the token is invalid and should not be used in future requests. Removing the authorized client from the repository ensures that the existing token will not be sent for future requests to the Resource Server, and that a new token is retrieved from the Authorization Server and used for future requests to the Resource Server.

Parameters:
    clientRegistrationRepository - the repository of client registrations
    authorizedClientRepository - the repository of authorized clients
Method Details

setDefaultOAuth2AuthorizedClient
public void setDefaultOAuth2AuthorizedClient(boolean defaultOAuth2AuthorizedClient)
If true, a default OAuth2AuthorizedClient can be discovered from the current Authentication. It is recommended to be cautious with this feature since all HTTP requests will receive the access token if it can be resolved from the current Authentication.

Parameters:
    defaultOAuth2AuthorizedClient - true if a default OAuth2AuthorizedClient should be used, else false. Default is false.
setDefaultClientRegistrationId
public void setDefaultClientRegistrationId(String clientRegistrationId)
If set, will be used as the default ClientRegistration.getRegistrationId(). It is recommended to be cautious with this feature since all HTTP requests will receive the access token.

Parameters:
    clientRegistrationId - the id to use
setSecurityContextHolderStrategy
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)
Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.

Since:
    5.8
oauth2Configuration
public Consumer<org.springframework.web.reactive.function.client.WebClient.Builder> oauth2Configuration()
Configures the builder with defaultRequest() and adds this as an ExchangeFilterFunction.

Returns:
    the Consumer to configure the builder
defaultRequest
public Consumer<org.springframework.web.reactive.function.client.WebClient.RequestHeadersSpec<?>> defaultRequest()
Provides defaults for the HttpServletRequest and the HttpServletResponse using RequestContextHolder. It also provides defaults for the Authentication using SecurityContextHolder. It can also default the OAuth2AuthorizedClient using the clientRegistrationId(String) or the authentication(Authentication).

Returns:
    the Consumer to populate the attributes
oauth2AuthorizedClient
public static Consumer<Map<String,Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient authorizedClient)
Modifies the ClientRequest.attributes() to include the OAuth2AuthorizedClient to be used for providing the Bearer Token.

Parameters:
    authorizedClient - the OAuth2AuthorizedClient to use.
Returns:
    the Consumer to populate the attributes
clientRegistrationId
public static Consumer<Map<String,Object>> clientRegistrationId(String clientRegistrationId)
Modifies the ClientRequest.attributes() to include the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.

Parameters:
    clientRegistrationId - the ClientRegistration.getRegistrationId() to be used to look up the OAuth2AuthorizedClient.
Returns:
    the Consumer to populate the attributes
authentication
public static Consumer<Map<String,Object>> authentication(Authentication authentication)
Modifies the ClientRequest.attributes() to include the Authentication used to look up and save the OAuth2AuthorizedClient. The value is defaulted in defaultRequest().

Parameters:
    authentication - the Authentication to use.
Returns:
    the Consumer to populate the attributes
httpServletRequest
public static Consumer<Map<String,Object>> httpServletRequest(jakarta.servlet.http.HttpServletRequest request)
Modifies the ClientRequest.attributes() to include the HttpServletRequest used to look up and save the OAuth2AuthorizedClient. The value is defaulted in defaultRequest().

Parameters:
    request - the HttpServletRequest to use.
Returns:
    the Consumer to populate the attributes
httpServletResponse
public static Consumer<Map<String,Object>> httpServletResponse(jakarta.servlet.http.HttpServletResponse response)
Modifies the ClientRequest.attributes() to include the HttpServletResponse used to save the OAuth2AuthorizedClient. The value is defaulted in defaultRequest().

Parameters:
    response - the HttpServletResponse to use.
Returns:
    the Consumer to populate the attributes
setAuthorizationFailureHandler
public void setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler authorizationFailureHandler)
Sets the OAuth2AuthorizationFailureHandler that handles authentication and authorization failures when communicating with the OAuth 2.0 Resource Server.

For example, a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler is typically used to remove the cached OAuth2AuthorizedClient, so that the same token is no longer used in future requests to the Resource Server.

The failure handler used by default depends on which constructor was used to construct this ServletOAuth2AuthorizedClientExchangeFilterFunction. See the constructors for more details.

Parameters:
    authorizationFailureHandler - the OAuth2AuthorizationFailureHandler that handles authentication and authorization failures
Since:
    5.3
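As an added example that is not part of the Spring Security Javadoc, the following configuration uses the OAuth2AuthorizedClientManager constructor (which installs no failure handler) and wires a RemoveAuthorizedClientOAuth2AuthorizationFailureHandler by hand, while leaving setDefaultOAuth2AuthorizedClient and setDefaultClientRegistrationId unset so the bearer token is attached only to requests that opt in via clientRegistrationId(String). The class name, the "api" registration id and the resource server URL are assumptions.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.RemoveAuthorizedClientOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;

// Added example, not the Javadoc's own code. Assumes OAuth2AuthorizedClientManager and
// OAuth2AuthorizedClientRepository beans exist and a registration with id "api" is configured.
@Configuration
public class ApiWebClientConfig {
    @Bean
    WebClient apiWebClient(OAuth2AuthorizedClientManager manager,
                           OAuth2AuthorizedClientRepository authorizedClients) {
        // The manager-based constructor installs NO failure handler (see constructor details),
        // so a 401/403 would otherwise keep replaying the same rejected token.
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        // Evict the cached OAuth2AuthorizedClient when the resource server rejects the token.
        // The filter passes the HttpServletRequest/Response in the attributes map keyed by class name.
        oauth2.setAuthorizationFailureHandler(
                new RemoveAuthorizedClientOAuth2AuthorizationFailureHandler(
                        (registrationId, principal, attributes) -> authorizedClients.removeAuthorizedClient(
                                registrationId, principal,
                                (HttpServletRequest) attributes.get(HttpServletRequest.class.getName()),
                                (HttpServletResponse) attributes.get(HttpServletResponse.class.getName()))));
        // Deliberately no setDefaultOAuth2AuthorizedClient(true) / setDefaultClientRegistrationId:
        // only requests that opt in (see fetchProfile) carry the access token.
        return WebClient.builder()
                .apply(oauth2.oauth2Configuration())
                .build();
    }

    // Opt a single request in by naming the registration whose token it may carry.
    static Mono<String> fetchProfile(WebClient apiWebClient) {
        return apiWebClient.get()
                .uri("https://api.example.test/me")   // assumed resource server URL
                .attributes(clientRegistrationId("api"))
                .retrieve()
                .bodyToMono(String.class);
    }
}
```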
filter
public reactor.core.publisher.Mono<org.springframework.web.reactive.function.client.ClientResponse> filter(org.springframework.web.reactive.function.client.ClientRequest request, org.springframework.web.reactive.function.client.ExchangeFunction next)

Specified by:
    filter in interface org.springframework.web.reactive.function.client.ExchangeFilterFunction