Class ReactiveLifecycleAwareSessionManager
- All Implemented Interfaces:
DisposableBean
,ReactiveSessionManager
,VaultTokenSupplier
session
manager
. This ReactiveSessionManager
obtains tokens from an
authentication method
upon request
guaranteeing a token to be obtained only once if multiple threads attempt to
obtain a token concurrently.
Tokens are renewed asynchronously if a token has a lease duration. This happens 5
seconds before the token expires, see LifecycleAwareSessionManagerSupport.REFRESH_PERIOD_BEFORE_EXPIRY
.
This ReactiveSessionManager
also implements DisposableBean
to revoke
the LoginToken
once it's not required anymore. Token revocation will stop
regular token refresh. Tokens are only revoked if the associated
VaultTokenSupplier
returns a service token
.
If Token renewal runs into a client-side error, it assumes the token was revoked/expired. It discards the token state so the next attempt will lead to another login attempt.
By default, VaultToken
are looked up in Vault to determine renewability,
remaining TTL, accessor and type, see LifecycleAwareSessionManagerSupport.setTokenSelfLookupEnabled(boolean)
.
The session manager dispatches authentication events to AuthenticationListener
and AuthenticationErrorListener
.
This class is thread-safe and uses lock-free synchronization.
- Since:
- 2.0
- Author:
- Mark Paluch
- See Also:
-
Nested Class Summary
Modifier and TypeClassDescriptionprotected static class
Wraps aVaultToken
and specifies whether the token is revocable on factory shutdown.Nested classes/interfaces inherited from class org.springframework.vault.authentication.LifecycleAwareSessionManagerSupport
LifecycleAwareSessionManagerSupport.FixedTimeoutRefreshTrigger, LifecycleAwareSessionManagerSupport.OneShotTrigger, LifecycleAwareSessionManagerSupport.RefreshTrigger
-
Field Summary
Fields inherited from class org.springframework.vault.authentication.LifecycleAwareSessionManagerSupport
logger, REFRESH_PERIOD_BEFORE_EXPIRY
-
Constructor Summary
ConstructorDescriptionReactiveLifecycleAwareSessionManager
(VaultTokenSupplier clientAuthentication, TaskScheduler taskScheduler, WebClient webClient) Create aReactiveLifecycleAwareSessionManager
givenClientAuthentication
,TaskScheduler
andWebClient
.ReactiveLifecycleAwareSessionManager
(VaultTokenSupplier clientAuthentication, TaskScheduler taskScheduler, WebClient webClient, LifecycleAwareSessionManagerSupport.RefreshTrigger refreshTrigger) Create aReactiveLifecycleAwareSessionManager
givenVaultTokenSupplier
,TaskScheduler
andWebClient
. -
Method Summary
Modifier and TypeMethodDescriptionvoid
destroy()
Return aVaultToken
.protected boolean
isTokenRenewable
(VaultToken token) Performs a token refresh.revoke()
Revoke and drop the currentVaultToken
.revoke
(VaultToken token) Revoke aVaultToken
.void
Revoke and drop the currentVaultToken
now.protected void
Revoke aVaultToken
now and block execution until revocation completes.Methods inherited from class org.springframework.vault.authentication.LifecycleAwareSessionManagerSupport
getRefreshTrigger, getTaskScheduler, isExpired, isTokenSelfLookupEnabled, setLeaseStrategy, setTokenSelfLookupEnabled
Methods inherited from class org.springframework.vault.authentication.AuthenticationEventPublisher
addAuthenticationListener, addErrorListener, removeAuthenticationListener, removeErrorListener
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.springframework.vault.authentication.ReactiveSessionManager
getSessionToken
-
Constructor Details
-
ReactiveLifecycleAwareSessionManager
public ReactiveLifecycleAwareSessionManager(VaultTokenSupplier clientAuthentication, TaskScheduler taskScheduler, WebClient webClient) Create aReactiveLifecycleAwareSessionManager
givenClientAuthentication
,TaskScheduler
andWebClient
.- Parameters:
clientAuthentication
- must not be null.taskScheduler
- must not be null.webClient
- must not be null.
-
ReactiveLifecycleAwareSessionManager
public ReactiveLifecycleAwareSessionManager(VaultTokenSupplier clientAuthentication, TaskScheduler taskScheduler, WebClient webClient, LifecycleAwareSessionManagerSupport.RefreshTrigger refreshTrigger) Create aReactiveLifecycleAwareSessionManager
givenVaultTokenSupplier
,TaskScheduler
andWebClient
.- Parameters:
clientAuthentication
- must not be null.taskScheduler
- must not be null.webClient
- must not be null.refreshTrigger
- must not be null.
-
-
Method Details
-
destroy
public void destroy()- Specified by:
destroy
in interfaceDisposableBean
-
revoke
Revoke and drop the currentVaultToken
.- Returns:
- a mono emitting completion upon successful revocation.
- Since:
- 3.0.2
-
revokeNow
public void revokeNow()Revoke and drop the currentVaultToken
now.- Since:
- 3.0.2
-
revokeNow
Revoke aVaultToken
now and block execution until revocation completes.- Parameters:
tokenMono
-
-
doRevoke
-
revoke
Revoke aVaultToken
.- Parameters:
token
- the token to revoke, must not be null.
-
renewToken
Performs a token refresh. Creates a new token if no token was obtained before. If a token was obtained before, it uses self-renewal to renew the current token. Client-side errors (like permission denied) indicate the token cannot be renewed because it's expired or simply not found.- Returns:
- the
VaultToken
if the refresh was successful or a new token was obtained.Mono.empty()
if a new the token expired orMono.error(Throwable)
if refresh failed.
-
getVaultToken
Description copied from interface:VaultTokenSupplier
Return aVaultToken
. This can declare a Vault login flow to obtain atoken
.- Specified by:
getVaultToken
in interfaceVaultTokenSupplier
- Returns:
- a
Mono
with theVaultToken
. - Throws:
VaultException
-
isTokenRenewable
- Returns:
- true if the token is renewable.
-