Package org.springframework.vault.authentication

Class ReactiveLifecycleAwareSessionManager

java.lang.Object

org.springframework.vault.authentication.AuthenticationEventPublisher

org.springframework.vault.authentication.LifecycleAwareSessionManagerSupport

org.springframework.vault.authentication.ReactiveLifecycleAwareSessionManager

All Implemented Interfaces:

DisposableBean, AuthenticationEventMulticaster, ReactiveSessionManager, VaultTokenSupplier

public class ReactiveLifecycleAwareSessionManager
extends LifecycleAwareSessionManagerSupport
implements ReactiveSessionManager, DisposableBean

Reactive implementation of Lifecycle-aware session manager. This ReactiveSessionManager obtains tokens from an authentication method upon request guaranteeing a token to be obtained only once if multiple threads attempt to obtain a token concurrently.

Tokens are renewed asynchronously if a token has a lease duration. This happens 5 seconds before the token expires, see LifecycleAwareSessionManagerSupport.REFRESH_PERIOD_BEFORE_EXPIRY.

This ReactiveSessionManager also implements DisposableBean to revoke the LoginToken once it's not required anymore. Token revocation will stop regular token refresh. Tokens are only revoked if the associated VaultTokenSupplier returns a service token.

If Token renewal runs into a client-side error, it assumes the token was revoked/expired. It discards the token state so the next attempt will lead to another login attempt.

By default, VaultToken are looked up in Vault to determine renewability, remaining TTL, accessor and type, see LifecycleAwareSessionManagerSupport.setTokenSelfLookupEnabled(boolean).

The session manager dispatches authentication events to AuthenticationListener and AuthenticationErrorListener.

This class is thread-safe and uses lock-free synchronization.

Since:

2.0

Author:

Mark Paluch

See Also:

• LoginToken
• ReactiveSessionManager
• TaskScheduler
• AuthenticationEventPublisher

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static class	ReactiveLifecycleAwareSessionManager.TokenWrapper	Wraps a VaultToken and specifies whether the token is revocable on factory shutdown.

Nested classes/interfaces inherited from class org.springframework.vault.authentication.LifecycleAwareSessionManagerSupport

LifecycleAwareSessionManagerSupport.FixedTimeoutRefreshTrigger, LifecycleAwareSessionManagerSupport.OneShotTrigger, LifecycleAwareSessionManagerSupport.RefreshTrigger

Field Summary

Fields inherited from class org.springframework.vault.authentication.LifecycleAwareSessionManagerSupport

logger, REFRESH_PERIOD_BEFORE_EXPIRY

Constructor Summary

Constructors

Constructor	Description
ReactiveLifecycleAwareSessionManager(VaultTokenSupplier clientAuthentication, TaskScheduler taskScheduler, WebClient webClient)	Create a ReactiveLifecycleAwareSessionManager given ClientAuthentication, TaskScheduler and WebClient.
ReactiveLifecycleAwareSessionManager(VaultTokenSupplier clientAuthentication, TaskScheduler taskScheduler, WebClient webClient, LifecycleAwareSessionManagerSupport.RefreshTrigger refreshTrigger)	Create a ReactiveLifecycleAwareSessionManager given VaultTokenSupplier, TaskScheduler and WebClient.

Method Summary

Modifier and Type	Method	Description
void	destroy()
protected Mono<Void>	doRevoke(Mono<ReactiveLifecycleAwareSessionManager.TokenWrapper> tokenMono)
Mono<VaultToken>	getVaultToken()	Return a VaultToken.
protected boolean	isTokenRenewable(VaultToken token)
Mono<VaultToken>	renewToken()	Performs a token refresh.
Mono<Void>	revoke()	Revoke and drop the current VaultToken.
protected Mono<Void>	revoke(VaultToken token)	Revoke a VaultToken.
void	revokeNow()	Revoke and drop the current VaultToken now.
protected void	revokeNow(Mono<ReactiveLifecycleAwareSessionManager.TokenWrapper> tokenMono)	Revoke a VaultToken now and block execution until revocation completes.

Methods inherited from class org.springframework.vault.authentication.LifecycleAwareSessionManagerSupport

getRefreshTrigger, getTaskScheduler, isExpired, isTokenSelfLookupEnabled, setLeaseStrategy, setTokenSelfLookupEnabled

Methods inherited from class org.springframework.vault.authentication.AuthenticationEventPublisher

addAuthenticationListener, addErrorListener, multicastEvent, multicastEvent, removeAuthenticationListener, removeErrorListener

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.vault.authentication.ReactiveSessionManager

getSessionToken

Constructor Details

ReactiveLifecycleAwareSessionManager

public ReactiveLifecycleAwareSessionManager(VaultTokenSupplier clientAuthentication,
 TaskScheduler taskScheduler,
 WebClient webClient)

Create a ReactiveLifecycleAwareSessionManager given ClientAuthentication, TaskScheduler and WebClient.

Parameters:

clientAuthentication - must not be null.

taskScheduler - must not be null.

webClient - must not be null.

ReactiveLifecycleAwareSessionManager

public ReactiveLifecycleAwareSessionManager(VaultTokenSupplier clientAuthentication,
 TaskScheduler taskScheduler,
 WebClient webClient,
 LifecycleAwareSessionManagerSupport.RefreshTrigger refreshTrigger)

Create a ReactiveLifecycleAwareSessionManager given VaultTokenSupplier, TaskScheduler and WebClient.

Parameters:

clientAuthentication - must not be null.

taskScheduler - must not be null.

webClient - must not be null.

refreshTrigger - must not be null.

Method Details

destroy

public void destroy()

Specified by:

destroy in interface DisposableBean

revoke

public Mono<Void> revoke()

Revoke and drop the current VaultToken.

Returns:

a mono emitting completion upon successful revocation.

Since:

3.0.2

revokeNow

public void revokeNow()

Revoke and drop the current VaultToken now.

Since:

3.0.2

revokeNow

protected void revokeNow(Mono<ReactiveLifecycleAwareSessionManager.TokenWrapper> tokenMono)

Revoke a VaultToken now and block execution until revocation completes.

Parameters:

tokenMono -

doRevoke

protected Mono<Void> doRevoke(Mono<ReactiveLifecycleAwareSessionManager.TokenWrapper> tokenMono)

revoke

protected Mono<Void> revoke(VaultToken token)

Revoke a VaultToken.

Parameters:

token - the token to revoke, must not be null.

renewToken

public Mono<VaultToken> renewToken()

Performs a token refresh. Creates a new token if no token was obtained before. If a token was obtained before, it uses self-renewal to renew the current token. Client-side errors (like permission denied) indicate the token cannot be renewed because it's expired or simply not found.

Returns:

the VaultToken if the refresh was successful or a new token was obtained. Mono.empty() if a new the token expired or Mono.error(Throwable) if refresh failed.

getVaultToken

public Mono<VaultToken> getVaultToken()
                               throws VaultException

Description copied from interface: VaultTokenSupplier

Return a VaultToken. This can declare a Vault login flow to obtain a token.

Specified by:

getVaultToken in interface VaultTokenSupplier

Returns:

a Mono with the VaultToken.

Throws:

VaultException

isTokenRenewable

protected boolean isTokenRenewable(VaultToken token)

Returns:

true if the token is renewable.