此版本仍在开发中,尚未被视为稳定版本。如需最新稳定版本,请使用 Spring Security 7.0.4spring-doc.cadn.net.cn

Reactive X.509 认证

类似于Servlet X.509 认证,响应式X.509认证过滤器允许从客户端提供的证书中提取一个认证Tokens。spring-doc.cadn.net.cn

以下示例展示了一个响应式的 x509 安全配置:spring-doc.cadn.net.cn

@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
	http
		.x509(Customizer.withDefaults())
		.authorizeExchange((authorize) -> authorize
			.anyExchange().authenticated()
		);
	return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        x509 { }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}

在上述配置中,当未提供 principalExtractorauthenticationManager 时,将使用默认值。 默认的主体提取器是 SubjectX500PrincipalExtractor,它从客户端提供的证书中提取 CN(通用名称)字段。 默认的身份验证管理器是 ReactivePreAuthenticatedAuthenticationManager,它执行用户账户验证,检查是否存在由 principalExtractor 提取的用户名对应的账户,并且该账户未被锁定、禁用或过期。spring-doc.cadn.net.cn

以下示例演示了如何覆盖这些默认值:spring-doc.cadn.net.cn

@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
	SubjectX500PrincipalExtractor principalExtractor = new SubjectX500PrincipalExtractor();
	principalExtractor.setExtractPrincipalNameFromEmail(true);

	UserDetails user = User
		.withUsername("luke@monkeymachine")
		.password("password")
		.roles("USER")
		.build();

	ReactiveUserDetailsService users = new MapReactiveUserDetailsService(user);
	ReactiveAuthenticationManager authenticationManager = new ReactivePreAuthenticatedAuthenticationManager(users);

	http
		.x509((x509) -> x509
			.principalExtractor(principalExtractor)
			.authenticationManager(authenticationManager)
		)
		.authorizeExchange((authorize) -> authorize
			.anyExchange().authenticated()
		);
	return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    val extractor = SubjectX500PrincipalExtractor()
    extractor.setExtractPrincipalNameFromEmail(true)

    val user = User
        .withUsername("luke@monkeymachine")
        .password("password")
        .roles("USER")
        .build()

    val users: ReactiveUserDetailsService = MapReactiveUserDetailsService(user)
    val authentication: ReactiveAuthenticationManager = ReactivePreAuthenticatedAuthenticationManager(users)

    return http {
        x509 {
            principalExtractor = extractor
            authenticationManager = authentication
        }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}

在上一个示例中,用户名是从客户端证书的 emailAddress 字段中提取的,而不是从 CN(通用名称)中提取,并且账户查找使用了一个自定义的 ReactiveAuthenticationManager 实例。spring-doc.cadn.net.cn

有关如何配置 Netty 以及 WebClientcurl 命令行工具以使用双向 TLS 并启用 X.509 认证的示例,请参见 github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509spring-doc.cadn.net.cn