I don't quite understand what ServerAuthenticationConverter and ReactiveAuthenticationManager are
The Spring Boot code for ServerAuthenticationConverter is:
@FunctionalInterface
public interface ServerAuthenticationConverter {

    /**
     * Converts a {@link ServerWebExchange} to an {@link Authentication}
     * @param exchange The {@link ServerWebExchange}
     * @return A {@link Mono} representing an {@link Authentication}
     */
    Mono<Authentication> convert(ServerWebExchange exchange);

}
and for ReactiveAuthenticationManager:
@FunctionalInterface
public interface ReactiveAuthenticationManager {

    /**
     * Attempts to authenticate the provided {@link Authentication}
     * @param authentication the {@link Authentication} to test
     * @return if authentication is successful an {@link Authentication} is returned. If
     * authentication cannot be determined, an empty Mono is returned. If authentication
     * fails, a Mono error is returned.
     */
    Mono<Authentication> authenticate(Authentication authentication);

}
Both have a method that returns Mono<Authentication>. What do they represent?
Currently, my implementation is:
import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Component
public class GitJwtServerAuthenticationConverter implements ServerAuthenticationConverter {

    @Override
    public Mono<Authentication> convert(ServerWebExchange exchange) {
        // Wrap the raw Authorization header value in a (not yet authenticated) token.
        // justOrEmpty on the header value completes empty when the header is absent,
        // instead of failing with a NullPointerException inside map().
        return Mono.justOrEmpty(exchange)
                .flatMap((it) -> Mono.justOrEmpty(it.getRequest().getHeaders()))
                .flatMap((headers) -> Mono.justOrEmpty(headers.getFirst(HttpHeaders.AUTHORIZATION)))
                // GitBearerTokenAuthenticationToken is my own token class (not shown here)
                .map((header) -> new GitBearerTokenAuthenticationToken(header));
    }
}
And a really straightforward implementation:
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import reactor.core.publisher.Mono;

public class GitJwtReactiveAuthenticationManager implements ReactiveAuthenticationManager {

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        // Pass-through: returns the converter's token unchanged, without verifying it
        // or marking it authenticated.
        return Mono.justOrEmpty(authentication);
    }
}
My security implementation is:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity.AnonymousSpec;
import org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec;
import org.springframework.security.config.web.server.ServerHttpSecurity.FormLoginSpec;
import org.springframework.security.config.web.server.ServerHttpSecurity.HttpBasicSpec;
import org.springframework.security.config.web.server.ServerHttpSecurity.LogoutSpec;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    ReactiveAuthenticationManager reactiveAuthenticationManager() {
        return new GitJwtReactiveAuthenticationManager();
    }

    @Bean
    AuthenticationWebFilter authenticationWebFilter(
            ReactiveAuthenticationManager reactiveAuthenticationManager,
            ServerAuthenticationConverter serverAuthenticationConverter) {
        // The filter runs the converter first and hands its result to the manager.
        AuthenticationWebFilter authenticationWebFilter = new AuthenticationWebFilter(reactiveAuthenticationManager);
        authenticationWebFilter.setServerAuthenticationConverter(serverAuthenticationConverter);
        return authenticationWebFilter;
    }

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(
            ServerHttpSecurity http,
            AuthenticationWebFilter authenticationWebFilter) {
        return http
                .httpBasic(HttpBasicSpec::disable)
                .csrf(CsrfSpec::disable)
                .formLogin(FormLoginSpec::disable)
                .anonymous(AnonymousSpec::disable)
                .logout(LogoutSpec::disable)
                .authorizeExchange((authorize) -> authorize
                        .pathMatchers("/actuator/**").permitAll()
                        .pathMatchers("/login/**").permitAll()
                        .anyExchange().authenticated())
                .addFilterAt(authenticationWebFilter, SecurityWebFiltersOrder.AUTHENTICATION)
                // .oauth2ResourceServer((resourceServer) -> resourceServer.jwt(withDefaults()))
                .build();
    }
}
I have tested it, and I get a 403 Forbidden:
~ ❯ curl -i -X POST localhost:8080/me -H "Authorization: $JWT_TOKEN" -H "GICAR_ID: foo"
HTTP/1.1 403 Forbidden
Content-Type: text/plain
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1 ; mode=block
Referrer-Policy: no-referrer
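As an added example (not code from the question, and not Spring Security's own code), here is the contract the two interfaces express, run end to end the way AuthenticationWebFilter chains them: the converter turns the ServerWebExchange into an Authentication that merely carries the credential (or an empty Mono when there is nothing to authenticate), and the manager either returns an Authentication with isAuthenticated() == true, signals failure with Mono.error, or returns empty when it cannot judge the credential. The authenticated() rule in authorizeExchange() tests that isAuthenticated() flag, which AbstractAuthenticationToken leaves false until setAuthenticated(true) is called. The BearerToken class, the KNOWN_TOKENS map (a constructed stand-in for real JWT verification) and the spring-test MockServerHttpRequest driver are assumptions of this example; the question's GitBearerTokenAuthenticationToken is not shown and is not used here.

```java
import java.util.Map;

import org.springframework.http.HttpHeaders;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * Added example, not code from the question: the two-stage contract that
 * AuthenticationWebFilter drives. The converter only extracts credentials; the
 * manager verifies them and must return an Authentication whose isAuthenticated()
 * is true, otherwise anyExchange().authenticated() denies the request (403).
 */
public class BearerContractExample {

    /** Hypothetical token type (the question's GitBearerTokenAuthenticationToken is not shown). */
    static final class BearerToken extends AbstractAuthenticationToken {
        private final String token;   // credentials: the raw bearer token
        private final String subject; // principal: null until the manager has verified the token

        /** Unauthenticated form, produced by the converter. */
        BearerToken(String token) {
            super(null);
            this.token = token;
            this.subject = null;
            setAuthenticated(false);
        }

        /** Authenticated form, produced by the manager after verification. */
        BearerToken(String token, String subject) {
            super(AuthorityUtils.createAuthorityList("ROLE_USER"));
            this.token = token;
            this.subject = subject;
            setAuthenticated(true); // the flag that authenticated() checks
        }

        @Override public Object getCredentials() { return token; }
        @Override public Object getPrincipal() { return subject; }
    }

    /** Stage 1: extract. Empty Mono when no "Bearer" credential is present, which makes
     *  AuthenticationWebFilter skip authentication and let the chain continue. */
    static final ServerAuthenticationConverter CONVERTER = exchange -> {
        String header = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return Mono.empty();
        }
        return Mono.just(new BearerToken(header.substring(7).trim()));
    };

    /** Constructed stand-in for real JWT signature and claims verification. */
    static final Map<String, String> KNOWN_TOKENS = Map.of("tok-alice", "alice");

    /** Stage 2: verify. Authenticated token on success, Mono.error on failure,
     *  empty when this manager does not handle the credential type at all. */
    static final ReactiveAuthenticationManager MANAGER = authentication -> {
        if (!(authentication instanceof BearerToken)) {
            return Mono.empty();
        }
        String token = (String) authentication.getCredentials();
        String subject = KNOWN_TOKENS.get(token);
        if (subject == null) {
            return Mono.error(new BadCredentialsException("unknown or expired bearer token"));
        }
        return Mono.just(new BearerToken(token, subject));
    };

    /** The same sequencing AuthenticationWebFilter applies: convert, then authenticate. */
    static Mono<Authentication> authenticate(ServerWebExchange exchange) {
        return CONVERTER.convert(exchange).flatMap(MANAGER::authenticate);
    }

    /** Builds a POST /me with the given Authorization header (null for none) using spring-test mocks. */
    static ServerWebExchange requestWith(String authorization) {
        MockServerHttpRequest.BodyBuilder request = MockServerHttpRequest.post("/me");
        if (authorization != null) {
            request.header(HttpHeaders.AUTHORIZATION, authorization);
        }
        return MockServerWebExchange.from(request.build());
    }

    public static void main(String[] args) {
        Authentication ok = authenticate(requestWith("Bearer tok-alice")).block();
        System.out.println(ok.getPrincipal() + " authenticated=" + ok.isAuthenticated());

        try {
            authenticate(requestWith("Bearer nope")).block();
        } catch (BadCredentialsException e) {
            // Inside the filter this error goes to the failure handler (401 by default).
            System.out.println("rejected: " + e.getMessage());
        }

        // No credential at all: the converter completes empty and nothing is authenticated.
        System.out.println("authenticated without header: " + authenticate(requestWith(null)).blockOptional().isPresent());
    }
}
```

The split of responsibilities is the point: the converter never decides trust, it only parses, and the manager never touches the request, it only judges the credential it was handed. Whatever the manager returns is what the authorization rules see, so a manager that returns the converter's token unchanged leaves isAuthenticated() at its default and authenticated() has nothing to accept.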