
Spring Security 5 The Reactive Bits

Andrew Serff edited this page Dec 22, 2017 · 1 revision

Spring Security 5 - The Reactive Bits

Speaker: Rob Winch (GitHub: rwinch)

Which pieces of authentication block? LDAP calls and password validation (bcrypt and friends) are the obvious ones, and yes, both block, so in a reactive app they have to be moved off the event loop.

Spring Security now adds a default logout page. It also does content negotiation for unauthenticated requests: a browser request is redirected to the login page, while an AJAX request gets a 401.

If you have reactive model attributes (a Mono<CsrfToken>, say), you have to resolve them before the View is rendered, because the View can't resolve them itself. His example resolves the CSRF token in a ControllerAdvice.
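An added example of the ControllerAdvice approach (my code, not the talk's): the reactive CsrfWebFilter stores a Mono<CsrfToken> as an exchange attribute keyed by the CsrfToken class name; the advice hands that Mono to the model and, once it emits, copies the resolved token into the "_csrf" exchange attribute that CsrfRequestDataValueProcessor reads when it injects hidden form fields. The class and method names are my own.

```java
import org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Added example: resolves the reactive CSRF token before the view renders so that
// server-side templates can read it as an ordinary model attribute.
@ControllerAdvice
public class SecurityControllerAdvice {

    @ModelAttribute
    Mono<CsrfToken> csrfToken(ServerWebExchange exchange) {
        // CsrfWebFilter puts a Mono<CsrfToken> (lazy: the token is only created
        // when subscribed) under the CsrfToken class name.
        Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());
        if (csrfToken == null) {
            // CSRF protection is disabled for this exchange; nothing to expose.
            return Mono.empty();
        }
        // When the token materialises, also expose it under "_csrf" so the
        // CsrfRequestDataValueProcessor can add the hidden field to <form> posts.
        return csrfToken.doOnSuccess(token -> exchange.getAttributes()
                .put(CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME, token));
    }
}
```

The null check matters: if a route is excluded from CSRF protection the attribute is simply absent, and returning an empty Mono keeps the advice from failing every view on that route.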

The default PasswordEncoder used to be NoOpPasswordEncoder. Yeah, that's bad... so now you have to provide one. StandardPasswordEncoder is deprecated. Use PasswordEncoderFactories.createDelegatingPasswordEncoder(), which gives you a DelegatingPasswordEncoder: it prefixes every stored hash with an id such as {bcrypt}, so the encoder (and you) can tell which algorithm produced it. That lets you roll out a stronger encoder over time and tells you who still needs their password upgraded (the re-hash can only happen at login, when the plaintext is in hand).
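An added example (mine, not from the talk) showing what the {id} prefix buys you: three constructed legacy rows under different encoders all verify through one DelegatingPasswordEncoder, the id tells you which rows are stale, and a stale row is re-hashed at login time. The user names, the secret, and the helper method names are invented for the demo; the encoder ids ({noop}, {sha256}, {bcrypt}) are the ones the factory registers.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;

public class PasswordUpgradeDemo {

    // Maps ids such as {bcrypt}, {sha256}, {noop} to encoders and uses bcrypt for
    // anything newly encoded (same as new DelegatingPasswordEncoder("bcrypt", idToEncoder)).
    static final PasswordEncoder ENCODER = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // The id every stored hash should eventually carry.
    static final String CURRENT_ID = "bcrypt";

    /** True when the stored value was produced by something other than the current encoder. */
    static boolean needsUpgrade(String stored) {
        return !stored.startsWith("{" + CURRENT_ID + "}");
    }

    /**
     * Login-time check. Returns null if the password is wrong, the unchanged hash if it is
     * right and already current, or a freshly re-encoded hash the caller should persist.
     * Re-hashing is only possible here because the plaintext is available.
     */
    static String verifyAndMaybeUpgrade(String presented, String stored) {
        if (!ENCODER.matches(presented, stored)) {
            return null;
        }
        return needsUpgrade(stored) ? ENCODER.encode(presented) : stored;
    }

    public static void main(String[] args) {
        String secret = "correct horse battery staple";

        // Constructed legacy rows (hypothetical users): plaintext, SHA-256 via the
        // deprecated StandardPasswordEncoder, and one already on bcrypt.
        Map<String, String> userToHash = new LinkedHashMap<>();
        userToHash.put("alice", "{noop}" + secret);
        userToHash.put("bob", "{sha256}" + new StandardPasswordEncoder().encode(secret));
        userToHash.put("carol", ENCODER.encode(secret)); // "{bcrypt}$2a$10$..."

        for (Map.Entry<String, String> row : userToHash.entrySet()) {
            String before = row.getValue();
            String after = verifyAndMaybeUpgrade(secret, before);
            boolean upgraded = after != null && !after.equals(before);
            if (upgraded) {
                row.setValue(after); // this is the write-back a real app would make to its user store
            }
            String id = row.getValue().substring(0, row.getValue().indexOf('}') + 1);
            System.out.printf("%-5s ok=%-5b upgraded=%-5b now=%s%n", row.getKey(), after != null, upgraded, id);
        }

        // A wrong password never upgrades anything.
        System.out.println("wrong password -> " + verifyAndMaybeUpgrade("nope", userToHash.get("alice")));

        // A hash whose id nobody registered is rejected loudly rather than silently accepted.
        try {
            ENCODER.matches(secret, "{md4-custom}deadbeef");
        } catch (IllegalArgumentException e) {
            System.out.println("unknown id -> " + e.getMessage());
        }
    }
}
```

The migration only ever touches rows whose owner has just logged in successfully; anyone who never logs in stays on the old hash, which is exactly the population the prefix lets you report on (and, eventually, force through a reset).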

@EnableWebFluxSecurity - turns on Spring Security for WebFlux (the reactive counterpart of @EnableWebSecurity).

@AuthenticationPrincipal - injects the current user into a controller method argument.

.subscribeOn(Schedulers.parallel()).doOnNext(...) - push CPU-bound work, such as encoding or verifying a password, off the event loop. Blocking I/O such as an LDAP call belongs on Schedulers.elastic() instead, so it doesn't tie up the fixed-size parallel pool while it waits on the network.
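An added example (mine, not the talk's or the framework's code) that puts the two blocking pieces from the notes above on the right schedulers: a blocking directory lookup (LDAP, JDBC) is adapted with Mono.fromCallable on the elastic scheduler, and the bcrypt comparison is hopped onto the parallel scheduler before it runs. The class name, the helper fromBlocking, and the in-memory user "rob" are assumptions for the demo; the interfaces and the Reactor calls are the real ones.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

/** Hypothetical authentication manager that keeps both kinds of blocking work off the event loop. */
public class OffloadingAuthenticationManager implements ReactiveAuthenticationManager {

    private final ReactiveUserDetailsService users;
    private final PasswordEncoder encoder;

    public OffloadingAuthenticationManager(ReactiveUserDetailsService users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    /**
     * Adapts a blocking UserDetailsService (LDAP, JDBC) to the reactive interface. Blocking I/O
     * goes on Schedulers.elastic(), which adds threads while callers sit on sockets.
     * (Newer Reactor releases name the equivalent Schedulers.boundedElastic().)
     */
    public static ReactiveUserDetailsService fromBlocking(UserDetailsService blocking) {
        return username -> Mono.fromCallable(() -> blocking.loadUserByUsername(username))
                .subscribeOn(Schedulers.elastic());
    }

    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        String username = authentication.getName();
        String presented = (String) authentication.getCredentials();
        return this.users.findByUsername(username)
                // bcrypt is CPU-bound, not I/O: hop to the fixed-size parallel pool before hashing.
                .publishOn(Schedulers.parallel())
                .filter(user -> this.encoder.matches(presented, user.getPassword()))
                .switchIfEmpty(Mono.error(new BadCredentialsException("Invalid credentials")))
                .map(user -> new UsernamePasswordAuthenticationToken(
                        user, user.getPassword(), user.getAuthorities()));
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        // In-memory stand-in for the directory, holding one constructed sample user.
        ReactiveUserDetailsService users = new MapReactiveUserDetailsService(
                User.withUsername("rob").password(encoder.encode("s3cret")).roles("USER").build());
        ReactiveAuthenticationManager manager = new OffloadingAuthenticationManager(users, encoder);

        Authentication ok = manager.authenticate(
                new UsernamePasswordAuthenticationToken("rob", "s3cret")).block();
        System.out.println("authenticated=" + ok.isAuthenticated() + " as " + ok.getName());

        try {
            manager.authenticate(new UsernamePasswordAuthenticationToken("rob", "wrong")).block();
        } catch (BadCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

One caveat a reviewer would raise: an unknown username short-circuits before the bcrypt comparison, so the failure is measurably faster than a wrong password for a known user. If user enumeration through timing matters for you, run a dummy comparison on the empty path as well.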

@EnableReactiveMethodSecurity - so you can do things like @PostAuthorize("returnObject?.to?.id == principal?.id") on a method returning Mono or Flux; returnObject in the expression is the emitted element, not the Mono itself.
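An added example (mine, not the talk's) tying the configuration annotations, @AuthenticationPrincipal and reactive method security together around the @PostAuthorize expression from the notes. AppUser, Message, the service and the controller are hypothetical; the principal needs an id property for "principal?.id" to resolve, which is why AppUser extends Spring's User with one. Everything is in one file for brevity; the classes are package-private so it compiles that way.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity          // WebFlux security filter chain (the default chain when no bean is declared)
@EnableReactiveMethodSecurity   // @PreAuthorize/@PostAuthorize on Mono- and Flux-returning methods
class SecurityConfig {
}

/** Hypothetical principal with an id, so that "principal?.id" resolves in SpEL. */
class AppUser extends User {
    private final long id;

    AppUser(long id, String username, String password, Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
        this.id = id;
    }

    public long getId() {
        return id;
    }
}

/** Hypothetical domain object; "to" is the recipient the authorization rule checks. */
class Message {
    private final long id;
    private final AppUser to;
    private final String text;

    Message(long id, AppUser to, String text) {
        this.id = id;
        this.to = to;
        this.text = text;
    }

    public long getId() { return id; }
    public AppUser getTo() { return to; }
    public String getText() { return text; }
}

@Service
class MessageService {
    // Constructed in-memory store standing in for a repository.
    private final Map<Long, Message> store = new HashMap<>();

    void save(Message m) {
        store.put(m.getId(), m);
    }

    @PreAuthorize("hasRole('USER')")
    @PostAuthorize("returnObject?.to?.id == principal?.id")
    public Mono<Message> findById(long id) {
        // The interceptor evaluates @PostAuthorize against the Message the Mono emits.
        // An empty Mono passes (nothing to check); a message addressed to someone
        // else makes the Mono error with AccessDeniedException instead of emitting.
        return Mono.justOrEmpty(store.get(id));
    }
}

@RestController
class MessageController {
    private final MessageService messages;

    MessageController(MessageService messages) {
        this.messages = messages;
    }

    @GetMapping("/messages/{id}")
    Mono<String> read(@PathVariable long id, @AuthenticationPrincipal AppUser me) {
        // @AuthenticationPrincipal hands us the AppUser the filter chain authenticated.
        return messages.findById(id)
                .map(m -> "to " + me.getUsername() + ": " + m.getText());
    }
}
```

The controller maps to a String rather than returning Message directly: serializing a domain object that carries a UserDetails would also serialize its password hash.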

Pre-auth filters are different in reactive vs. non-reactive Spring Security: on WebFlux you build them on AuthenticationWebFilter (a WebFilter, not a servlet Filter). If you stick with the servlet stack, all the old filters still work.

AuthorizationContext - what a ReactiveAuthorizationManager is handed: the ServerWebExchange plus the matched path variables, etc.

Testing

How do we authenticate in tests? @WithMockUser works, but it doesn't give you your custom user object. You can write custom annotations that plug into the test support: a WithMockCustomUser annotation backed by a WithSecurityContextFactory, and even personas such as @WithRob.
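An added example (mine, not from the talk) of that pattern end to end: a general WithMockCustomUser annotation, the WithSecurityContextFactory that builds a SecurityContext around your own principal type, and a WithRob persona that is just a meta-annotation with fixed values. CustomUser, the annotation names and the persona's id and roles are invented for the demo; the test uses JUnit 4 with SpringRunner, and the listeners that apply the annotation come from spring-security-test.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.test.context.support.WithSecurityContext;
import org.springframework.security.test.context.support.WithSecurityContextFactory;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringRunner;

/** Hypothetical principal type standing in for the application's own user class. */
class CustomUser {
    private final long id;
    private final String username;

    CustomUser(long id, String username) {
        this.id = id;
        this.username = username;
    }

    public long getId() { return id; }
    public String getUsername() { return username; }
}

/** General-purpose test annotation: any id, username and roles. */
@Retention(RetentionPolicy.RUNTIME)
@WithSecurityContext(factory = WithMockCustomUserSecurityContextFactory.class)
@interface WithMockCustomUser {
    long id() default 1000L;
    String username() default "user";
    String[] roles() default { "USER" };
}

/** Builds the SecurityContext the test runs under; called by WithSecurityContextTestExecutionListener. */
class WithMockCustomUserSecurityContextFactory implements WithSecurityContextFactory<WithMockCustomUser> {
    @Override
    public SecurityContext createSecurityContext(WithMockCustomUser ann) {
        List<GrantedAuthority> authorities = Stream.of(ann.roles())
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());
        CustomUser principal = new CustomUser(ann.id(), ann.username());
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        // The 3-arg constructor marks the token authenticated; credentials are irrelevant in a test.
        context.setAuthentication(new UsernamePasswordAuthenticationToken(principal, "N/A", authorities));
        return context;
    }
}

/** Persona: one fixed identity reused across tests, meta-annotated with the general annotation. */
@Retention(RetentionPolicy.RUNTIME)
@WithMockCustomUser(id = 1L, username = "rob", roles = { "USER", "ADMIN" })
@interface WithRob {
}

@RunWith(SpringRunner.class)
@ContextConfiguration
public class PersonaTests {

    @Configuration
    static class EmptyConfig {
        // Nested configuration is picked up automatically; an empty context is enough here.
    }

    @Test
    @WithRob
    public void robHasIdOneAndIsAdmin() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        CustomUser me = (CustomUser) auth.getPrincipal();
        assertEquals(1L, me.getId());
        assertEquals("rob", me.getUsername());
        assertTrue(auth.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMIN")));
    }
}
```

On the reactive side the same annotations apply: Spring Security 5's ReactorContextTestExecutionListener copies the test SecurityContext into the Reactor Context, so a WebTestClient call made inside a @WithRob test runs as rob without any mutateWith(...) call.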
