Support loading security context into reactive context for reactive-returning Servlet controllers #4859

Open
@Vulcannis

Summary

Spring Servlet MVC supports returning Reactive types from annotated controllers. For webflux applications, the reactive filter ReactorContextWebFilter loads security contexts into the Reactive context using ReactiveSecurityContextHolder. For Servlet applications, there is no such support. It would be nice if the reactive code in the controller could access the security context in the same way for both web stacks without modification to the controller code.

A workaround that doesn't involve changing controller code is to override the ResponseBodyEmitterReturnValueHandler instance in the RequestMappingHandlerAdapter and simply chain the context onto the reactive return value. Unfortunately this gets a bit messy as the class hasn't been written in a way conducive to customization. And regardless it would be nice if this worked out-of-the-box.

Actual Behavior

The Security context is correctly set and retrievable using normal Servlet MVC methods, but the reactive context is empty.

Expected Behavior

Accessing the security context to work regardless of stack type. e.g.

@RequestMapping
public Mono< String > sayHello( )
{
    return ReactiveSecurityContextHolder.getContext( ).map( c -> "Hello " + c.getAuthentication( ).getPrincipal( ).toString( ) );
}

should work identically for both webflux and servlet mvc.

Configuration

Any Spring Servlet webapp using security.

Version

5.0

Sample
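An added illustration, not part of the original issue and not Spring Security's own code: one way the "chain the context onto the reactive return value" workaround from the summary could look. The class and method names are hypothetical, and it assumes a customised return value handler calls the method on the servlet request thread.

```java
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
import reactor.util.context.Context;

/** Hypothetical helper (the name is an assumption, not a Spring Security class). */
public final class ServletSecurityContextBridge {

    private ServletSecurityContextBridge() {
    }

    /**
     * Call on the servlet request thread, before Spring MVC subscribes to the
     * controller's reactive return value.
     */
    public static Object withServletSecurityContext(Object returnValue) {
        // Read the ThreadLocal-backed context eagerly: subscription may run on a
        // different thread, where SecurityContextHolder does not hold this
        // request's context.
        SecurityContext captured = SecurityContextHolder.getContext();
        if (captured.getAuthentication() == null) {
            return returnValue; // nothing to propagate; reactive context stays empty
        }
        Context reactorContext =
                ReactiveSecurityContextHolder.withSecurityContext(Mono.just(captured));

        // subscriberContext(..) is the Reactor 3.1 operator that ships with
        // Spring 5.0; newer Reactor releases name the same operator contextWrite(..).
        if (returnValue instanceof Mono) {
            return ((Mono<?>) returnValue).subscriberContext(reactorContext);
        }
        if (returnValue instanceof Flux) {
            return ((Flux<?>) returnValue).subscriberContext(reactorContext);
        }
        return returnValue; // non-reactive return types are handled as before
    }
}
```

With the context written this way, the `sayHello()` controller above resolves `ReactiveSecurityContextHolder.getContext()` to the same `SecurityContext` that the servlet filter chain established for the request.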
