Trying to understand kotlin object code block

Time:03-14

I would like to understand the following code snippet:

@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
    val customPrincipalExtractor = SubjectDnX509PrincipalExtractor()
    customPrincipalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)")
    val customAuthenticationManager = ReactiveAuthenticationManager { authentication: Authentication ->
        authentication.isAuthenticated = "Trusted Org Unit" == authentication.name
        Mono.just(authentication)
    }
    return http {
        x509 {
            principalExtractor = customPrincipalExtractor
            authenticationManager = customAuthenticationManager
        }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}

from https://docs.spring.io/spring-security/reference/5.6.1/reactive/authentication/x509.html.

My question is what does this block mean?

http {
    x509 {
        principalExtractor = customPrincipalExtractor
        authenticationManager = customAuthenticationManager
    }
    authorizeExchange {
        authorize(anyExchange, authenticated)
    }
}

How does it work?

CodePudding user response:

The code you are asking about configures spring security. You have a ServerHttpSecurity object named http and you are setting configuration on it.

Its equivalent in regular Java would be something like:

http
    .x509()
        .principalExtractor(customPrincipalExtractor)
        .authenticationManager(customAuthenticationManager)
    .authorizeExchange()
        .anyExchange()
        .authenticated();

The first three lines are saying that we are going to be using x509 certificates, and that we have a custom principal extractor, which we defined a couple of rows up and which is a SubjectDnX509PrincipalExtractor https://docs.spring.io/spring-security/site/docs/3.2.8.RELEASE/apidocs/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractor.html, that needs to be used when we extract information from the certificate and build our principal object (all users, after they are authenticated, have a principal that contains who they are, etc.).

That particular extractor uses a regexp to extract the subject defined in the certificate.

In the row after that we set a custom AuthenticationManager https://javadoc.io/doc/org.springframework.security/spring-security-core/latest/org/springframework/security/authentication/AuthenticationProvider.html

There are several of these built into Spring. For instance, if you want to authenticate with username and password, or by presenting a token or a cookie, or by presenting a certificate, you can use a specific authentication manager. Or you can write a custom one if you want to authenticate someone in a specific way.

The last three lines say that any exchanges (requests) need to be authenticated.

CodePudding user response:

This is called a type-safe builder pattern. It is used in Kotlin mostly to create objects declaratively and/or to let a library provide a DSL. It is one of the most advanced features of Kotlin, so it is not easy to explain in a few sentences, but the above example works like this:

  1. http() is a higher-order function that receives a lambda meant to configure the http object.
  2. http() executes this lambda, providing some kind of "http scope" or "http builder" object to the lambda. The lambda receives this parameter as this, so we can access its members implicitly. (I don't know what the specific type of this scope/builder object is; you can check it by control-clicking on http.)
  3. The lambda can configure the http object being created by accessing members of the provided scope/builder. x509() and authorizeExchange() are members of the builder or extensions on it. We can invoke them out of nowhere inside the http {} block, because there the builder is our this, so all its members are resolved implicitly.
  4. x509() and authorizeExchange() do the same thing as http(). They accept a lambda and provide another builder to those lambdas.
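To make the two answers concrete in one place, here is an added, self-contained example (not Spring's code and not code from either answer's author): a miniature type-safe builder with the same shape as the http { x509 { } authorizeExchange { } } block, plus a minimal regex-based principal extractor and an authentication manager that behave like the ones in the question. Every name in it (SecurityDsl, X509Dsl, AuthorizeDsl, SecurityChain, Decision, subjectDnExtractor, the sample subject DNs) is invented for this illustration; the regex is compiled case-insensitively here as an assumption, and the real Spring classes should be consulted for their exact matching rules.

```kotlin
// A principal extractor is a function from a certificate subject DN to a principal name.
typealias PrincipalExtractor = (subjectDn: String) -> String?
// An authentication manager decides whether the extracted principal counts as authenticated.
typealias AuthenticationManager = (principal: String) -> Boolean

enum class Decision { PERMITTED, DENIED_NO_PRINCIPAL, DENIED_NOT_AUTHENTICATED }

// Result of the build: a "filter chain" holding the callbacks the DSL configured.
class SecurityChain(
    val principalExtractor: PrincipalExtractor,
    val authenticationManager: AuthenticationManager,
    val requireAuthenticated: Boolean,
) {
    // Evaluate a request that presented a certificate with the given subject DN.
    fun evaluate(subjectDn: String): Decision {
        val principal = principalExtractor(subjectDn) ?: return Decision.DENIED_NO_PRINCIPAL
        val authenticated = authenticationManager(principal)
        return when {
            !requireAuthenticated -> Decision.PERMITTED
            authenticated -> Decision.PERMITTED
            else -> Decision.DENIED_NOT_AUTHENTICATED
        }
    }
}

// Inner builder for the x509 { } block. Its properties are the names assigned
// "out of nowhere" inside the block, because the block's `this` is an X509Dsl.
class X509Dsl {
    var principalExtractor: PrincipalExtractor = { it }
    var authenticationManager: AuthenticationManager = { false }
}

// Inner builder for the authorizeExchange { } block; anyExchange and authenticated
// are just marker values here, standing in for Spring's matcher and access rule.
class AuthorizeDsl {
    val anyExchange = "anyExchange"
    val authenticated = "authenticated"
    var requireAuthenticated = false
    fun authorize(matcher: String, access: String) {
        if (matcher == anyExchange && access == authenticated) requireAuthenticated = true
    }
}

// Outer builder: x509() and authorizeExchange() are higher-order functions that take
// a lambda with receiver, which is what lets the nested blocks resolve members implicitly.
class SecurityDsl {
    private val x509Dsl = X509Dsl()
    private val authorizeDsl = AuthorizeDsl()
    fun x509(configure: X509Dsl.() -> Unit) = x509Dsl.configure()
    fun authorizeExchange(configure: AuthorizeDsl.() -> Unit) = authorizeDsl.configure()
    fun build() = SecurityChain(
        x509Dsl.principalExtractor,
        x509Dsl.authenticationManager,
        authorizeDsl.requireAuthenticated,
    )
}

// The http { } entry point: run the lambda with a fresh SecurityDsl as its receiver, then build.
fun http(configure: SecurityDsl.() -> Unit): SecurityChain = SecurityDsl().apply(configure).build()

// Minimal stand-in for a subject-DN regex extractor: group 1 of the pattern is the principal.
// (Hypothetical helper; not Spring's SubjectDnX509PrincipalExtractor.)
fun subjectDnExtractor(regex: String): PrincipalExtractor {
    val pattern = Regex(regex, RegexOption.IGNORE_CASE)
    return { dn -> pattern.find(dn)?.groupValues?.get(1) }
}

fun main() {
    // Same structure as the block in the question, but built against the toy DSL above.
    val chain = http {
        x509 {
            principalExtractor = subjectDnExtractor("OU=(.*?)(?:,|\$)")
            authenticationManager = { principal -> principal == "Trusted Org Unit" }
        }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
    // Constructed sample subject DNs, not taken from any real certificate.
    println(chain.evaluate("CN=alice,OU=Trusted Org Unit,O=Example"))
    println(chain.evaluate("CN=mallory,OU=Contractors,O=Example"))
    println(chain.evaluate("CN=nobody,O=Example"))
}
```

Reading main() against the question's snippet: http { } runs its lambda with a SecurityDsl as `this`, so x509 { } and authorizeExchange { } resolve to that builder's methods; each of those runs its own lambda with X509Dsl or AuthorizeDsl as `this`, which is why principalExtractor, authenticationManager, anyExchange and authenticated can be used bare. The three sample DNs exercise the three outcomes a reviewer of such a configuration cares about: the first OU matches the trusted value and is permitted, a different OU yields a principal that the manager refuses to mark authenticated and is therefore rejected by the "any exchange must be authenticated" rule, and a DN with no OU yields no principal at all. One caveat worth keeping in mind with this regex style: it operates on the string form of the DN, so it picks the first OU attribute and stops at the first comma, which means attribute ordering and escaped commas in the DN affect what gets extracted.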