ReactiveSecurityContextHolder does not return Authenticated

我正在尝试在响应式Spring Boot应用程序中配置Spring Security，并包括依赖于新的Spring Security版本5.0.0的父项目。RC1:

<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.0.0.M6</version>
</parent>

我将我的SpringWebSecurity配置为使用自定义AuthenticationFilter来检索我的身份验证信息，以及使用我自己的Providers的自定义AuthenticationManager。

配置：

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class WebSecurityConfig {
private ServerAuthenticationEntryPoint entryPoint = new CustomServerAuthenticationEntryPoint();
@Bean
SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
return http
// we rely on method security
.authorizeExchange()
.anyExchange().permitAll()
.and()
.logout().disable()
.authenticationManager(authenticationManager())
//Override BasicAuthenticationEntryPoint
.exceptionHandling().serverAuthenticationEntryPoint(this.entryPoint)
.and()
.addFilterAt(upmAuthenticationWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
.build();
}

private ReactiveAuthenticationManager authenticationManager() {
return new CustomReactiveAuthenticationManager()
.authenticationProvider(new CustomAuthenticationProvider());
}
private AuthenticationWebFilter upmAuthenticationWebFilter() {
try {
AuthenticationWebFilter authenticationFilter = new AuthenticationWebFilter(authenticationManager());
authenticationFilter.setServerAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(this.entryPoint));
authenticationFilter.setAuthenticationConverter(new CustomAuthenticationConverter(););
return authenticationFilter;
} catch (Exception e) {
throw new BeanInitializationException("Could not initialize AuthenticationWebFilter.", e);
}
}
}

ReactiveAuthenticationManager:

public class CustomReactiveAuthenticationManager implements ReactiveAuthenticationManager {
private List<AuthenticationProvider> authenticationProvider = new ArrayList<>();
public CustomReactiveAuthenticationManager customAuthenticationProvider(
final AuthenticationProvider customAuthenticationProvider) {
this.authenticationProvider.add(customAuthenticationProvider);
return this;
}
@Override
public Mono<Authentication> authenticate(final Authentication authentication) {
Class<? extends Authentication> toTest = authentication.getClass();
for(AuthenticationProvider provider: authenticationProvider) {
if (provider.supports(toTest)) {
try {
//The provider returns a full authenticated Authentication object.
//With authentication.setAuthenticated(true);
return Mono.just(provider.authenticate(authentication));
} catch (Exception e) {
return Mono.error(new BadCredentialsException("Invalid Credentials"));
}
}
}
return Mono.error(new ProviderNotFoundException("Unsupported Credentials"));
}
}

当我现在对需要经过身份验证的用户的端点执行调用时。As：

public interface HelloService {
/**
* This method returns just 'Hello, world!'.
*
* @return Return 'Hello, world!'.
*/
@PreAuthorize("isAuthenticated()")
Mono<String> getHelloWorld();
}

我总是收到401访问拒绝异常。

在PrePostAdviceReactiveMethodInterceptor线路75 上调试后

auth -> this.preInvocationAdvice.before(auth, invocation, preAttr)

我看到传递的Authentication对象是一个匿名用户。

现在我的问题是：我是否忘记为使用ReactiveSecurityContext配置一些内容？

上周，我仍然使用了以前的MilestoneRelease M5，其中的reactive Spring Security包仍然位于Spring Security reactive下的额外位置。在这种情况下，检索到了身份验证对象，我的请求就可以完成了。