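/**
 * Builds the reactive security filter chain for this service.
 *
 * Access rules, in the order they are evaluated: the health and info actuator endpoints are
 * open to everyone, every other actuator endpoint requires the "admin" scope (enforced by
 * [HasScope]), and any remaining exchange only needs an authenticated caller. Bearer tokens are
 * validated as JWTs against a remote JWK set, fetched through a [WebClient] whose Netty client
 * carries a bounded connect timeout and the key/trust store material held by this class, so the
 * client can present a certificate if the JWKS endpoint requires mTLS.
 *
 * The return type is non-null on purpose: [ServerHttpSecurity.build] never yields `null`, and a
 * nullable bean type only pushes needless `?.` onto callers.
 *
 * @param http the [ServerHttpSecurity] builder supplied by Spring Security
 * @return the configured [SecurityWebFilterChain]
 */
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    // keyStoreContent / keyStorePassword / trustStoreContent / trustStorePassword are
    // presumably injected properties of the enclosing configuration class — confirm at the call site.
    val jwkSetClient = HttpClient.create()
        // 10 s connect timeout so a hanging JWKS host cannot stall token validation indefinitely
        .tcpConfiguration { client -> client.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, 10_000) }
        .secure { sslContextSpec: SslProvider.SslContextSpec ->
            sslContextSpec.sslContext(
                sslContextBuilder(keyStoreContent, keyStorePassword, trustStoreContent, trustStorePassword)
            )
        }
    val jwkSetConnector: ClientHttpConnector = ReactorClientHttpConnector(jwkSetClient)

    // NOTE(review): the JWK set URI is a placeholder and should be externalised to configuration
    // rather than hard-coded; the decoder is built once here instead of inline in the DSL chain.
    val jwtDecoder = NimbusReactiveJwtDecoder
        .withJwkSetUri("https://<host>/.well-known/jwks.json")
        .webClient(WebClient.builder().clientConnector(jwkSetConnector).build())
        .build()

    http
        .authorizeExchange()
        // health and info endpoints are open (permitted to all); everything else is checked for authorization
        .matchers(EndpointRequest.to(HealthEndpoint::class.java, InfoEndpoint::class.java)).permitAll()
        // all other actuator endpoints require the "admin" scope
        .matchers(EndpointRequest.toAnyEndpoint()).access(HasScope("admin"))
        // anything outside the actuator only needs an authenticated principal
        .anyExchange().authenticated()
        .and()
        .oauth2ResourceServer()
        .authenticationEntryPoint(authenticationEntryPoint())
        .accessDeniedHandler(accessDeniedHandler())
        .jwt()
        .jwtDecoder(jwtDecoder)
    return http.build()
}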
/**
 * Assembles the client-side Netty [SslContext] used by the outbound JWK-set client.
 *
 * Both stores arrive as base64 text of a JKS file (see the companion util at
 * https://gist.github.com/krnbr/5c9aecd9e1b3a2f949da17dc646978c8) and are decoded by
 * [getKeyStore] and [getTrustStore].
 *
 * @param keyStoreContent base64-encoded JKS holding the client certificate and private key
 * @param keyStorePassword password protecting that key store
 * @param trustStoreContent base64-encoded JKS holding the CA certificates to trust
 * @param trustStorePassword password protecting the trust store
 * @return an [SslContext] that presents the key store's identity and validates peers against the trust store
 */
private fun sslContextBuilder(keyStoreContent: String, keyStorePassword: String, trustStoreContent: String, trustStorePassword: String): SslContext {
    val clientIdentity = getKeyStore(keyStoreContent, keyStorePassword)
    val trustedRoots = getTrustStore(trustStoreContent, trustStorePassword)
    val builder = SslContextBuilder.forClient().apply {
        // NOTE(review): clientAuth is a server-side setting and is most likely ignored on a
        // forClient() builder; kept as in the original. The client certificate itself is
        // supplied through keyManager below.
        clientAuth(ClientAuth.REQUIRE)
        keyManager(clientIdentity)
        trustManager(trustedRoots)
    }
    return builder.build()
}
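/**
 * Decodes a base64 JKS key store and wraps it in an initialised [KeyManagerFactory].
 *
 * The same password is used both to open the store and to unlock the private keys in it, so
 * the JKS must have been created with one shared password. The redundant `?.` on the non-null
 * password parameter is dropped, and the decoded stream is closed via `use`.
 *
 * @param keystoreContent base64 text of the JKS file; MIME-style line breaks are tolerated
 * @param keyStorePassword password for the store and its key entries
 * @return a "SunX509" [KeyManagerFactory] initialised with the decoded store
 * @throws java.io.IOException if the store cannot be read or the password is wrong
 * @throws java.security.GeneralSecurityException if the factory cannot be initialised
 * @throws IllegalArgumentException if [keystoreContent] is not valid base64
 */
private fun getKeyStore(keystoreContent: String, keyStorePassword: String): KeyManagerFactory {
    val password = keyStorePassword.toCharArray()
    val keyStore = KeyStore.getInstance("JKS")
    // MIME decoder so wrapped/line-broken base64 (as many export tools emit) still decodes.
    ByteArrayInputStream(Base64.getMimeDecoder().decode(keystoreContent)).use { input ->
        keyStore.load(input, password)
    }
    // "SunX509" kept as in the original; KeyManagerFactory.getDefaultAlgorithm() would be the
    // provider-neutral choice if this ever runs on a non-Sun/OpenJDK security provider.
    return KeyManagerFactory.getInstance("SunX509").apply { init(keyStore, password) }
}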
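/**
 * Decodes a base64 JKS trust store and wraps it in an initialised [TrustManagerFactory].
 *
 * The original spelled this as `FingerprintTrustManagerFactory.getInstance(...)`. That call
 * resolves, through Java static inheritance, to the JDK's `TrustManagerFactory.getInstance`,
 * so it yields the default (PKIX) factory rather than a fingerprint-pinning one — which is also
 * the only way the supplied trust store could have been honoured. The call is written out
 * directly here so the behaviour reads as what it is: peer certificates are validated against
 * the CAs in [truststoreContent], nothing is pinned. The redundant `?.` on the non-null password
 * is dropped and the decoded stream is closed via `use`.
 *
 * @param truststoreContent base64 text of the JKS file; MIME-style line breaks are tolerated
 * @param trustStorePassword password protecting the trust store
 * @return a default-algorithm [TrustManagerFactory] initialised with the decoded store
 * @throws java.io.IOException if the store cannot be read or the password is wrong
 * @throws java.security.GeneralSecurityException if the factory cannot be initialised
 * @throws IllegalArgumentException if [truststoreContent] is not valid base64
 */
private fun getTrustStore(truststoreContent: String, trustStorePassword: String): TrustManagerFactory {
    val trustStore = KeyStore.getInstance("JKS")
    ByteArrayInputStream(Base64.getMimeDecoder().decode(truststoreContent)).use { input ->
        trustStore.load(input, trustStorePassword.toCharArray())
    }
    return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply { init(trustStore) }
}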