/**
 * Security filter chain for the actuator surface, run as an OAuth2 resource server.
 *
 * Token signatures are verified against a remote JWK set; the [WebClient] that fetches it
 * talks mutual TLS using an [SslContext] built from the class-level key/trust store material
 * (see [sslContextBuilder]).
 *
 * Access rules, first match wins: health and info endpoints are open to everyone, every other
 * actuator endpoint needs the `admin` scope, anything else just needs an authenticated caller.
 *
 * @param http the [ServerHttpSecurity] supplied by Spring Security
 * @return the configured [SecurityWebFilterChain]
 */
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
    val connectTimeoutMillis = 10000
    val nettyClient = HttpClient.create()
        .tcpConfiguration { tcp -> tcp.option(ChannelOption.CONNECT_TIMEOUT_MILLIS, connectTimeoutMillis) }
        // SSL context is built lazily, when the client configures its connections
        .secure { spec: SslProvider.SslContextSpec ->
            spec.sslContext(sslContextBuilder(keyStoreContent, keyStorePassword, trustStoreContent, trustStorePassword))
        }
    val jwkWebClient = WebClient.builder()
        .clientConnector(ReactorClientHttpConnector(nettyClient))
        .build()
    // NOTE(review): no issuer/audience validator is configured on the decoder, so only the default
    // (timestamp) validation applies — confirm that is intended for this deployment.
    val jwtDecoder = NimbusReactiveJwtDecoder
        .withJwkSetUri("https://<host>/.well-known/jwks.json")
        .webClient(jwkWebClient)
        .build()

    http.authorizeExchange()
        // health and info are open to all; everything else goes through authorization
        .matchers(EndpointRequest.to(HealthEndpoint::class.java, InfoEndpoint::class.java)).permitAll()
        // remaining actuator endpoints require the "admin" scope
        .matchers(EndpointRequest.toAnyEndpoint()).access(HasScope("admin"))
        .anyExchange().authenticated()

    http.oauth2ResourceServer()
        .authenticationEntryPoint(authenticationEntryPoint())
        .accessDeniedHandler(accessDeniedHandler())
        .jwt()
        .jwtDecoder(jwtDecoder)

    return http.build()
}
/**
 * Builds the client-side [SslContext] used for mutual TLS towards the JWK set endpoint.
 *
 * Both stores are base64-encoded JKS files; a helper that produces them lives at
 * https://gist.github.com/krnbr/5c9aecd9e1b3a2f949da17dc646978c8
 *
 * @param keyStoreContent base64 JKS holding the client certificate and private key
 * @param keyStorePassword password for [keyStoreContent]
 * @param trustStoreContent base64 JKS holding the CA certificates the server is checked against
 * @param trustStorePassword password for [trustStoreContent]
 * @return an [SslContext] presenting the client identity and trusting only the given CAs
 */
private fun sslContextBuilder(keyStoreContent: String, keyStorePassword: String, trustStoreContent: String, trustStorePassword: String): SslContext =
    SslContextBuilder.forClient()
        // NOTE(review): clientAuth() sets the server-side client-authentication mode; on a
        // forClient() builder it is presumably ignored — confirm, or drop the call.
        .clientAuth(ClientAuth.REQUIRE)
        .keyManager(getKeyStore(keyStoreContent, keyStorePassword))
        .trustManager(getTrustStore(trustStoreContent, trustStorePassword))
        .build()
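/**
 * Builds a [KeyManagerFactory] (the client identity for mutual TLS) from a base64-encoded JKS key store.
 *
 * @param keystoreContent base64 (MIME) encoded bytes of the JKS key store
 * @param keyStorePassword password used both to load the store and to recover its private keys
 * @return an initialised SunX509 [KeyManagerFactory]
 * @throws java.io.IOException if the store cannot be read or the password is wrong
 * @throws IllegalArgumentException if [keystoreContent] is not valid base64
 */
private fun getKeyStore(keystoreContent: String, keyStorePassword: String): KeyManagerFactory {
    // parameter is non-null, so no safe call is needed on it
    val password = keyStorePassword.toCharArray()
    val keyStore = KeyStore.getInstance("JKS")
    ByteArrayInputStream(Base64.getMimeDecoder().decode(keystoreContent)).use { stream ->
        keyStore.load(stream, password)
    }
    // same password for store and keys: JKS stores written by keytool default to that
    return KeyManagerFactory.getInstance("SunX509").apply { init(keyStore, password) }
}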
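/**
 * Builds a [TrustManagerFactory] from a base64-encoded JKS trust store.
 *
 * Uses the JDK default algorithm (normally PKIX). The previous spelling,
 * `FingerprintTrustManagerFactory.getInstance(...)`, resolved to the inherited static
 * `TrustManagerFactory.getInstance` and produced this same default factory — no certificate
 * fingerprint pinning takes place; trust is decided by the CA certificates in the store.
 *
 * @param truststoreContent base64 (MIME) encoded bytes of the JKS trust store
 * @param trustStorePassword password used to load (integrity-check) the store
 * @return an initialised [TrustManagerFactory]
 * @throws java.io.IOException if the store cannot be read or the password is wrong
 * @throws IllegalArgumentException if [truststoreContent] is not valid base64
 */
private fun getTrustStore(truststoreContent: String, trustStorePassword: String): TrustManagerFactory {
    val trustStore = KeyStore.getInstance("JKS")
    ByteArrayInputStream(Base64.getMimeDecoder().decode(truststoreContent)).use { stream ->
        // parameter is non-null, so no safe call is needed on it
        trustStore.load(stream, trustStorePassword.toCharArray())
    }
    return TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply { init(trustStore) }
}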