reactive-security-auth

Spring 5 Reactive Security Authentication and Authorization

authentication

bash gradlew reactive-backend:bootRun

http :8001/first                    # HTTP/1.1 401 Unauthorized
http --auth wrong:wrong :8001/first # HTTP/1.1 401 Unauthorized
http --auth user:user :8001/first   # HTTP/1.1 200 OK

authorization

http --auth user:user :8001/         # HTTP/1.1 403 Forbidden
http --auth user:user :8001/all      # HTTP/1.1 403 Forbidden
http --auth user:user :8001/all/user # HTTP/1.1 200 OK

http --auth admin:admin :8001/       # HTTP/1.1 200 OK

client

bash gradlew -Dspring.profiles.active=unauth reactive-client:bootRun
http :8002/stream --stream # HTTP/1.1 500 Internal Server Error
bash gradlew --stop

bash gradlew -Dspring.profiles.active=default reactive-client:bootRun
http :8002/stream --stream # HTTP/1.1 200 OK
Content-Type: text/event-stream
transfer-encoding: chunked

data:{"movie":{"id":"59b3478b6f7a24cbcac96dd8","title":"trololo"},"updatedAt":[2017,9,9,4,50,39,777000000]}

data:{"movie":{"id":"59b3478b6f7a24cbcac96dd7","title":"ololo"},"updatedAt":[2017,9,9,4,50,39,777000000]}
# ...

REST API (GET)

failed flow

1. :client examine (unauthorized) GET request to the :8002 (http :8002) ->
2.   :8002 response back 401 error to the :client

success flow

1. :client examine (unauthorized) GET request to the :8001 (http :8001) ->
2.   :8001 doing authorization on it's side (http --auth user:user ...) ->
3.     :8001 examine (authorized) GET request to the :8002 (http :8002) ->
4.       :8002 response back to :8001 ->
5.         :8001 respond back to :client

1.1. build run and test

$ bash gradlew bootRun

1.2. unauthorizated request

$ http :8001
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
Pragma: no-cache
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1 ; mode=block
content-length: 0

1.3. authorizated request

$ http :8002
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
transfer-encoding: chunked

[
    {
        "id": "59abc107f6abd51a25d45fa2",
        "title": "ololo"
    },
    {
        "id": "59abc107f6abd51a25d45fa3",
        "title": "trololo"
    }
]

streaming API

success flow

1. :client examine (unauthorized) GET request to the :8001 (http :8001/stream) ->
2.   :8001 doing authorization on it's side (http --auth user:user ...) ->
3.     :8001 examine (authorized) GET request to the :8002 (http :8002) ->
4.       :8002 response back flux of movies to :8001 ->
5.         :8001 examine (authorized) GET request to the :8002 (http :8002/events/$id) for each reseived response id ->
6.           :8002 response back infinity stream of movie events to the :8001 ->
7.             :8001 respond back to :client all reseiving stream of fluxes (amount depends on first response)

authorizated request

$ http --stream :8002/stream
HTTP/1.1 200 OK
Content-Type: text/event-stream
transfer-encoding: chunked

data:{"movie":{"id":"59abd152f6abd52719aa2dd2","title":"ololo"},"updatedAt":[2017,9,3,13,10,13,16000000]}

data:{"movie":{"id":"59abd152f6abd52719aa2dd3","title":"trololo"},"updatedAt":[2017,9,3,13,10,13,16000000]}

data:{"movie":{"id":"59abd152f6abd52719aa2dd3","title":"trololo"},"updatedAt":[2017,9,3,13,10,14,23000000]}

data:{"movie":{"id":"59abd152f6abd52719aa2dd2","title":"ololo"},"updatedAt":[2017,9,3,13,10,14,22000000]}

data:{"movie":{"id":"59abd152f6abd52719aa2dd3","title":"trololo"},"updatedAt":[2017,9,3,13,10,15,17000000]}

data:{"movie":{"id":"59abd152f6abd52719aa2dd2","title":"ololo"},"updatedAt":[2017,9,3,13,10,15,16000000]}