Open pluttrell opened 5 years ago
What would be the best way to detect that reactive spring security is enabled? Is it possible that both the normal and reactive spring security are used in the same application?
I'm not sure what the best way to detect it would be. Spring's starter might provide some clues. Perhaps the presence of an org.springframework.security.authentication.ReactiveAuthenticationManager
?
Regarding having both, I believe that would be considered an error. Reactive apps need to be entirely non-blocking because if some blocking code gets executed it'll block the cores from doing other work and likely drastically impact performance. So if an app is Reactive, it must be entirely Reactive.
Any luck with this yet?
Bump
Can someone create a sample project that uses reactive grpc and already uses reactive-web-security (e.g. fixed basic auth credentials)? Then I will use it to create the reactive grpc-security part.
@pluttrell @ST-DDT
Hi, are there any updates on this topic? I'm interested as well.
The AuthenticatingServerInterceptor uses the
SecurityContextHolder.getContext().setAuthentication(authentication)
which won't work for Reactive Spring Security. We believe thatReactiveSecurityContextHolder
should be used instead as shown in this example.Perhaps one option might be to place the
Authentication
instance in the gRPC Context only and then when needed in the Reactive context, extract it and place it in the Reactive SubscriberContext.It'd also be great to have an example of how to set this up.