I have config class for RSocketSecurity Something like that
@Configuration
@EnableRSocketSecurity
@EnableReactiveMethodSecurity
class RSocketAuthConfiguration {
and authorization for it (allows only authenticated users to subscribe )
security.addPayloadInterceptor(interceptor).authorizePayload {
it.setup().authenticated().anyRequest().permitAll()
}
I want to set some routes with public access, but most of them should be with authorization. What is the best way to achieve that?
CodePudding user response:
Something along the following lines should work:
@Configuration
@EnableRSocketSecurity
@EnableReactiveMethodSecurity
class RSocketSecurityConfiguration(val authenticationService: AuthenticationService) {
@Bean
fun authorization(security: RSocketSecurity): PayloadSocketAcceptorInterceptor {
return security
.authorizePayload {
it.route("route-A").hasRole("role-A")
.route("route-B").permitAll()
}
.simpleAuthentication(Customizer.withDefaults())
.authenticationManager(authenticationService)
.build()
}
}
route-A is authenticated and requires role-A while route-B is publicly available.
CodePudding user response:
Spring Security Rsocket configures the setup and route respectively.
The following is an example of the configuration part.
@Bean
public PayloadSocketAcceptorInterceptor rsocketInterceptor(RSocketSecurity rsocket) {
return rsocket
.authorizePayload(
authorize -> {
authorize
// must have ROLE_SETUP to make connection
.setup().hasRole("SETUP")
// must have ROLE_ADMIN for routes starting with "greet."
.route("greet*").hasRole("ADMIN")
// any other request must be authenticated for
.anyRequest().authenticated();
}
)
.basicAuthentication(Customizer.withDefaults())
.build();
}
Get the complete example from my Github.