Add RSocket Authentication Extension Support

Fixes gh-7935

Author: rwinch

config/src/main/java/org/springframework/security/config/annotation/rsocket/RSocketSecurity.java

@@ -30,6 +30,7 @@
 import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
 import org.springframework.security.oauth2.server.resource.authentication.JwtReactiveAuthenticationManager;
 import org.springframework.security.rsocket.api.PayloadInterceptor;
+import org.springframework.security.rsocket.authentication.AuthenticationPayloadExchangeConverter;
 import org.springframework.security.rsocket.core.PayloadSocketAcceptorInterceptor;
 import org.springframework.security.rsocket.authentication.AnonymousPayloadInterceptor;
 import org.springframework.security.rsocket.authentication.AuthenticationPayloadInterceptor;
@@ -44,6 +45,7 @@
 import reactor.core.publisher.Mono;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 
 /**
@@ -116,6 +118,8 @@ public class RSocketSecurity {
 
 	private BasicAuthenticationSpec basicAuthSpec;
 
+	private SimpleAuthenticationSpec simpleAuthSpec;
+
 	private JwtSpec jwtSpec;
 
 	private AuthorizePayloadsSpec authorizePayload;
@@ -145,6 +149,58 @@ public RSocketSecurity authenticationManager(ReactiveAuthenticationManager authe
 		return this;
 	}
 
+	/**
+	 * Adds support for validating a username and password using
+	 * <a href="https://github.com/rsocket/rsocket/blob/5920ed374d008abb712cb1fd7c9d91778b2f4a68/Extensions/Security/Simple.md">Simple Authentication</a>
+	 * @param simple a customizer
+	 * @return RSocketSecurity for additional configuration
+	 * @since 5.3
+	 */
+	public RSocketSecurity simpleAuthentication(Customizer<SimpleAuthenticationSpec> simple) {
+		if (this.simpleAuthSpec == null) {
+			this.simpleAuthSpec = new SimpleAuthenticationSpec();
+		}
+		simple.customize(this.simpleAuthSpec);
+		return this;
+	}
+
+	/**
+	 * @since 5.3
+	 */
+	public class SimpleAuthenticationSpec {
+		private ReactiveAuthenticationManager authenticationManager;
+
+		public SimpleAuthenticationSpec authenticationManager(ReactiveAuthenticationManager authenticationManager) {
+			this.authenticationManager = authenticationManager;
+			return this;
+		}
+
+		private ReactiveAuthenticationManager getAuthenticationManager() {
+			if (this.authenticationManager == null) {
+				return RSocketSecurity.this.authenticationManager;
+			}
+			return this.authenticationManager;
+		}
+
+		protected AuthenticationPayloadInterceptor build() {
+			ReactiveAuthenticationManager manager = getAuthenticationManager();
+			AuthenticationPayloadInterceptor result = new AuthenticationPayloadInterceptor(manager);
+			result.setAuthenticationConverter(new AuthenticationPayloadExchangeConverter());
+			result.setOrder(PayloadInterceptorOrder.AUTHENTICATION.getOrder());
+			return result;
+		}
+
+		private SimpleAuthenticationSpec() {}
+	}
+
+	/**
+	 * Adds authentication with BasicAuthenticationPayloadExchangeConverter.
+	 *
+	 * @param basic
+	 * @return
+	 * @deprecated Use {@link #simpleAuthentication(Customizer)}
+	 */
+	@Deprecated
 	public RSocketSecurity basicAuthentication(Customizer<BasicAuthenticationSpec> basic) {
 		if (this.basicAuthSpec == null) {
 			this.basicAuthSpec = new BasicAuthenticationSpec();
@@ -206,12 +262,17 @@ private ReactiveAuthenticationManager getAuthenticationManager() {
 			return RSocketSecurity.this.authenticationManager;
 		}
 
-		protected AuthenticationPayloadInterceptor build() {
+		protected List<AuthenticationPayloadInterceptor> build() {
 			ReactiveAuthenticationManager manager = getAuthenticationManager();
-			AuthenticationPayloadInterceptor result = new AuthenticationPayloadInterceptor(manager);
-			result.setAuthenticationConverter(new BearerPayloadExchangeConverter());
-			result.setOrder(PayloadInterceptorOrder.AUTHENTICATION.getOrder());
-			return result;
+			AuthenticationPayloadInterceptor legacy = new AuthenticationPayloadInterceptor(manager);
+			legacy.setAuthenticationConverter(new BearerPayloadExchangeConverter());
+			legacy.setOrder(PayloadInterceptorOrder.AUTHENTICATION.getOrder());
+
+			AuthenticationPayloadInterceptor standard = new AuthenticationPayloadInterceptor(manager);
+			standard.setAuthenticationConverter(new AuthenticationPayloadExchangeConverter());
+			standard.setOrder(PayloadInterceptorOrder.AUTHENTICATION.getOrder());
+
+			return Arrays.asList(standard, legacy);
 		}
 
 		private JwtSpec() {}
@@ -240,8 +301,11 @@ private List<PayloadInterceptor> payloadInterceptors() {
 		if (this.basicAuthSpec != null) {
 			result.add(this.basicAuthSpec.build());
 		}
+		if (this.simpleAuthSpec != null) {
+			result.add(this.simpleAuthSpec.build());
+		}
 		if (this.jwtSpec != null) {
-			result.add(this.jwtSpec.build());
+			result.addAll(this.jwtSpec.build());
 		}
 		result.add(anonymous());
 

config/src/main/java/org/springframework/security/config/annotation/rsocket/SecuritySocketAcceptorInterceptorConfiguration.java

@@ -47,6 +47,7 @@ private PayloadSocketAcceptorInterceptor defaultInterceptor(
 		}
 		rsocket
 			.basicAuthentication(Customizer.withDefaults())
+			.simpleAuthentication(Customizer.withDefaults())
 			.authorizePayload(authz ->
 				authz
 					.setup().authenticated()

config/src/test/java/org/springframework/security/config/annotation/rsocket/JwtITests.java

@@ -15,10 +15,6 @@
  */
 package org.springframework.security.config.annotation.rsocket;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
 import io.rsocket.RSocketFactory;
 import io.rsocket.frame.decoder.PayloadDecoder;
 import io.rsocket.transport.netty.server.CloseableChannel;
@@ -27,8 +23,6 @@
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
-import reactor.core.publisher.Mono;
-
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -43,12 +37,20 @@
 import org.springframework.security.oauth2.jwt.TestJwts;
 import org.springframework.security.rsocket.core.PayloadSocketAcceptorInterceptor;
 import org.springframework.security.rsocket.core.SecuritySocketAcceptorInterceptor;
-import org.springframework.security.rsocket.metadata.BasicAuthenticationEncoder;
+import org.springframework.security.rsocket.metadata.BearerTokenAuthenticationEncoder;
 import org.springframework.security.rsocket.metadata.BearerTokenMetadata;
 import org.springframework.stereotype.Controller;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.util.MimeType;
+import org.springframework.util.MimeTypeUtils;
+import reactor.core.publisher.Mono;
 
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import static io.rsocket.metadata.WellKnownMimeType.MESSAGE_RSOCKET_AUTHENTICATION;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.mock;
@@ -95,7 +97,7 @@ public void dispose() {
 	}
 
 	@Test
-	public void routeWhenAuthorized() {
+	public void routeWhenBearerThenAuthorized() {
 		BearerTokenMetadata credentials =
 				new BearerTokenMetadata("token");
 		when(this.decoder.decode(any())).thenReturn(Mono.just(jwt()));
@@ -112,6 +114,26 @@ public void routeWhenAuthorized() {
 		assertThat(hiRob).isEqualTo("Hi rob");
 	}
 
+	@Test
+	public void routeWhenAuthenticationBearerThenAuthorized() {
+		MimeType authenticationMimeType = MimeTypeUtils.parseMimeType(MESSAGE_RSOCKET_AUTHENTICATION.getString());
+
+		BearerTokenMetadata credentials =
+				new BearerTokenMetadata("token");
+		when(this.decoder.decode(any())).thenReturn(Mono.just(jwt()));
+		this.requester = requester()
+				.setupMetadata(credentials, authenticationMimeType)
+				.connectTcp(this.server.address().getHostName(), this.server.address().getPort())
+				.block();
+
+		String hiRob = this.requester.route("secure.retrieve-mono")
+				.data("rob")
+				.retrieveMono(String.class)
+				.block();
+
+		assertThat(hiRob).isEqualTo("Hi rob");
+	}
+
 	private Jwt jwt() {
 		return TestJwts.jwt()
 				.claim(IdTokenClaimNames.ISS, "https://issuer.example.com")
@@ -145,7 +167,7 @@ public RSocketMessageHandler messageHandler() {
 		@Bean
 		public RSocketStrategies rsocketStrategies() {
 			return RSocketStrategies.builder()
-					.encoder(new BasicAuthenticationEncoder())
+					.encoder(new BearerTokenAuthenticationEncoder())
 					.build();
 		}
 
@@ -154,7 +176,7 @@ PayloadSocketAcceptorInterceptor rsocketInterceptor(RSocketSecurity rsocket) {
 			rsocket
 				.authorizePayload(authorize ->
 					authorize
-						.route("secure.admin.*").authenticated()
+						.anyRequest().authenticated()
 						.anyExchange().permitAll()
 				)
 				.jwt(Customizer.withDefaults());