Welcome to Vigges Developer Community - Open, Learning, Share
Welcome To Ask or Share your Answers For Others


0 votes
1.6k views
in Technique[技术] by (71.8m points)

spring security - How @PreAuthorize is working in a Reactive Application or how to live without ThreadLocal?

Can you explain where the advice handling @PreAuthorize("hasRole('ADMIN')") retrieves the SecurityContext in a Reactive application?

The following Spring Security example is a good illustration of this kind of usage: https://github.com/spring-projects/spring-security/tree/5.0.0.M4/samples/javaconfig/hellowebflux-method

After checking the Spring Security Webflux source code, I've found some implementations of SecurityContextRepository but the load method needs the ServerWebExchange as a parameter.

I'm trying to understand how to replace the SecurityContextHolder.getContext().getAuthentication() call in a standard service (because ThreadLocal is no longer an option in a Reactive Application), but I don't understand how to replace this with a call to a SecurityContextRepository without a reference to the ServerWebExchange.


1 Answer

0 votes
by (71.8m points)

The ReactiveSecurityContextHolder provides the authentication in a reactive way, and is analogous to SecurityContextHolder.

Its getContext() method provides a Mono<SecurityContext>, just like SecurityContextHolder.getContext() provides a SecurityContext.

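    // Reactive counterpart of SecurityContextHolder.getContext().getAuthentication()
    Mono<Authentication> authentication = ReactiveSecurityContextHolder
            .getContext()
            .map(context -> context.getAuthentication());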
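
How this lookup behaves in a service that has neither a ThreadLocal nor a ServerWebExchange, as an added example that is not part of the original answer. The class `ReactiveContextDemo` and the method `currentAdminName` are hypothetical, the identities are constructed, and `contextWrite` assumes Reactor 3.4 or later (older versions use `subscriberContext`).

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import reactor.core.publisher.Mono;

public class ReactiveContextDemo {

    // Hypothetical service method: no ServerWebExchange parameter, no ThreadLocal.
    // The SecurityContext is read from the Reactor Context of the subscriber.
    static Mono<String> currentAdminName() {
        return ReactiveSecurityContextHolder.getContext()
                // justOrEmpty: a context without an Authentication becomes empty
                .flatMap(ctx -> Mono.justOrEmpty(ctx.getAuthentication()))
                .filter(Authentication::isAuthenticated)
                .filter(auth -> auth.getAuthorities().stream()
                        .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority())))
                .map(Authentication::getName)
                // getContext() completes empty when no SecurityContext was written,
                // and the filters above also yield empty: fail closed in both cases.
                .switchIfEmpty(Mono.defer(() ->
                        Mono.error(new AccessDeniedException("Denied"))));
    }

    // Turns the denial into a printable value so main() can show all three cases.
    static String describe(Mono<String> result) {
        return result
                .onErrorResume(AccessDeniedException.class, e -> Mono.just("denied"))
                .block();
    }

    public static void main(String[] args) {
        // Constructed sample identities; in a WebFlux application a WebFilter in
        // the security chain writes the context for each request instead.
        Authentication admin = new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN");
        Authentication user = new TestingAuthenticationToken("bob", "n/a", "ROLE_USER");

        // contextWrite must sit downstream of the code that reads the context:
        // the Reactor Context travels from the subscriber up the chain.
        System.out.println(describe(currentAdminName()
                .contextWrite(ReactiveSecurityContextHolder.withAuthentication(admin))));
        System.out.println(describe(currentAdminName()
                .contextWrite(ReactiveSecurityContextHolder.withAuthentication(user))));
        // No context written at all: the lookup is empty and the call is denied.
        System.out.println(describe(currentAdminName()));
    }
}
```

The empty case is the one to watch: a chain that only maps over `getContext()` completes without emitting anything when no context is present, so an authorization check built on it has to turn empty into an explicit denial.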
