Provide a ReactiveSecurityEvaluationContextExtension via spring-security-data

[christophstrobl]

Expected Behavior

Add a ReactiveSecurityEvaluationContextExtension (similar to the existing SecurityEvaluationContextExtension) that provides access to the Authentication object obtained from a Reactor Context, so that it can be used within SpEL expressions of annotated Spring Data queries.

@Query("select m from Message m where m.to.id = ?#{ principal?.id }")
Flux<Message> findInbox();

Context

Spring Data Commons 2.4.0.M2 now contains the required SPI (ReactiveEvaluationContextExtension) to implement reactive SpEL evaluation extensions. (see: DATACMNS-1108)

[ThomasVitale]

@jzheaux can I help with this task?

[jzheaux]

Sure, @ThomasVitale, thanks for the offer!

Since ReactiveEvaluationContextExtension returns a Mono<? extends EvaluationContextExtension>, let's try and reuse SecurityEvaluationContextExtension. I'm thinking something like:

ReactiveSecurityContextHolder.getContext()
    .map(SecurityContext::getAuthentication)
    .map(SecurityEvaluationContextExtension::new)

would work nicely.

@christophstrobl, does getExtensionId need to return something different from SecurityEvaluationContextExtension ("security"), and if so, is there a naming convention that's being followed?

[antoinechamot]

It doesn't work I have "Authentication object cannot be null" with

 @Bean
    ReactiveEvaluationContextExtension securityExtension(){

        return new ReactiveEvaluationContextExtension() {

            @Override
            public String getExtensionId() {
                return "security";
            }

            @Override
            public Mono<? extends EvaluationContextExtension> getExtension() {
                return ReactiveSecurityContextHolder.getContext()
                        .map(SecurityContext::getAuthentication)
                        .map(SecurityEvaluationContextExtension::new);
            }
        };
    }

And
@Query("{ $or :[ {'authorId': ?#{principal?.subject}}, {'assigneeId': ?#{principal?.subject}} ] }")

[jzheaux]

@ThomasVitale is this something you are able to add?

Thanks for trying this out @antoinechamot. I can confirm that it works when I modify the MongoDB Spring Data example to include Spring Security and the code you posted. I wonder if your application is using reactive repositories and if the user is authenticated.