How to get current authenticated user in Spring WebFlux

Question

I'm trying to retrieve authentication object, which creates user name and permissions. I know that in WebFlux I cannot use SecurityContextHolder.getContext(), but rather must use ReactiveSecurityContextHolder.getContext()

But in both cases, result is null.

        val autx = ReactiveSecurityContextHolder.getContext()
            .map(SecurityContext::getAuthentication) // always null

or

        val auth = ReactiveSecurityContextHolder.getContext().filter { it.authentication != null }
            .map { it.authentication.principal }.block() // always null

I understand, that before retrieve auth object from ReactiveSecurityContextHolder, someone must put it into there. Cannot find any example how to do that, and where in the code it should be populated. Ideally, I think it should be in the ReactiveAuthenticationManager implementation in the authenticate method.
I added this into authenticate method:

                ReactiveSecurityContextHolder.getContext()
                    .map { context: SecurityContext ->
                        context.authentication.principal
                    }
                    .cast(UserData::class.java)
                    .contextWrite(ReactiveSecurityContextHolder.withAuthentication(authentication))
                    .subscribe()

but it doesnt change anything

working examples on Java or Kotlin are appreciated

configuration:

@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http.authorizeExchange()
        .pathMatchers("**/health").permitAll()
        .pathMatchers("/**").authenticated()
        .anyExchange().authenticated()
        .and()
        .authenticationManager(authenticationManager) // ReactiveAuthenticationManager impl
        .securityContextRepository(securityContextRepository)
        .csrf().disable()
        .cors().configurationSource(corsConfig())
        .and()
        .build()
}

context repository:

@Component
class SecurityContextRepository(
    val authenticationManager: ReactiveAuthenticationManager
) : ServerSecurityContextRepository {

    override fun save(swe: ServerWebExchange, sc: SecurityContext): Mono<Void> {
        throw UnsupportedOperationException("SecurityContext save not supported")
        // if i want to save, what should be there? 
    }

    override fun load(serverExchange: ServerWebExchange): Mono<SecurityContext> {
        val authHeader = serverExchange.request.headers.getFirst(HttpHeaders.AUTHORIZATION)
        val preAuthentication = PreAuthenticatedAuthenticationToken(null, authHeader)
        return this.authenticationManager.authenticate(preAuthentication)
            .map { authentication -> SecurityContextImpl(authentication) }
    }
}

Answer 1

You need to define WebFlux Security configuration using SecurityWebFilterChain bean. Here is an example for OAuth 2.0 Resource Server:

@Bean
public SecurityWebFilterChain apiSecurity(ServerHttpSecurity http) {
    http.authorizeExchange()
            .pathMatchers("/api/**").hasAuthority("SCOPE_api")
            .anyExchange().authenticated()
            .and()
            .oauth2ResourceServer()
            .jwt();
    return http.build();
}

You can find more details here WebFlux Security