Summary
From #5328: in ServerHttpSecurity, ServerFormLoginAuthenticationConverter and ServerHttpBasicAuthenticationConverter are set as defaults but can't be changed through the Java fluent API config.
Expected Behavior
I hope it can be set like:

    http.formLogin().authenticationConverter(customConverter);
Comment From: rwinch
@zjengjie Thank you for the report. Can you explain why this should be configurable? formLogin() means that you will obtain the parameters from a form. If you want to do another kind of authentication, it probably makes sense to inject a custom instance of AuthenticationWebFilter.
Comment From: zjengjie
Oh, I just want to put some request details (IP, headers, cookies, etc.) into the Authentication's details; with that we can do something like IP filtering. I don't know whether there is some other way we can do this. I used RequestContextHolder to get the request before.
I do the check in a custom ReactiveAuthenticationManager, and I can't obtain a ServerExchange in it.
Or maybe adding a custom AuthenticationDetailsSource to AuthenticationConverter would also be fine?
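The approach discussed above (a custom AuthenticationWebFilter whose converter carries request details to the manager for an IP filter), as an added example that is not part of the thread or of Spring Security's own code. It assumes Spring Security 5.1+ (`ServerAuthenticationConverter`, `setServerAuthenticationConverter`); `RequestDetailsSupport` and its method names are hypothetical.

```java
import java.net.InetSocketAddress;
import java.util.Set;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerFormLoginAuthenticationConverter;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import reactor.core.publisher.Mono;

// Hypothetical helper class (not a Spring Security type).
final class RequestDetailsSupport {

    // Wraps any converter and stores the socket peer's IP as the Authentication details.
    static ServerAuthenticationConverter withRemoteAddress(ServerAuthenticationConverter delegate) {
        return exchange -> delegate.convert(exchange).map(auth -> {
            // Behind a reverse proxy this is the proxy's address. X-Forwarded-For is
            // client-controlled unless a trusted proxy overwrites it, so it is not used here.
            InetSocketAddress peer = exchange.getRequest().getRemoteAddress();
            if (auth instanceof AbstractAuthenticationToken && peer != null && peer.getAddress() != null) {
                ((AbstractAuthenticationToken) auth).setDetails(peer.getAddress().getHostAddress());
            }
            return auth;
        });
    }

    // Fails closed: missing or unlisted details are rejected before credentials are checked.
    static ReactiveAuthenticationManager ipFiltered(ReactiveAuthenticationManager delegate, Set<String> allowedIps) {
        return auth -> auth.getDetails() instanceof String && allowedIps.contains(auth.getDetails())
                ? delegate.authenticate(auth)
                : Mono.error(new BadCredentialsException("Login not permitted from this address"));
    }

    // Form-login filter built by hand, since formLogin() does not expose the converter.
    static AuthenticationWebFilter loginFilter(ReactiveAuthenticationManager manager, Set<String> allowedIps) {
        AuthenticationWebFilter filter = new AuthenticationWebFilter(ipFiltered(manager, allowedIps));
        filter.setServerAuthenticationConverter(withRemoteAddress(new ServerFormLoginAuthenticationConverter()));
        filter.setRequiresAuthenticationMatcher(ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/login"));
        return filter;
    }
}
```

Register the filter with `http.addFilterAt(RequestDetailsSupport.loginFilter(manager, allowedIps), SecurityWebFiltersOrder.FORM_LOGIN)` in place of `formLogin()`.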
Comment From: adarakhovich
Security configuration without configurable AuthenticationConverter:

    @Bean
    SecurityWebFilterChain springWebFilterChain(
            ServerHttpSecurity http,
            CustomAuthErrorHandler errorHandler,
            JwtPayloadAuthenticationConverter converter) throws Exception {
        http = http
                .authenticationManager(jwtPayloadReactiveAuthenticationManager())
                .exceptionHandling()
                .accessDeniedHandler(errorHandler)
                .authenticationEntryPoint(errorHandler)
                .and()
                .csrf().disable();
        AuthenticationWebFilter filter = createJwtPayloadAuthenticationFilter(errorHandler, converter);
        http.addFilterAt(filter, SecurityWebFiltersOrder.AUTHENTICATION);
        return http.build();
    }

    private AuthenticationWebFilter createJwtPayloadAuthenticationFilter(
            CustomAuthErrorHandler errorHandler, JwtPayloadAuthenticationConverter converter) {
        AuthenticationWebFilter authenticationFilter =
                new AuthenticationWebFilter(jwtPayloadReactiveAuthenticationManager());
        authenticationFilter.setAuthenticationFailureHandler(
                new ServerAuthenticationEntryPointFailureHandler(errorHandler)
        );
        authenticationFilter.setAuthenticationConverter(converter);
        return authenticationFilter;
    }

    @Bean
    CustomAuthErrorHandler errorHandler(RestExceptionHandlerHelper exceptionHandlerHelper) {
        return new CustomAuthErrorHandler(exceptionHandlerHelper);
    }

    @Bean
    JwtPayloadAuthenticationConverter converter(ObjectMapper objectMapper) {
        return new JwtPayloadAuthenticationConverter(objectMapper);
    }

    @Bean
    ReactiveAuthenticationManager jwtPayloadReactiveAuthenticationManager() {
        return authentication -> {
            authentication.setAuthenticated(true);
            return Mono.just(authentication);
        };
    }

If there were an opportunity to set a custom AuthenticationConverter, then my configuration would be the following:

    @Bean
    SecurityWebFilterChain springWebFilterChain(
            ServerHttpSecurity http,
            CustomAuthErrorHandler errorHandler,
            JwtPayloadAuthenticationConverter converter) throws Exception {
        return http
                .authenticationManager(jwtPayloadReactiveAuthenticationManager())
                .authenticationConverter(converter)
                .exceptionHandling()
                .accessDeniedHandler(errorHandler)
                .authenticationEntryPoint(errorHandler)
                .and()
                .csrf().disable()
                .build();
    }

    @Bean
    CustomAuthErrorHandler errorHandler(RestExceptionHandlerHelper exceptionHandlerHelper) {
        return new CustomAuthErrorHandler(exceptionHandlerHelper);
    }

    @Bean
    JwtPayloadAuthenticationConverter converter(ObjectMapper objectMapper) {
        return new JwtPayloadAuthenticationConverter(objectMapper);
    }

    @Bean
    ReactiveAuthenticationManager jwtPayloadReactiveAuthenticationManager() {
        return authentication -> {
            authentication.setAuthenticated(true);
            return Mono.just(authentication);
        };
    }

Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: JohnNiang
IMO, we could customize username and password parameters if we made the AuthenticationConverter configurable. Please see the setters below:
https://github.com/spring-projects/spring-security/blob/3b447b938cfcb82e31e1bb744ff59ce52427749b/web/src/main/java/org/springframework/security/web/server/ServerFormLoginAuthenticationConverter.java#L62
https://github.com/spring-projects/spring-security/blob/3b447b938cfcb82e31e1bb744ff59ce52427749b/web/src/main/java/org/springframework/security/web/server/ServerFormLoginAuthenticationConverter.java#L71