Recently I ran into some trouble. This problem has bothered me for a month; I don't know how to solve it, and I can't find any relevant information online. I'm going crazy. I didn't set the HTTP header; maybe the Spring Security default filter makes the settings?

org.springframework.web.reactive.function.server.DefaultServerResponseBuilder.AbstractServerResponse#writeTo
org.springframework.web.reactive.function.server.DefaultServerResponseBuilder.AbstractServerResponse#writeStatusAndHeaders
org.springframework.web.reactive.function.server.DefaultServerResponseBuilder.AbstractServerResponse#copy

Here is my code sample.

java.lang.UnsupportedOperationException: null at org.springframework.http.ReadOnlyHttpHeaders.putAll(ReadOnlyHttpHeaders.java:138) ~[spring-web-6.0.11.jar:6.0.11] Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: ...

// Fragment 1: a WebFilter that stores the current request in the Reactor context
@Override
public Mono<Void> filter(@NonNull ServerWebExchange exchange, WebFilterChain chain) {
    return chain.filter(exchange)
        .contextWrite(context -> context.put(ServerHttpRequest.class, exchange.getRequest()));
}

// Fragment 2: the security configuration (all default mechanisms disabled, stateless, JWT filter first)
@Bean
public SecurityWebFilterChain serverHttpSecurity(ServerHttpSecurity security,
                                                 ReactiveAuthenticationManager authenticationManager,
                                                 JwtConfigProperties jwtConfigProperties) {
    return security
        .headers(ServerHttpSecurity.HeaderSpec::disable)
        .csrf(ServerHttpSecurity.CsrfSpec::disable)
        .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
        .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
        .logout(ServerHttpSecurity.LogoutSpec::disable)
        .authenticationManager(authenticationManager)
        .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
        .addFilterAt(new JwtAuthenticationFilter(jwtConfigProperties), SecurityWebFiltersOrder.FIRST)
        .authorizeExchange(authorize -> authorize
            .anyExchange().permitAll())
        .build();
}

// Fragment 3: JwtAuthenticationFilter, reads the Bearer token, verifies it and sets the Authentication
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
    return Mono.fromCallable(exchange::getRequest)
        .mapNotNull(sink -> sink.getHeaders().getFirst(HttpHeaders.AUTHORIZATION))
        .filter(sink -> sink.startsWith("Bearer "))
        .map(sink -> sink.substring("Bearer ".length()))
        .filter(StringUtils::hasText)
        .filter(sink -> JWTUtil.verify(sink, jwtConfigProperties.getSecret().getBytes()))
        .map(JWT::of)
        .map(sink -> {
            var username = sink.getPayload(RegisteredPayload.SUBJECT).toString();
            var principal = User.withUsername(username)
                .password("rob")
                .build();
            return new UsernamePasswordAuthenticationToken(principal, sink);
        })
        .flatMap(sink -> chain.filter(exchange)
            .contextWrite(ReactiveSecurityContextHolder.withAuthentication(sink)))
        .switchIfEmpty(chain.filter(exchange));
}

// Fragment 4: the secured handler that is requested with curl
@PreAuthorize("isFullyAuthenticated()")
public Mono<String> test2() {
    return Mono.just("test2");
}
I hope you are aware that using JWTs as a session holder like you are doing here is discouraged. OAuth2 has deprecated what is called the implicit flow, and JWTs were never designed to be used as sessions. They were designed to be used between microservices and not between browser and APIs. That's why there is no implementation for it in Spring Security.
– Toerktumlare
Sep 19, 2023 at 19:15

Also, adding this line .subscribeOn(Schedulers.boundedElastic()) sort of removes everything reactive from your code, and your entire code will fall back to a standard web server and not a reactive web server.
– Toerktumlare
Sep 19, 2023 at 19:17

Thank you, maybe you are right. This is just a code example. Assuming JWT is used between browser and API, I don't know which step of the Spring Security default filter has a problem. Perhaps it is Spring WebFlux's putAll in ReadOnlyHttpHeaders. I have never set an HTTP header. Now I can think of the idea of using reflection to modify the writable state of ReadOnlyHttpHeaders. I don't know if there are any other better solutions; this problem has troubled me for more than a month, and I am going crazy now :)
– Muscidae
Sep 20, 2023 at 2:16

UnsupportedOperationException happens when curl Http:// 127.0.0.1:8080/test/test2 is executed against the sample code. The reason may be that the Spring Security default filter adds an HTTP header, causing an exception in ReadOnlyHttpHeaders#putAll, or it may be DefaultServerResponseBuilder.AbstractServerResponse#writeTo; I don't know where the problem is at present. Perhaps it is possible to modify the response HttpHeaders permissions by reflection to be writable? I would like to know if there are any other solutions; perhaps I am using the Spring Security filter in the wrong order :(
– Muscidae
Sep 20, 2023 at 4:26
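An added example, not code from the question or from Spring, that reproduces the mechanism consistent with the trace above using reactor-core alone: a Mono<Void> completes without emitting a value, so .switchIfEmpty(chain.filter(exchange)) always subscribes after the first chain run has already committed the response, and the second write attempt hits read-only headers. FakeChain is a constructed stand-in for WebFilterChain plus the response write at its end; the fixed variant decides authenticated-or-anonymous before invoking the chain so it runs exactly once.

```java
import java.util.Optional;
import java.util.concurrent.atomic.AtomicInteger;
import reactor.core.publisher.Mono;
public class SwitchIfEmptyPitfall {
    // Constructed stand-in for WebFilterChain + the response write at the end of it.
    static final class FakeChain {
        final AtomicInteger invocations = new AtomicInteger();
        boolean committed = false;
        Mono<Void> filter() {
            return Mono.fromRunnable(() -> {
                invocations.incrementAndGet();
                // After commit the response hands out read-only headers; a second write fails.
                if (committed) {
                    throw new UnsupportedOperationException("headers are read-only after commit");
                }
                committed = true;
            });
        }
    }
    // Same shape as the JwtAuthenticationFilter in the question.
    static Mono<Void> brokenFilter(Mono<String> token, FakeChain chain) {
        return token
            .map(t -> "auth:" + t)
            .flatMap(auth -> chain.filter().contextWrite(ctx -> ctx.put("auth", auth)))
            .switchIfEmpty(chain.filter()); // Mono<Void> is always empty: chain runs again
    }
    // Fix: resolve "authenticated or anonymous" first, then invoke the chain exactly once.
    static Mono<Void> fixedFilter(Mono<String> token, FakeChain chain) {
        return token
            .map(t -> Optional.of("auth:" + t))
            .defaultIfEmpty(Optional.empty())
            .flatMap(auth -> auth
                .map(a -> chain.filter().contextWrite(ctx -> ctx.put("auth", a)))
                .orElseGet(chain::filter));
    }
    public static void main(String[] args) {
        FakeChain c1 = new FakeChain();
        try {
            brokenFilter(Mono.just("jwt"), c1).block();
        } catch (UnsupportedOperationException e) {
            System.out.println("broken: chain ran " + c1.invocations + " times -> " + e.getMessage());
        }
        FakeChain c2 = new FakeChain();
        fixedFilter(Mono.just("jwt"), c2).block();
        System.out.println("fixed: chain ran " + c2.invocations + " time(s)");
    }
}
```

With an empty token Mono the fixed variant still calls the chain once, unauthenticated, which is the behaviour the original switchIfEmpty branch was meant to provide.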