Add support for Reactive Spring Security

[pluttrell]

The AuthenticatingServerInterceptor uses the SecurityContextHolder.getContext().setAuthentication(authentication) which won't work for Reactive Spring Security. We believe that ReactiveSecurityContextHolder should be used instead as shown in this example.

Perhaps one option might be to place the Authentication instance in the gRPC Context only and then when needed in the Reactive context, extract it and place it in the Reactive SubscriberContext.

It'd also be great to have an example of how to set this up.

[ST-DDT]

What would be the best way to detect that reactive spring security is enabled?
Is it possible that both the normal and reactive spring security are used in the same application?

[pluttrell]

I'm not sure what the best way to detect it would be. Spring's starter might provide some clues. Perhaps the presence of an org.springframework.security.authentication.ReactiveAuthenticationManager?

Regarding having both, I believe that would be considered an error. Reactive apps need to be entirely non-blocking because if some blocking code gets executed it'll block the cores from doing other work and likely drastically impact performance. So if an app is Reactive, it must be entirely Reactive.

[ST-DDT]

Any luck with this yet?

[nickjn92]

Bump

[ST-DDT]

Can someone create a sample project that uses reactive grpc and already uses reactive-web-security (e.g. fixed basic auth credentials)?
Then I will use it to create the reactive grpc-security part.

[iosif-bancioiu]

@pluttrell @ST-DDT

Hi, are there any updates on this topic? I'm interested as well.