Ask questionsAdd Auto-configuration for RSocket Security

Spring Boot should autoconfigure RSocket Security

  • It should automatically apply @EnableRSocketSecurity
  • Conditionally create a MapReactiveUserDetailsService with secure random password as it does for WebFlux
  • It should automatically apply Spring Security to ServerRSocketFactory
ServerRSocketFactoryCustomizer springSecurityRSocketSecurity(SecuritySocketAcceptorInterceptor interceptor) {
	return builder -> builder.addSocketAcceptorPlugin(interceptor);

Answer questions joshlong


Having resolvers would be a very nice addition in Spring Framework. But I only want to use @AuthenticatedPrincipal to inject the currently authenticated principal into my @MessageMapping-annotated handlers. It's what I would expect when using Spring MVC or WebFlux. This just works in those frameworks.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

public class DemoApplication {

	static class HelloController {

		String hello(@AuthenticationPrincipal UserDetails userDetails) {
			return "hello, " + userDetails.getUsername() + "!";

	MapReactiveUserDetailsService authentication() {
		var jlong = User.withDefaultPasswordEncoder().username("jlong").password("pw").roles("USER").build();
		return new MapReactiveUserDetailsService(jlong);

	public static void main(String[] args) {, args);


It's also preferable to using ReactiveSecurityContextHolder.getContext().map(auth -> ...).

So, until the more elegant custom resolvers and @EnableRSocket machinery lands in Spring Framework, could we please add a bean to the Spring Boot autoconfiguration, like the following:

RSocketMessageHandler messageHandler(RSocketStrategies strategies) {
 var rmh = new RSocketMessageHandler();
 rmh.getArgumentResolverConfigurer().addCustomResolver(new AuthenticationPrincipalArgumentResolver());
 return rmh;

As far as I understand it, nothing would break for the user, and - in addition, this would allow Spring Security to work better? And, if we're worried, I guess users could opt-out (but I would argue it should be enabled by default) with some sort of configuration property?


Related questions

Dependency resolution fails with Gradle 5.3.x to 5.6.x hot 4
Controller annotated with @Timed and active TimedAspect clashes with WebMvcMetricsFilter hot 2
Actuator: NPE in LongTaskTimingHandlerInterceptor hot 2
ConfigurationProperties with constructor binding cannot be mocked hot 2
NoClassDefFoundError: net/bytebuddy/NamingStrategy$SuffixingRandom$BaseNameResolver hot 2
Deadlock between BackgroundPreinitializer and main thread in Spring Cloud Config Server hot 2
spring boot Servlet.service() for servlet [dispatcherServlet] in context with path threw exception hot 2
Migrating OAuth2 from Spring Boot 1.5 to 2.0 Broken hot 2
Replace deprecated MediaType.APPLICATION_JSON_UTF8 usage hot 2
Classloading problems with Spring Boot, JDK11 and Security Manager hot 1
java.lang.NullPointerException: null occurs in HttpExchangeTracer hot 1
Multiple data source projects cannot be started hot 1
get error messag Could not fetch the SequenceInformation from the database, hibernate_sequence doesn't exist hot 1
HttpTraceFilter bean missing hot 1
A java.lang.NoClassDefFoundError: ch/qos/logback/classic/spi/ThrowableProxy was thrown when killing my app hot 1
Github User Rank List