Subscription Authentication

[erdunning]

Is there a way to intercept the connection params when a web socket connection is established? We are trying to figure out a way to pass our auth token from our client to secure our /subscriptions end point but I don't see a way to read the connection params from anywhere. Thanks!

[IdealOutage]

For anyone else with this issue, we tackled it using the Bearer Token as a URL parameter and a Filter, as mentioned here: #450 (comment)

In particular, in our SecurityFilterChain we add the following filter:

http.addFilterBefore(subscriptionURLParameterTokenFilter(), BearerTokenAuthenticationFilter.class)
       ...

Our subscriptionURLParameterTokenFilter is

private static Filter subscriptionURLParameterTokenFilter() {
    return (servletRequest, servletResponse, filterChain) -> {
        // if we have a HttpServletRequest to our /subscription endpoint
        if (servletRequest instanceof HttpServletRequest httpRequest
                && httpRequest.getRequestURL().toString().endsWith("/subscriptions")) {

            // create a mutable server request to which we can add the header
            MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(httpRequest);

            // get token parameter from url
            String[] tokens = httpRequest.getParameterMap().get("token");
            // if we have a token, add it as an Authorization header
            if (Objects.nonNull(tokens) && tokens.length > 0) {
                mutableRequest.putHeader("Authorization", String.format("Bearer %s", tokens[0]));
            }

            filterChain.doFilter(mutableRequest, servletResponse);
            return;
        }

        filterChain.doFilter(servletRequest, servletResponse);
    };
}

Finally, to be able to add custom headers we need a MutableHttpServletRequest which looks as follows:

class MutableHttpServletRequest extends HttpServletRequestWrapper {
    private final Map<String, String> headers;

    public MutableHttpServletRequest(HttpServletRequest request) {
        super(request);
        this.headers = new HashMap<>();
    }

    public void putHeader(String name, String value) {
        this.headers.put(name, value);
    }

    @Override
    public String getHeader(String name) {
        return headers.getOrDefault(name, ((HttpServletRequest) getRequest()).getHeader(name));
    }

    @Override
    public Enumeration<String> getHeaderNames() {
        Set<String> set = new HashSet<>(this.headers.keySet());
        set.addAll(Collections.list(((HttpServletRequest) getRequest()).getHeaderNames()));
        return Collections.enumeration(set);
    }
}