Play Java: WebSocket action methods not included in action composition #11921

Closed
mkurz opened this issue Aug 18, 2023 · 0 comments · Fixed by #11933

mkurz commented Aug 18, 2023

Example controller:

```java
import java.util.concurrent.CompletableFuture;

import akka.stream.javadsl.Flow;
import play.libs.F;
import play.mvc.Controller;
import play.mvc.Result;
import play.mvc.Security;
import play.mvc.WebSocket;

@Security.Authenticated
public class HomeController extends Controller {

    // For this action, which returns a Result, the request goes through the @Security.Authenticated action first,
    // so only if authentication is successful is this index even called.
    public Result index() {
        return ok("hello world");
    }

    // This action, which returns a WebSocket, is called directly
    // without the request going through the @Security.Authenticated action
    public WebSocket socket() {
        // The original lambda body was elided ("/* ... */"); a plain echo flow stands in
        // here only so that the class compiles. It accepts every connection unconditionally.
        return WebSocket.Text.acceptOrResult(request ->
                CompletableFuture.completedFuture(F.Either.Right(Flow.create())));
    }
}
```

So I was a bit wondering if this might be a problem in regards to security. I mean one could expect that also websocket actions should be checked by the annotation... To be fair the Java WebSocket docs explicitly mention authentication:

Sometimes you may wish to reject a WebSocket request, for example, if the user must be authenticated to connect to the WebSocket, or if the WebSocket is associated with some resource whose id is passed in the path, but no resource with that id exists. Play provides an acceptOrResult WebSocket builder for this purpose

IMHO it would be much nicer to not be forced to implement authentication in the acceptOrResult method again if people set up annotations already. Also, e.g. when using libs like deadbolt, people can use more granular annotations for permission checks (e.g. an annotation on the WebSocket action to allow access only if the user has permission xyz).

So I suggest, to make things easier for developers, introducing a new config, something like play.http.actionComposition.includeJavaWebSocketActions, to allow an opt-in so that action annotations also run for WebSocket actions. We do have some related configs already:

```hocon
# Action composition configuration
actionComposition = {
  # If annotations put directly on Controller classes should be executed before the ones put on action methods
  controllerAnnotationsFirst = false
  # If the action returned by the action creator should be executed before the action composition ones
  executeActionCreatorActionFirst = false
}
```

Implementing this shouldn't be too hard, the place to start is between these two lines.

We should also explicitly mention in Java action composition docs that (now and, later with a fix to this issue, by default) WebSocket actions are not included in action composition (I think people might expect that).
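Until WebSocket methods take part in action composition, the documented way to close this gap is to repeat the check inside acceptOrResult. The controller below is an added example, not code from the issue or from Play itself; it assumes Play 2.8/2.9 with Akka streams and the default Security.Authenticator convention of a "username" session key (the echo flow and the ChatController name are placeholders).

```java
import java.util.Optional;
import java.util.concurrent.CompletableFuture;

import akka.stream.javadsl.Flow;
import play.libs.F;
import play.mvc.Controller;
import play.mvc.Result;
import play.mvc.Security;
import play.mvc.WebSocket;

// The class-level annotation protects index(), but NOT socket(): WebSocket methods
// are invoked directly and never pass through the composed @Security.Authenticated action.
@Security.Authenticated
public class ChatController extends Controller {

    // Session key the default Security.Authenticator reads (assumption: default authenticator in use).
    private static final String USERNAME_KEY = "username";

    public Result index() {
        return ok("hello world");
    }

    public WebSocket socket() {
        return WebSocket.Text.acceptOrResult(request -> {
            // Re-do the authentication check the annotation would have done for a Result action.
            Optional<String> user = request.session().get(USERNAME_KEY);
            if (user.isEmpty()) {
                // Reject the handshake with an HTTP result; no WebSocket is opened.
                Result denied = unauthorized("Login required");
                return CompletableFuture.completedFuture(F.Either.Left(denied));
            }
            // Authenticated: accept the upgrade. Flow.create() is a placeholder echo flow
            // standing in for real application logic.
            return CompletableFuture.completedFuture(F.Either.Right(Flow.create()));
        });
    }
}
```

An unauthenticated client receives a 401 to the upgrade request rather than a silently accepted socket, which is the behaviour the annotation already gives the Result-returning action.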
