Example controller:

```java
@Security.Authenticated
public class HomeController extends Controller {

    // For this action, which returns a Result, the request goes through the @Security.Authenticated action first,
    // so only if authentication is successful is this index even called.
    public Result index() {
        return ok("hello world");
    }

    // This action, which returns a WebSocket, is called directly
    // without the request going through the @Security.Authenticated action
    public WebSocket socket() {
        return WebSocket.Text.acceptOrResult(request -> /* ... */);
    }
}
```
So I was a bit wondering if this might be a problem with regard to security. I mean, one could expect that WebSocket actions should also be checked by the annotation... To be fair, the Java WebSocket docs explicitly mention authentication:

> Sometimes you may wish to reject a WebSocket request, for example, if the user must be authenticated to connect to the WebSocket, or if the WebSocket is associated with some resource, whose id is passed in the path, but no resource with that id exists. Play provides an acceptOrResult WebSocket builder for this purpose.

IMHO it would be much nicer to not be forced to implement authentication in the `acceptOrResult` method again if people have set up annotations already. Also, e.g. when using libs like Deadbolt, people can use more granular annotations for permission checks (e.g. an annotation on the WebSocket action to allow access only if the user has permission xyz).

So I suggest, to make things easier for developers, introducing a new config, something like `play.http.actionComposition.includeJavaWebSocketActions`, to allow an opt-in so that action annotations also run for WebSocket actions. We do have some related configs already: playframework/core/play/src/main/resources/reference.conf, lines 113 to 121 in a3bdfd3.

Implementing this shouldn't be too hard, the place to start is between these two lines.

We should also explicitly mention in the Java action composition docs that (now and, later with a fix to this issue, by default) WebSocket actions are not included in action composition (I think people might expect that).
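Until WebSocket actions take part in action composition, the only place the authentication check can run for a WebSocket endpoint is inside `acceptOrResult`. The following controller is an added example, not code from this issue or from the Play project: it keeps the class-level `@Security.Authenticated` for the HTTP action and, for the WebSocket action, rejects the upgrade with an HTTP result unless the signed session carries a user. It assumes the Play 2.7 Java API (`Http.RequestHeader.session().getOptional`, `F.Either`, Akka Streams `Flow`), and the `"username"` session key is the one Play's default `Security.Authenticator` reads, so the WebSocket policy stays aligned with the HTTP policy; the `authenticatedUser` helper is hypothetical.

```java
package controllers;

import akka.stream.javadsl.Flow;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import play.libs.F;
import play.mvc.Controller;
import play.mvc.Http;
import play.mvc.Result;
import play.mvc.Results;
import play.mvc.Security;
import play.mvc.WebSocket;

// Added example (Play 2.7 Java API assumed); not the issue's or the project's own code.
@Security.Authenticated
public class HomeController extends Controller {

    // HTTP action: the @Security.Authenticated wrapper runs before this body,
    // so an unauthenticated request never reaches it.
    public Result index() {
        return ok("hello world");
    }

    // WebSocket action: action composition is skipped, so the class-level
    // annotation gives no protection here. The check must live in acceptOrResult,
    // and the default is to deny: an upgrade is only accepted once a user is known.
    public WebSocket socket() {
        return WebSocket.Text.acceptOrResult(request -> {
            Optional<String> user = authenticatedUser(request);
            if (!user.isPresent()) {
                // Reject the handshake with a plain HTTP result; no Flow is ever built.
                return CompletableFuture.completedFuture(
                        F.Either.Left(Results.unauthorized("login required")));
            }
            // Only an authenticated client gets a message flow (here a tagged echo).
            Flow<String, String, ?> echo =
                    Flow.<String>create().map(msg -> user.get() + ": " + msg);
            return CompletableFuture.completedFuture(F.Either.Right(echo));
        });
    }

    // Hypothetical helper: reads the same session key ("username") that Play's
    // default Security.Authenticator uses, so both entry points share one policy.
    // The session cookie is signed by Play, so the client cannot forge this value.
    static Optional<String> authenticatedUser(Http.RequestHeader request) {
        return request.session().getOptional("username");
    }
}
```

The point of routing both checks through the same session key is that a later change to how users are identified (for example a custom `Security.Authenticator`) is made in one place; if the two paths drift apart, the WebSocket endpoint becomes the weaker one without anything in the controller signalling it, which is exactly the gap the proposed `play.http.actionComposition.includeJavaWebSocketActions` opt-in would close.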