Minor refactoring in STOMP documentation
Closes gh-27906
rstoyanchev committed Jan 12, 2022
1 parent 7665424 commit 01231fe
Showing 1 changed file with 17 additions and 13 deletions.
30 changes: 17 additions & 13 deletions src/docs/asciidoc/web/websocket.adoc
@@ -1724,19 +1724,11 @@ HTTP session (which is then associated with WebSocket or SockJS sessions created
for that user) and results in a user header being stamped on every `Message` flowing
through the application.

Note that the STOMP protocol does have `login` and `passcode` headers
on the `CONNECT` frame. Those were originally designed for and are still needed,
for example, for STOMP over TCP. However, for STOMP over WebSocket, by default,
Spring ignores authorization headers at the STOMP protocol level, assumes that
the user is already authenticated at the HTTP transport level, and expects that
the WebSocket or SockJS session contain the authenticated user.

NOTE: Spring Security provides
https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
Also, Spring Session provides
https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
that ensures the user's HTTP session does not expire while the WebSocket session is still active.
The STOMP protocol does have `login` and `passcode` headers on the `CONNECT` frame.
Those were originally designed for and are needed for STOMP over TCP. However, for STOMP
over WebSocket, by default, Spring ignores authentication headers at the STOMP protocol
level, and assumes that the user is already authenticated at the HTTP transport level.
The expectation is that the WebSocket or SockJS session contain the authenticated user.



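Review bot: In the added paragraph, "The expectation is that the WebSocket or SockJS session contain the authenticated user" needs a singular verb ("contains"); the agreement error was carried over from the removed sentence. The change from "authorization headers" to "authentication headers" is the right correction, since `login` and `passcode` are credentials rather than permissions. Since the paragraph states that Spring ignores these headers by default, consider adding one sentence saying that an application which wants to honour `login` and `passcode` must handle them itself, so readers do not assume the values are validated.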
@@ -1814,6 +1806,18 @@ its own implementation of `WebSocketMessageBrokerConfigurer` that is marked with



[[websocket-stomp-authorization]]
=== Authorization

Spring Security provides
https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
Also, Spring Session provides
https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
that ensures the user's HTTP session does not expire while the WebSocket session is still active.



[[websocket-stomp-user-destination]]
=== User Destinations

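Review bot: The new `=== Authorization` section mixes two topics: the Spring Security sentence is about authorizing messages via a `ChannelInterceptor` and the user header, but the Spring Session sentence is about keeping the HTTP session from expiring while the WebSocket session is active, which is session lifetime rather than authorization. Either give the section a heading that covers both, or keep the Spring Session sentence with the authentication text it was moved from. Also check that nothing links to the former location of this text inside the NOTE, since the `[[websocket-stomp-authorization]]` anchor is newly introduced here.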