Spring WebSockets should support token-based authentication [SPR-14690] #19254
There seems to be an inconsistency in the way Spring Messaging WebSocket is implemented and reality, when using token based authentication.
From the discussion on issue #17761 it is clear that Spring expects the authentication to be done during the HTTP message that establishes the web socket. This is fine for cookie-based auth, but when one is using a token, the token cannot be sent to the server in the headers, because SockJS does not support this (because browsers do not support it). See: sockjs/sockjs-client#196.
Now, one has two options: 1) send the token in a query parameter (which has some security issues), or 2) as suggested in #17761, configure a
The first approach, besides having security issues with server-side logging of the token and possible referral leaks, does not seem to work for SockJS fallbacks -- for fallbacks, the
The second approach works well up to a point: Spring Security sees the Principal set here and sets the security context properly (awesome!). However, the Principal is never set in the websocket session, and so it is not possible to send messages to a specific user, because Spring cannot tie the username to a session id.
Karthik Astra commented
In the backend code, I have
but I am not receiving the messageResponseInfo on the client side
Rossen Stoyanchev commented
Raman Gupta, the
```java
StompHeaderAccessor accessor = MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
accessor.setUser(user);
```
The mutability is explained in the MessageHeaderAccessor Javadoc. When a WebSocket message is decoded into a Spring
That said I do intend to experiment with providing a more explicit mechanism for doing this.
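As an added illustration of the approach Rossen describes (this is example code, not part of the issue or of Spring itself): a `ChannelInterceptor` that authenticates the STOMP CONNECT frame from a token carried in a native STOMP header and sets the resulting `Principal` on the mutable accessor. The header name `X-Auth-Token` and the `tokenValidator` function are assumptions; the code assumes Spring Framework 5.1 or later, where `ChannelInterceptor` has default methods.

```java
import java.security.Principal;
import java.util.function.Function;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.MessagingException;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;

/** Authenticates the STOMP CONNECT frame from a token sent in a native STOMP header. */
public class TokenAuthChannelInterceptor implements ChannelInterceptor {

    // Assumed header name; the client puts the token in the CONNECT frame's headers,
    // which keeps it out of the URL (no query-string logging or referrer leaks).
    static final String TOKEN_HEADER = "X-Auth-Token";

    // Hypothetical validator: maps a token to a Principal, or null when the token is invalid.
    private final Function<String, Principal> tokenValidator;

    public TokenAuthChannelInterceptor(Function<String, Principal> tokenValidator) {
        this.tokenValidator = tokenValidator;
    }

    @Override
    public Message<?> preSend(Message<?> message, MessageChannel channel) {
        StompHeaderAccessor accessor =
                MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
        // Only the CONNECT frame carries the token; later frames inherit the session's user.
        if (accessor == null || !StompCommand.CONNECT.equals(accessor.getCommand())) {
            return message;
        }
        String token = accessor.getFirstNativeHeader(TOKEN_HEADER);
        Principal user = (token == null) ? null : tokenValidator.apply(token);
        if (user == null) {
            // Throwing rejects the CONNECT and the client receives a STOMP ERROR frame;
            // returning null would drop the frame silently instead.
            throw new MessagingException("CONNECT rejected: missing or invalid token");
        }
        // The accessor decoded from a WebSocket frame is left mutable (see the
        // MessageHeaderAccessor Javadoc), so the user is set on the existing message
        // without rebuilding it.
        accessor.setUser(user);
        return message;
    }
}
```

Register it in `WebSocketMessageBrokerConfigurer#configureClientInboundChannel` with `registration.interceptors(new TokenAuthChannelInterceptor(validator))`, so the user is set before Spring Security and the broker see the CONNECT.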