spring-projects-issues commented Aug 14, 2017
Steve Roy opened SPR-15863 and commented
The Spring documentation to register a custom websocket authentication interceptor has an inaccuracy. For custom OAuth authentication (or any custom authentication), the sample code indicates a security Principal should be set on the StompHeaderAccessor. However, the downstream Spring Security code expects the object set on the StompHeaderAccessor to be of type Authentication rather than Principal. (Note, Authentication is a sub-interface of Principal.)
Documentation:
26.4.11 Token-based Authentication
http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html
Code example from documentation:
Current Spring Security Code:
SecurityContextChannelInterceptor
https://github.com/spring-projects/spring-security/blob/master/messaging/src/main/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptor.java
See Line 125
When setting an object of type Principal, the check fails and the security context is set to an anonymous user.
Reference URL: http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html
Referenced from: commits 8b64ad3, 181f002
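The interceptor shape the issue is talking about, written so that it sets an Authentication rather than a bare Principal. This is an added example, not code from the Spring reference documentation, from Spring Security, or from the issue reporter. The native header name X-Auth-Token, the in-memory token table, the ROLE_USER authority and the /ws endpoint path are all assumptions made for the example; the token table is constructed sample data standing in for a real token validator.

```java
package example.ws;

import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptorAdapter;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

@Configuration
@EnableWebSocketMessageBroker
public class TokenWebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    // Constructed sample data for this example only: opaque token -> username.
    // A real deployment validates a JWT or consults the token store instead.
    private static final Map<String, String> TOKENS =
            Collections.singletonMap("tok-alice-8f3a", "alice");

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/ws"); // endpoint path is an assumption of the example
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        registration.setInterceptors(new ChannelInterceptorAdapter() {
            @Override
            public Message<?> preSend(Message<?> message, MessageChannel channel) {
                StompHeaderAccessor accessor =
                        MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
                if (accessor != null && StompCommand.CONNECT.equals(accessor.getCommand())) {
                    // The client sends its token as a native STOMP header on CONNECT
                    // (header name assumed for the example).
                    String token = accessor.getFirstNativeHeader("X-Auth-Token");
                    // Declared as Authentication, not Principal: SecurityContextChannelInterceptor
                    // only honours a header value that is an Authentication and otherwise
                    // falls back to the anonymous user.
                    Authentication auth = authenticate(token);
                    accessor.setUser(auth);
                }
                return message;
            }
        });
    }

    /**
     * Exchanges a token for an authenticated Authentication, or rejects the CONNECT.
     * Throwing here makes the STOMP handler answer with an ERROR frame instead of
     * letting the session continue as an anonymous user.
     */
    static Authentication authenticate(String token) {
        String username = (token == null) ? null : TOKENS.get(token);
        if (username == null) {
            throw new BadCredentialsException("Invalid or missing WebSocket token");
        }
        // The three-argument constructor produces a token with isAuthenticated() == true.
        return new UsernamePasswordAuthenticationToken(
                username, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```

The check to keep in mind when adapting this: whatever object goes into setUser must pass an `instanceof Authentication` test and report `isAuthenticated() == true`; a custom class that merely implements java.security.Principal satisfies the compiler but is silently discarded by Spring Security's interceptor, so every message on the session is authorized as anonymous.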