Token-based WebSocket Authentication Documentation Inaccuracy [SPR-15863]

[spring-issuemaster]

Steve Roy opened SPR-15863 and commented

The Spring documentation to register a custom websocket authentication interceptor has an inaccuracy. For custom OAuth authentication ( or any custom authentication ), the sample code indicates a security Principal should be set on the StompHeaderAccessor. However, the downstream Spring Security code expects the object set on the StompHeaderAccessor to be of type Authentication rather than Principal. ( Note, Authentication is a sub-interface of Principal. )

Documentation:
26.4.11 Token-based Authentication
http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html

Code example from documentation:

if (StompCommand.CONNECT.equals(accessor.getCommand())) {
    Principal user = ... ; // access authentication header(s)
    accessor.setUser(user);
}

Current Spring Security Code:
SecurityContextChannelInterceptor
https://github.com/spring-projects/spring-security/blob/master/messaging/src/main/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptor.java

See Line 125

Authentication authentication;
if ((user instanceof Authentication)) {
     authentication = (Authentication) user;
}
else {
     authentication = this.anonymous;
}

When setting an object of type Principal, the check fails and the security context is set to an anonymous user.

---

Reference URL: http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html

Referenced from: commits 8b64ad3, 181f002