javascript, spring-security, stomp, sockjs, spring-websocket

No cookies during /info request using sockjs and stomp


I'm trying to use Spring Security with websockets. As an example I'm using spring-websocket-chat (https://github.com/salmar/spring-websocket-chat), the demo application from the talk "Deep dive into websockets". In that application CookieHttpSessionStrategy is used for storing the session id; the cookie stored during authentication is sent with the /info request. Here is code that demonstrates connecting to the server via sockjs (this request sends cookies): https://github.com/salmar/spring-websocket-chat/blob/master/src/main/webapp/js/services.js. I wrote my own client that uses sockjs and stomp, but no cookies are sent during the /info request. Here is my code:

$connectButton.click(function () {
    var serverHost = $host.val();                 // SockJS endpoint URL taken from the input field
    console.log("sockjs created");
    stomp = Stomp.over(new SockJS(serverHost));   // SockJS issues the GET /info request here
    console.log("stomp over");
    stomp.connect({},
        function () {
            console.log("connected");             // STOMP CONNECTED frame received
        },
        function () {
            console.log("error");                 // transport failure or STOMP ERROR frame
        });
    console.log("pressed");
});

Solution

  • As far as I know you cannot pass cookies to SockJS (especially with the Same-origin policy). However, with the latest SockJS 1.0.3 you can pass query parameters as part of the connection URL. Thus you can send some JWT token to authorize a session.

      // The query string on the SockJS URL is carried on every transport request
      var socket = new SockJS('http://localhost/ws?token=AAA');
      var stompClient = Stomp.over(socket);
      stompClient.connect({}, function(frame) {
        // connected: subscribe to a topic
        stompClient.subscribe('/topic/echo', function(data) {
          // topic handler
        });
      }, function(err) {
        // connection error
      });
    

    Now all the requests related to the websocket will have the parameter "?token=AAA":

    http://localhost/ws/info?token=AAA&t=1446482506843

    http://localhost/ws/515/z45wjz24/websocket?token=AAA

    Then with Spring you can set up some filter which will identify a session using the provided token.

    PS: cookies are picked up automatically when the UI and the server share the same origin.
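The server side of the approach in this answer, as an added example that is not part of the answer or of spring-websocket-chat: a Spring Security filter that authenticates each SockJS HTTP request (the /info request, the /websocket handshake and the XHR fallback transports) from the token query parameter. It assumes a SockJS endpoint registered under /ws, the jjwt library (0.9.x API) for JWT parsing, HS256 tokens signed with a shared secret, and the parameter name token; the class name, path prefix and granted role are illustrative.

```java
// Added example, not code from the question, the answer or spring-websocket-chat.
// Assumptions: jjwt 0.9.x on the classpath, HS256 tokens signed with a shared
// secret, a SockJS endpoint registered under /ws, and a "token" query parameter.
import java.io.IOException;
import java.util.Collections;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Authenticates every HTTP request under /ws (SockJS /info, the /websocket
 * handshake and the XHR fallback transports) from ?token=... . Each SockJS
 * request is authenticated on its own, so no HTTP session or cookie is needed
 * and a client on a different origin works.
 */
public class WebSocketTokenFilter extends OncePerRequestFilter {

    private static final String TOKEN_PARAM = "token"; // assumed parameter name
    private static final String WS_PREFIX = "/ws";     // assumed SockJS endpoint prefix

    private final byte[] hmacSecret;                   // shared secret for HS256 tokens

    public WebSocketTokenFilter(byte[] hmacSecret) {
        this.hmacSecret = hmacSecret;
    }

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        // Only SockJS traffic carries the token; leave other URLs to the normal chain.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return !path.startsWith(WS_PREFIX);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        String token = request.getParameter(TOKEN_PARAM);
        if (token == null || token.isEmpty()) {
            // Fail closed: no token means no handshake reaches the message broker.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing token");
            return;
        }
        try {
            // parseClaimsJws verifies the HS256 signature and the exp claim; a
            // tampered or expired token throws before any claim is trusted.
            Claims claims = Jwts.parser()
                    .setSigningKey(hmacSecret)
                    .parseClaimsJws(token)
                    .getBody();
            // The three-argument constructor marks the token as authenticated.
            UsernamePasswordAuthenticationToken auth =
                    new UsernamePasswordAuthenticationToken(
                            claims.getSubject(), null,
                            Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
            SecurityContextHolder.getContext().setAuthentication(auth);
            chain.doFilter(request, response);
        } catch (JwtException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
        } finally {
            // Token-per-request: the authentication must not outlive this request
            // or be persisted into an HTTP session.
            SecurityContextHolder.clearContext();
        }
    }
}
```

Register it in the Spring Security configuration with `http.addFilterBefore(new WebSocketTokenFilter(secret), UsernamePasswordAuthenticationFilter.class)`; Spring's default handshake handler takes the WebSocket session's user from the handshake request's principal, so `@MessageMapping` handlers then see the subject from the token. Because the token travels in the query string it is recorded in access logs, proxy logs and browser history, so mint a short-lived token specifically for the connection rather than reusing a long-lived credential, and serve the endpoint over TLS only.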