I'm currently building a web application that uses Spring to leverage websocket support and security. The thing is, I don't want to use STOMP. It has not been updated for about 4 years now and I don't need it. So I followed the answer to another Stack Overflow question to configure Spring for websockets with SockJS but without STOMP.
Now I want to integrate Spring Security for websocket authentication and authorisation. Unfortunately the documentation is bound to configuring Spring Security for STOMP websockets.
I would highly appreciate any help with configuring Spring Security for my case. Does someone maybe know any tutorial or example for that? I have not found any yet.
A WebSocket messaging session starts with an HTTP request, therefore Spring Security can be used, as it's a framework for securing HTTP requests. In Spring Security the authenticated user and its associated security context are stored in the session. The authenticated user is accessible from the WebSocket handshake because it transports the HTTP request. Spring WebSocket defines HttpSessionHandshakeInterceptor, which can be registered in your configuration using the addInterceptors method:
```java
import java.security.Principal;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.lang.Nullable;
import org.springframework.security.core.Authentication;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.config.annotation.EnableWebSocket;
import org.springframework.web.socket.config.annotation.WebSocketConfigurer;
import org.springframework.web.socket.config.annotation.WebSocketHandlerRegistry;
import org.springframework.web.socket.server.support.HttpSessionHandshakeInterceptor;

@EnableWebSocket
@Configuration
public class WebSocketConfig implements WebSocketConfigurer {

    @Override
    public void registerWebSocketHandlers(WebSocketHandlerRegistry webSocketHandlerRegistry) {
        webSocketHandlerRegistry.addHandler(createHandler(), "/handler")
            .addInterceptors(new HttpSessionHandshakeInterceptor() {
                @Override
                public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response,
                        WebSocketHandler wsHandler, @Nullable Exception ex) {
                    // Nothing extra to do after the handshake; kept for completeness.
                    super.afterHandshake(request, response, wsHandler, ex);
                }

                @Override
                public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
                        WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {
                    // Let the parent copy the HTTP session attributes into the WebSocket session.
                    if (!super.beforeHandshake(request, response, wsHandler, attributes)) {
                        return false;
                    }
                    // getPrincipal() is null for an anonymous request, so guard the cast
                    // instead of casting blindly (that would throw a NullPointerException
                    // and the handshake would fail with a 500 rather than a clean rejection).
                    Principal principal = request.getPrincipal();
                    return principal instanceof Authentication
                            && ((Authentication) principal).isAuthenticated();
                }
            })
            .withSockJS();
    }

    @Bean
    public WebSocketHandler createHandler() {
        return new MyHandler(); // your own WebSocketHandler implementation
    }
}
```
You can also verify the authenticated user in the handler, as it is stored in the WebSocket session.
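As an added example (not the answer's code), here is a handler that performs the check the last sentence describes, reading the principal Spring copied from the handshake into the WebSocketSession and using it both to authenticate the connection and to authorise individual messages. The class name MyHandler, the ROLE_ADMIN authority and the "admin:" message prefix are assumptions.

```java
import java.security.Principal;
import org.springframework.security.core.Authentication;
import org.springframework.web.socket.CloseStatus;
import org.springframework.web.socket.TextMessage;
import org.springframework.web.socket.WebSocketSession;
import org.springframework.web.socket.handler.TextWebSocketHandler;

// Hypothetical handler (not from the answer): it uses the principal that the handshake
// carried over from the HTTP session to authenticate the connection and authorise messages.
public class MyHandler extends TextWebSocketHandler {

    private static final String ADMIN_ROLE = "ROLE_ADMIN"; // assumed authority name

    @Override
    public void afterConnectionEstablished(WebSocketSession session) throws Exception {
        // Defence in depth: even with the handshake interceptor in place, refuse a
        // session that arrived without an authenticated principal.
        if (!isAuthenticated(session)) {
            session.close(CloseStatus.POLICY_VIOLATION);
        }
    }

    @Override
    protected void handleTextMessage(WebSocketSession session, TextMessage message) throws Exception {
        String payload = message.getPayload();
        // Per-message authorisation: an "admin:" command (constructed protocol) needs ROLE_ADMIN.
        if (payload.startsWith("admin:") && !hasAuthority(session, ADMIN_ROLE)) {
            session.sendMessage(new TextMessage("error: forbidden"));
            return;
        }
        session.sendMessage(new TextMessage("ok: " + session.getPrincipal().getName()));
    }

    static boolean isAuthenticated(WebSocketSession session) {
        Principal p = session.getPrincipal(); // null when the handshake had no user
        return p instanceof Authentication && ((Authentication) p).isAuthenticated();
    }

    static boolean hasAuthority(WebSocketSession session, String authority) {
        Principal p = session.getPrincipal();
        return p instanceof Authentication
                && ((Authentication) p).getAuthorities().stream()
                        .anyMatch(a -> authority.equals(a.getAuthority()));
    }
}
```

The interceptor already rejects anonymous upgrades; the check in the handler ensures that removing or misconfiguring the interceptor later does not silently expose the endpoint.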