kotlinspring-securitypostmanspring-messaging
How do I call a secure web socket using Stomp and Spring-Messaging from Postman?
I have the following demo app this includes a JWTDecoder I can add to fake real auth
@Configuration
@Profile("fake-jwt")
class FakeJwtConfig {
@Bean
fun jwtDecoder(): JwtDecoder {
return JwtDecoder { token ->
if (token != "test.token") {
throw JwtException("Invalid token")
}
Jwt.withTokenValue(token)
.header("alg", "none")
.claim("sub", "user")
.issuedAt(Instant.now())
.expiresAt(Instant.now().plusSeconds(3600))
.build()
}
}
}
and configuration to handle authorization
@Profile("secure")
@Configuration
@EnableWebSocketSecurity
class WebSocketSecurityConfig {
@Bean
fun messageAuthorizationManager(
messages: MessageMatcherDelegatingAuthorizationManager.Builder
): AuthorizationManager<Message<*>> {
messages
// Next 2 lines are required for requests without auth.
// Remove these if all paths require auth
.simpTypeMatchers(SimpMessageType.CONNECT).permitAll()
.simpTypeMatchers(SimpMessageType.DISCONNECT).permitAll()
.simpDestMatchers("/app/status").permitAll()
.simpDestMatchers("/app/hello").authenticated()
.anyMessage().authenticated()
return messages.build()
}
}
I have a couple integration tests that seem to pass as expected, however, when I try to manually call the endpoint with something like
SEND
destination:/app/hello
Authorization: Bearer test.token
{"name":"test"}
It gets access denied...
Caused by: org.springframework.security.access.AccessDeniedException: Access Denied
The ones that do not require auth seem to work fine like
SEND
destination:/app/status
{"name":"test"}
work fine so I am confused why it works with test but I can't get it to work manually?
Full project here to be clear I am using hex-encoding etc...
Solution
In Postman, you'll need to set Authorization inside headers instead of in the messages.
In your code, .oauth2ResourceServer { oauth2 -> oauth2.jwt { } } expects a valid bearer token in the Authorization header. The security context is propagated to WebSocket security as described here.
In your controller method, you can log the Authentication like this to verify it's working.
@MessageMapping("/hello")
@SendTo("/topic/greetings")
fun greeting(
message: TestMessage,
authentication: Optional<Authentication>
): Greeting {
logger.info(message.toString())
authentication.ifPresent {
logger.info("Authentication: {}", it)
}
return Greeting("Hello, ${message.name}!")
}
Log Excerpt
Logs when sending two messages after connect. Note Securing GET /ws followed by Set SecurityContextHolder to JwtAuthenticationToken.
2025-02-06T14:59:27.354+01:00 DEBUG 3224140 --- [websocket] [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Securing GET /ws
2025-02-06T14:59:27.360+01:00 DEBUG 3224140 --- [websocket] [nio-8080-exec-1] o.s.s.o.s.r.a.JwtAuthenticationProvider : Authenticated token
2025-02-06T14:59:27.361+01:00 DEBUG 3224140 --- [websocket] [nio-8080-exec-1] .s.r.w.a.BearerTokenAuthenticationFilter : Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@3d7ec21, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[]]
2025-02-06T14:59:27.363+01:00 DEBUG 3224140 --- [websocket] [nio-8080-exec-1] o.s.security.web.FilterChainProxy : Secured GET /ws
2025-02-06T14:59:36.814+01:00 DEBUG 3224140 --- [websocket] [nio-8080-exec-2] .s.m.a.i.AuthorizationChannelInterceptor : Authorizing message send
2025-02-06T14:59:36.815+01:00 DEBUG 3224140 --- [websocket] [nio-8080-exec-2] .s.m.a.i.AuthorizationChannelInterceptor : Authorized message send
2025-02-06T14:59:36.867+01:00 INFO 3224140 --- [websocket] [nboundChannel-1] e.w.controller.WebSocketController : TestMessage(name=test)
2025-02-06T14:59:36.868+01:00 INFO 3224140 --- [websocket] [nboundChannel-1] e.w.controller.WebSocketController : Authentication: JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@3d7ec21, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[]]
2025-02-06T14:59:40.626+01:00 DEBUG 3224140 --- [websocket] [nio-8080-exec-3] .s.m.a.i.AuthorizationChannelInterceptor : Authorizing message send
2025-02-06T14:59:40.626+01:00 DEBUG 3224140 --- [websocket] [nio-8080-exec-3] .s.m.a.i.AuthorizationChannelInterceptor : Authorized message send
2025-02-06T14:59:40.627+01:00 INFO 3224140 --- [websocket] [nboundChannel-4] e.w.controller.WebSocketController : TestMessage(name=test)
2025-02-06T14:59:40.627+01:00 INFO 3224140 --- [websocket] [nboundChannel-4] e.w.controller.WebSocketController : Authentication: JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@3d7ec21, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[]]
Tested and verified with code from OP.
- Unable to parse TLS packet header android studio
- Room - Not sure how to convert a Cursor to this method's return type (java.lang.Object)
- Jetpack Compose NavigationBarItem Icon
- Why ListDetailPaneScaffold needs a custom Parcelable class?
- How to convert the input format of date to a specific new format in android
- How to create the Android 13 squiggly slider using Jetpack Compose?
- Get index of all occurrences in a list
- Hilt Dependency Injection Issue: Cannot Find Symbol 'PlayerViewModel_HiltModules_BindsModule_Binds_LazyMapKey‘
- Offset Not Working in Swiper Element - Jetpack Compose
- Kotlin Type mismatch: inferred type is Int? but Int was expected
- How to avoid unnecesary recompositions due to checking a state variable?
- How to parse this rare XML structure with Retrofit?
- Spring Boot - How/Where to convert foreign key of a DTO to an Entity
- How should I go about implementing MVVM architecture pattern in my project?
- IntelliJ keeps giving cannot resolve @param in jdocs / kdocs
- How to make UI components in a Jetpack Compose project adapt properly to different mobile screen sizes?
- enableEdgeToEdge style not working in andorid 15 [AppCompatActivity]
- Property include/exclude on Kotlin data classes
- Module was compiled with an incompatible version of Kotlin. The binary version of its metadata is 1.5.1, expected version is 1.1.15
- Android Studio Kotlin duplicate class build error
- How can I just get a single field form a nested JSON object with Jackson annotations?
- How does Continuation work in Kotlin Coroutine?
- How to set a new kotlin and gradle version in React Native?
- Can a @Volatile lateinit var be atomically initialized using a DCL pattern in Kotlin?
- java.lang.IllegalAccessError: superclass access check failed: class org.jetbrains.kotlin.kapt3.base.javac.KaptJavaCompiler?
- Efficient way of Square of a Sorted Array
- Is it possible to read an NFC tag from a card without using an intent?
- How to make a text clickable in Jetpack Compose? And also toggle it to non-clickable after selecting once
- Is Kotlin "pass-by-value" or "pass-by-reference"?
- How to Align Banner Ad to bottom of screen in JetPack Compose