使用 spring-security 保护 Spring-Webscoket 并从 websocket 消息访问主体 [英] Secure Spring-Webscoket using spring-security and access principal from websocket message

问题描述

Spring Security 是一个非常好的框架，广泛用于身份验证 &授权.

Spring Security is very nice framework widely used for Authentication & Authorization.

我要求使用 j_spring_security_check 对应用程序进行身份验证，并且只有授权用户才能向 websocket 处理程序发出请求.

I have a requirement in which the application to be authenticated using j_spring_security_check, and only authorized users can make request to websocket handler.

我已经按照 http://malalanayake.wordpress.com/2014/06/27/spring-security-on-rest-api/

我已经按照 http://syntx 配置了 websocket.io/using-websockets-in-java-using-spring-4/.

我希望从 handleTextMessage 处理程序访问 MyPrincipal 主体对象，如下所示:

I want MyPrincipal principal object to be accessed from handleTextMessage handler as per below:

    @Override
    protected void handleTextMessage(WebSocketSession session,
            TextMessage message) throws Exception {
        System.out.println("Protocol: "+session.getAcceptedProtocol());
        TextMessage returnMessage = new TextMessage(message.getPayload()
                + " received at server");
        System.out.println("myAttrib="
                + session.getAttributes().get("myAttrib"));
        MyPrincipal user = (MyPrincipal) ((Authentication) session
                .getPrincipal()).getPrincipal();
        System.out.println("User: " + user.getUserId());
        session.sendMessage(returnMessage);
    }

请尽快重播.

推荐答案

在 websocket 配置中添加 HttpSessionHandshakeInterceptor 允许将 spring 安全主体对象从 SpringSecurityContext 传递到 WebsocketSession

Adding HttpSessionHandshakeInterceptor in websocket configuration allows to pass spring security principal object from SpringSecurityContext to WebsocketSession

HandshakeInterceptor.java

public class HandshakeInterceptor extends HttpSessionHandshakeInterceptor{

    @Override
    public boolean beforeHandshake(ServerHttpRequest request,
            ServerHttpResponse response, WebSocketHandler wsHandler,
            Map<String, Object> attributes) throws Exception {
        System.out.println("Before Handshake");
        return super.beforeHandshake(request, response, wsHandler, attributes);
    }

    @Override
    public void afterHandshake(ServerHttpRequest request,
            ServerHttpResponse response, WebSocketHandler wsHandler,
            Exception ex) {
        System.out.println("After Handshake");
        super.afterHandshake(request, response, wsHandler, ex);
    }

}

websocket.xml

<bean id="websocket" class="co.syntx.example.websocket.handler.WebsocketEndPoint"/>

<websocket:handlers>
    <websocket:mapping path="/websocket" handler="websocket"/>
    <websocket:handshake-interceptors>
    <bean class="co.syntx.example.websocket.HandshakeInterceptor"/>
    </websocket:handshake-interceptors>
</websocket:handlers>

这篇关于使用 spring-security 保护 Spring-Webscoket 并从 websocket 消息访问主体的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！