保护基于Spring消息传递的websocket服务 [英] Securing a Spring messaging based websocket service

问题描述

我正在研究这个问题已有3个星期没有真正的解决方案，我真的希望你能帮助我。

I am working on this for 3 weeks now without a real solution and I really hope you can help me out.

项目背景：

• 使用基于JavaScript / PHP的客户端的Webapp通过SocksJS发送消息并将消息踩到门

• Webapp with a JavaScript/PHP based Client sends via SocksJS and Stomp a message to a "gate"

门是用Java / Spring编写的，使用@SendTo和@MessageMapping发送和接收消息

The gate is written in Java/Spring and uses @SendTo and @MessageMapping to send and recieve messages

来自门被发送到RabbitMQ并通过messageBrokerRegistry.enableStompBrokerRelay返回客户端

The messages from the gate are sent to RabbitMQ and back to the client via "messageBrokerRegistry.enableStompBrokerRelay"

到目前为止它的工作原理，消息被送回的人。

So far it works, messages being sent are coming back.

现在高级证券部分：

• 消息应该通过包含用户和内容的cookie来保护...

据我所知，WebSockets本身不支持安全性。您必须像使用BASIC auth或类似的常用webapp一样保护您的webapp。所以我添加了一个servlet过滤器，其中包含一个扩展GenericFilterBean的类。如果用户发送了正确的cookie页面加载，否则他会收到403错误。

WebSockets themselves dont support security as far as I understood. You have to secure your webapp just like a "common" webapp with BASIC auth or some like that. So I added a servlet filter with a class extending GenericFilterBean. If the user sent the correct cookie the page loads, else he gets a 403 error.

现在出现了问题：

由于@SendTo向所有订阅者发送消息而@SendToUser似乎只将其发送到一个会话，因此我倾向于使用@SendToUser。但似乎无法选择要创建的rabbitMQ队列。我想要一些像/ myqueue-user-123。 @SendToUser无法做到这一点，因为生成的队列是随机的，并且基于SessionID，我无法覆盖。

Due to the fact that @SendTo sends messages to all subscribers and @SendToUser seems to send it just to one session I tend to use @SendToUser. BUT there seems no way to chose a rabbitMQ queue to be created. I want some like "/myqueue-user-123". This is not possible with @SendToUser, because the generated queue is random and based on the SessionID, which I could not override.

所以我尝试过（我尝试除了拦截器，事件等之外的其他东西），使用没有值的@SendTo，以便客户端可以决定队列它必须发送给。

So what I tried (and i tried LOADS of stuff besides interceptors, events and so on), is using @SendTo without a value so that the client can decide the queue it has to send to.

我现在需要的是评估cookie中的用户是否与/ myqueue / user-123相关联。如果不是，请不要向他发送消息。阻止他订阅。断开他，无论如何。

What I need now is to evaluate that the user from the cookie correlates with "/myqueue/user-123". And if NOT, DO NOT SEND the message to him. Stop him from subscribing. Disconnect him, whatever.

但在我看来，你绝不可以
- 停止发送消息，只是拦截以记录它们而不是alter
- 断开websocket，因为它会自动尝试重新连接
- 抛出异常，因为订阅无论如何都会继续（事件只是事件，而不是干扰）。

But it seems to me that you can in no way - stop messages from being sent, just "intercept" to log them not alter - disconnect a websocket because it automatically tries reconnecting - throw exceptions because the subscribe suceeds anyways (events are just events, not something to interfere).

我会非常感谢任何建议或提示。因为我完全被困在这里......

I would be really thankful for any advice or tip. Because I am totally stuck here...

推荐答案

我理解你的痛苦，我花了两天时间试图了解春天的安全问题关于WebSocket。

I understand your pain, i spend two days trying to understand the spring security mess concerning WebSocket.

Websocket不要正式支持一种认证的方式，但是，spring-security确实如此（或多或少） ）。

Websocket dont officially support a way to authenticate, however, spring-security does (more or less).

我建议您在WebSocket级别进行身份验证，而不是在HTTP，WebSocket（和stomp）的大多数JavaScripts库都不会随HTTP一起发送标头握手。

I would advice you to authenticate at WebSocket level, not at HTTP, most of JavaScripts library for WebSocket (and stomp) don't sends headers along with the HTTP handshake.

您将找到有关如何在WebSocket级别进行身份验证的详细指南此处。在上面的示例中，我使用Websocket Headers值来验证我的客户端，您可以将cookie值放在这些头中，或者用localstorage替换cookie。

You'll find a detailed guide on how to authenticate at the WebSocket level here. In the above example, i used Websocket Headers values to authenticate my clients, you can put your cookie value in these headers, or replace the cookie by localstorage.

使用此方法您可以在控制器中访问 Principal ，这可以解决SendToUser问题。

Using this method you'll have access to the Principal in your controllers, this should solve the SendToUser issue.

这篇关于保护基于Spring消息传递的websocket服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！