在Spring中使用STOMP和WebSocket向特定用户发送消息时检查身份验证 [英] Check auth while sending a message to a specific user by using STOMP and WebSocket in Spring

问题描述

我正在使用 Message Broker 和 STOMP 在 WebSocket .

我希望能够根据其用户名向特定用户发送消息. 为了实现此目标，我使用了org.springframework.messaging.simp.SimpMessagingTemplate类的convertAndSendToUser方法，如下所示:

I would like to be able to send messages to a specific user, according with his username. In order to achieve this goal, I'm using the convertAndSendToUser method of org.springframework.messaging.simp.SimpMessagingTemplate class, as follows:

private final MessagingTemplate messagingTemplate;

@Autowired
public LRTStatusListener(SimpMessagingTemplate messagingTemplate) {
    this.messagingTemplate = messagingTemplate;
}


@Scheduled(fixedDelay=5000)
public void sendMessages(Principal principal)
    messagingTemplate
        .convertAndSendToUser(principal.getName(), "/horray", "Horray, " + principal.getName() + "!");
}

作为配置:

@Configuration
@EnableScheduling
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/notifications").withSockJS();
    }

    @Override
    public void configureMessageBroker(MessageBrokerRegistry registry) {
        registry.enableSimpleBroker("/topic", "/queue", "/user");
    }

}

在客户端(通过 JavaScript )，我应该通过指定用户名来订阅频道(根据另一个非常相似的问题:

Client-side (via JavaScript), I should subscribe to a channel by specifing the username (according with another very similar question: Sending message to specific user on Spring Websocket).

stompClient.subscribe('/user/' + username + '/horray, ...) 

这最后一点听起来很奇怪...

This last point sounds weird...

假设我通过以下方式在我的Web应用程序上以 w.white 身份登录:

Supposing that I'm logged as w.white on my webapp, by subscribing:

stompClient.subscribe('/user/w.white/horray, ...)

...我将能够看到发送到 w.white 的消息，这真棒...但是订阅:

... I will be able to see messages sent to w.white, and this is awesome... But subscribing:

stompClient.subscribe('/user/j.pinkman/horray, ...)

......我也将看到发送给 j.pinkman 的消息，尽管我目前以 w.white 身份登录.

... I will be able to see also messages sent to j.pinkman, despide that I'm currently logged as w.white.

这是解决这个问题的方法吗?

It is a way to overcome this problem?

下面是有关通过WebSocket进行连接的日志:

Below there is the log about the connection over WebSocket:

Opening Web Socket... 
Web Socket Opened... 
>>> CONNECT
accept-version:1.1,1.0
heart-beat:10000,10000

<<< CONNECTED
user-name:w.white
heart-beat:0,0
version:1.1

connected to server undefined
Connected: CONNECTED
version:1.1
heart-beat:0,0
user-name:w.white

>>> SUBSCRIBE
id:sub-0
destination:/topic/lrt

>>> SUBSCRIBE
id:sub-1
destination:/user/lrt

推荐答案

我找到了解决方案.

首先，重要的是要知道/user频道已经由 Spring STOMP 管理，而且，不需要注册.

First of all, it is important to know that the /user channel is already managed by Spring STOMP, and by the way, no registration is required.

所以:

@Override
public void configureMessageBroker(MessageBrokerRegistry registry) {
    registry.enableSimpleBroker("/topic", "/queue");
}

然后，我将目标频道设置为/queue/horray:

Then, I setup the destination channel as /queue/horray:

@Scheduled(fixedDelay=5000)
public void sendMessages(Principal principal)
    messagingTemplate
        .convertAndSendToUser(principal.getName(), "/queue/horray", "Horray, " + principal.getName() + "!");
}

最后，在客户端上:

stompClient.subscribe('/user/queue/horray', '...');

现在，它可以正常工作！根据安全上下文获取的Principal，消息仅发送到指定的收件人.

Now, it works fine! Messages are sent only to the specified recipient, according to the Principal fetched by the security context.

这篇关于在Spring中使用STOMP和WebSocket向特定用户发送消息时检查身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！