Spring websocket security for multiple users

Problem description

I want to use websocket in a Spring application for contact requests. I have already set up a login page for users and I use Spring Security for that. My problem is the following: how to securely send web socket messages to two different users.

I know that I can broadcast messages to every user subscribed to some topic with @SendTo() and can broadcast a message to one user only with something like

messagingTemplate
    .convertAndSendToUser(principal.getName(), "/queue/requests", request);

because his username is stored in principal.

My problem is how to handle the case where we have to target 2 users from a request, and make it secure so that you can't just listen to any channels from the client side without being authorized.

Ideally I'm looking for something like

messagingTemplate
    .convertAndSendToUser(request.getFromUser(), "/queue/requests", request);

messagingTemplate
    .convertAndSendToUser(request.getToUser(), "/queue/requests", request);

Recommended answer

Spring WebSocket handles the /user channel, so I used those methods.

This is how I solved this problem:

When a user authenticates with Spring Security, the WebSocket module creates a unique channel for that user based on his Principal. For example, "/user/queue/position-updates" is translated to "/queue/position-updates-user123".

So on the client side, all I had to do was subscribe to /user/queue/requests

And on the server side, send messages to /user/{username}/queue/requests with convertAndSendToUser(request.getFromUser(), "/queue/requests", request) and Spring handles the rest.
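
An added example, not part of the original answer: a controller that sends one request to both users with convertAndSendToUser, taking the sender from the authenticated Principal instead of the client-supplied payload. The ContactRequest class, its setters and the "/contact-request" mapping are assumptions made for illustration.

```java
import java.security.Principal;
import org.springframework.messaging.handler.annotation.MessageMapping;
import org.springframework.messaging.handler.annotation.Payload;
import org.springframework.messaging.simp.SimpMessagingTemplate;
import org.springframework.stereotype.Controller;

// Hypothetical payload type; the page only shows getFromUser()/getToUser().
class ContactRequest {
    private String fromUser;
    private String toUser;
    public String getFromUser() { return fromUser; }
    public void setFromUser(String fromUser) { this.fromUser = fromUser; }
    public String getToUser() { return toUser; }
    public void setToUser(String toUser) { this.toUser = toUser; }
}

@Controller
public class ContactRequestController {
    private final SimpMessagingTemplate messagingTemplate;

    public ContactRequestController(SimpMessagingTemplate messagingTemplate) {
        this.messagingTemplate = messagingTemplate;
    }

    // "/contact-request" is an assumed mapping, reached via the application prefix.
    @MessageMapping("/contact-request")
    public void handle(@Payload ContactRequest request, Principal principal) {
        if (principal == null) {
            throw new IllegalStateException("unauthenticated WebSocket session");
        }
        String toUser = request.getToUser();
        if (toUser == null || toUser.isBlank()) {
            throw new IllegalArgumentException("toUser is required");
        }
        // Overwrite the client-supplied sender with the authenticated name,
        // so a client cannot submit a request on behalf of another user.
        request.setFromUser(principal.getName());

        // Each call resolves to that user's own session queue(s); only sessions
        // authenticated as that user receive it via /user/queue/requests.
        messagingTemplate.convertAndSendToUser(request.getFromUser(), "/queue/requests", request);
        messagingTemplate.convertAndSendToUser(toUser, "/queue/requests", request);
    }
}
```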
