1

Spring Security is very nice framework widely used for Authentication & Authorization.

I have a requirement in which the application to be authenticated using j_spring_security_check, and only authorized users can make request to websocket handler.

I have configured spring security as per http://malalanayake.wordpress.com/2014/06/27/spring-security-on-rest-api/

And I have configured websocket as per http://syntx.io/using-websockets-in-java-using-spring-4/.

I want MyPrincipal principal object to be accessed from handleTextMessage handler as per below:

    @Override
    protected void handleTextMessage(WebSocketSession session,
            TextMessage message) throws Exception {
        System.out.println("Protocol: "+session.getAcceptedProtocol());
        TextMessage returnMessage = new TextMessage(message.getPayload()
                + " received at server");
        System.out.println("myAttrib="
                + session.getAttributes().get("myAttrib"));
        MyPrincipal user = (MyPrincipal) ((Authentication) session
                .getPrincipal()).getPrincipal();
        System.out.println("User: " + user.getUserId());
        session.sendMessage(returnMessage);
    }

Please replay ASAP.

Prakash Bhagat
  • 1,406
  • 16
  • 30

2 Answers2

2

Adding HttpSessionHandshakeInterceptor in websocket configuration allows to pass spring security principal object from SpringSecurityContext to WebsocketSession

EDIT: HandshakeInterceptor.java

public class HandshakeInterceptor extends HttpSessionHandshakeInterceptor{

    @Override
    public boolean beforeHandshake(ServerHttpRequest request,
            ServerHttpResponse response, WebSocketHandler wsHandler,
            Map<String, Object> attributes) throws Exception {
        System.out.println("Before Handshake");
        return super.beforeHandshake(request, response, wsHandler, attributes);
    }

    @Override
    public void afterHandshake(ServerHttpRequest request,
            ServerHttpResponse response, WebSocketHandler wsHandler,
            Exception ex) {
        System.out.println("After Handshake");
        super.afterHandshake(request, response, wsHandler, ex);
    }

}

websocket.xml

<bean id="websocket" class="co.syntx.example.websocket.handler.WebsocketEndPoint"/>

<websocket:handlers>
    <websocket:mapping path="/websocket" handler="websocket"/>
    <websocket:handshake-interceptors>
    <bean class="co.syntx.example.websocket.HandshakeInterceptor"/>
    </websocket:handshake-interceptors>
</websocket:handlers>
Prakash Bhagat
  • 1,406
  • 16
  • 30
  • I want to pass the spring security principal to WebSocket, I added HandShakeInterceptor in my code but it still threw 401 error. I don't have a websocket.xml file, how to configure it or can this do in code? – Dave Pateral Feb 15 '17 at 07:48
  • add @Component annotation to the class. Assuming you don't have xml - you have component scan from some spring configuration annotation or smth; if you talk about how to configure websocket - there are special tutorials (there is entire class of actions) – Andrii Plotnikov Apr 07 '17 at 10:24
1

Make sure you secured your WebSocket Endpoint with Spring Security and did the login. (401 if not done.)

Testet with 3.2.7 and 4.0.2.RELEASE

Both versions have:

  • session.getPrincipal() <-- a value here

  • SecurityContextHolder.getContext().getAuthentication() <-- null here

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected void configure(HttpSecurity http) throws Exception {
    http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
        .and()
        .httpBasic().and()
        .authorizeRequests()
Paul
  • 193
  • 1
  • 8
  • I got a 401 error when websocket client connects to server with spring security, how to secure the endpoint. Could you describe in detail please? – Dave Pateral Feb 15 '17 at 07:44