
I am currently trying to set up HTTPS in my Spring Boot 1.2 application. This application uses a lot of websockets to communicate between two servers. When it is running on simple HTTP everything works fine, but when I switch it over to HTTPS I get a 403 Forbidden error on both Firefox and Chrome (I haven't tested it on IE). I have a SimpleCORSFilter set up that accepts all connections, so I don't think that is the problem. All of the RESTful requests over HTTPS to the same server work; it's just websockets that seem to be blocked.
Here is my WebSocket Spring configuration:

import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        // In-memory broker for subscriptions under /topic; client sends go to /app
        config.enableSimpleBroker("/topic");
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // SockJS endpoint the browser connects to (no allowed-origins configured yet)
        registry.addEndpoint("/simulation").withSockJS();
    }
}

Here is my front-end websocket connection:

   // The base URL must be a string literal (or a variable holding one)
   socket = new SockJS('https://my.url' + '/simulation');
   stompClient = Stomp.over(socket);
   stompClient.debug = false;
   stompClient.connect({}, function(frame) {
        stompClient.subscribe('/topic/', function(status) {
                  // Do something with result
        });
   });

EDIT: This is the error in the Chrome console:

GET https://localhost:8090/simulation/info 403 (Forbidden)
stomp.js:8 Whoops! Lost connection to undefined

EDIT 2: This error seems to be a side effect of recently upgrading from Spring Boot 1.1 to Spring Boot 1.2. I will update when I pinpoint which one of the dependencies is causing the error.

Jake C.

1 Answer

Try this:

@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
    // "*" accepts any Origin header on the SockJS handshake; see the caveat below
    registry.addEndpoint("/simulation").setAllowedOrigins("*").withSockJS();
}

Be advised that allowing all origins could expose you to Cross-Site Request Forgery. Refer to https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) for ways to defend against it.

Harry Cho
  • Is something else needed? I'm trying this with grails 3.0.9 and grails-spring-websocket plugin 2.1.0 and it doesn't work – Eylen Jan 15 '16 at 09:40
  • I have finally been able to connect, but I've had to also add a CorsFilter in Java and register it in resources.groovy. Grails interceptors don't work for this – Eylen Jan 15 '16 at 09:57
  • Doesn't it impair the security, allowing cross-site request forgery? – user2417480 Jun 13 '16 at 07:59
  • @user2417480, you are absolutely right, but it can be protected by having a XSRF token or some sort. – Harry Cho Sep 02 '16 at 18:12
  • @user2417480: Yes, allowing all origins is bad. If * does the trick here for testing purposes in your scenario, you should remove it afterwards and manually define all origins your websocket/STOMP endpoint is allowed to run in, for instance `https://example.com`. Spring always allows resources from the same origin, even if you define something here. The origins you allow manually come on top of the same-origin policy, so there's no harm in defining them. – TXN Mar 14 '19 at 23:36
  • @Eylen - can you please describe further what you did? It is super frustrating to read "I have been able to make this work" without an answer actually being submitted! – Richard Green Nov 19 '19 at 10:07
  • Sorry @RichardGreen, I haven't worked on that project for a long time now and I can't remember. But I think that my second comment, about setting a CorsFilter in Java and registering it in resources.groovy, should be a good starting point – Eylen Nov 20 '19 at 21:44
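The hardened form of the accepted answer, following TXN's comment above, as an added example that is not part of the answer or of the asker's project: the SockJS endpoint takes its allowed origins from a configuration property instead of a hard-coded `*`, and refuses to start if someone puts a wildcard in that list. The property name `app.websocket.allowed-origins` and the origins in its sample value are assumptions; `setAllowedOrigins(String...)` is the Spring method the answer uses.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    // Comma-separated list of front-end origins allowed to open the SockJS endpoint,
    // e.g. in application.properties (hypothetical property name and values):
    //   app.websocket.allowed-origins=https://app.example.com,https://admin.example.com
    // Spring converts the comma-separated value into a String[].
    @Value("${app.websocket.allowed-origins}")
    private String[] allowedOrigins;

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        config.enableSimpleBroker("/topic");
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // Fail fast at startup rather than silently re-opening the endpoint to every site.
        for (String origin : allowedOrigins) {
            if ("*".equals(origin.trim())) {
                throw new IllegalStateException(
                        "app.websocket.allowed-origins must list explicit origins, not '*'");
            }
        }
        // Same-origin handshakes are accepted regardless; the listed origins are added on top.
        registry.addEndpoint("/simulation")
                .setAllowedOrigins(allowedOrigins)
                .withSockJS();
    }
}
```

With this in place, the browser's `GET /simulation/info` handshake succeeds only when its Origin header matches one of the configured origins (or the server's own origin); every other origin still gets the 403 from the question.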