basic authentication - How to authenticate WebSocket within an existing HTTP environment with Spring Security -
i have pretty simple requirement (i use spring-security 4.0.1) can't find examples on web except been told on page: http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html#websocket-server-handler
it relatively simple integrate websockethandler other http serving environments of websockethttprequesthandler.
what have: implementation of websockethandler
job , http serving environments using basic authentication. webapplicationinitializer
looks this:
public class mywebappinitializer implements webapplicationinitializer { @override public void onstartup(servletcontext servletcontext) throws servletexception { ... // websocket support - handshake dynamic ws = servletcontext.addservlet("websockethttprequesthandler", new httprequesthandlerservlet()); ws.addmapping("/streaming/*"); // spring security filter filterregistration.dynamic springsecurity = servletcontext.addfilter("springsecurityfilterchain", new delegatingfilterproxy()); springsecurity.addmappingforurlpatterns(enumset.of(dispatchertype.request), true, "/*"); } }
this how plugged websocket endpoint existing web application. websocket configuration class looks (very simplified) this:
@configuration public class websocketservicesconfig{ @bean public websockethttprequesthandler websockethttprequesthandler() { return new websockethttprequesthandler(new streamingwebsockethandler()); } }
streamingwebsockethandler
implements websockethandler
.
i have restful web service (in same server) uses configured basic authentication.
what working: restful web service working web browsers. can authenticated queries (credentials can sent in http headers). websocket queries working , ask authentication first time try (under firefox, popup appears asking credentials, once enter them, client , server able communicate via websocket messages). in websockethandler
, spring object: websocketsession
contains informations authenticated user correct (#getprincipal()
method returns authentication
containing right granted authorities, details , on...). note once websocket authenticated, can relaunch query without re-enter them.
what want: on user point of view, bad because credentials required twice:
- first restful queries
- second websocket queries
how can bypass second authentication assuming first 1 succeeded? there way detect client has been authenticated , not ask credentials?
what don't want: don't want use neither stomp on websocket nor sockjs (i don't need support old web browsers).
Comments
Post a Comment