  1. Spring Framework
  2. SPR-15822

Setting user header on CONNECT message stopped working


      Description

      We followed instructions in Token-Based Authentication in Spring doc at http://docs.spring.io/spring/docs/5.0.0.M5/spring-framework-reference/html/websocket.html#websocket-stomp-authentication-token-based, in order to set the user header on the CONNECT Message. In Spring framework 4.3.9, it works well. After migrating to 5.0.0 RC2, we found it stopped working. After some investigation, we tend to believe it is a bug in 5.0.0 RC2 as well as RC3.

      [5.0.0 RC2 behavior] – bad
      In method handleMessageFromClient() in StompSubProtocolHandler class, Principal is retrieved from session. Of course, at this point, the Principal is null. And then, Spring attempts to put Principal to stompAuthentications. Since it is null, nothing would be put into stompAuthentications.

      Principal user = getUser(session);
      if (user != null) {
          headerAccessor.setUser(user);
      }
      ...
      try {
          SimpAttributesContextHolder.setAttributesFromMessage(message);
          boolean sent = outputChannel.send(message);

          if (sent) {
              if (isConnect) {
                  if (user != null && user != session.getPrincipal()) {
                      this.stompAuthentications.put(session.getId(), user);
                  }
              }

      [4.3.9 behavior] – good
      Spring tries to retrieve Principal from STOMP header, and then put it into stompAuthentications.

      if (sent) {
          if (isConnect) {
              Principal user = headerAccessor.getUser();
              if (user != null && user != session.getPrincipal()) {
                  this.stompAuthentications.put(session.getId(), user);
              }
          }

      This commit (https://github.com/spring-projects/spring-framework/commit/f813712f5b413b354560cd7cc006352e9defa9a3#diff-7bc1370febf168db39f9b3a608f68fe8) caused this regression. FYI.

          Activity

          juergen.hoeller Juergen Hoeller added a comment -

          Good catch: We need to re-retrieve the user at that point, which got accidentally dropped during that nullability refactoring. Restored for 5.0 RC4 now.
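
The ordering problem discussed in this issue, as a simplified Spring-free model (an added example, not Spring's code and not part of the original thread). `ConnectUserDemo`, `Headers` and the two `connect...` methods are hypothetical stand-ins, the interceptor is modelled as a `Consumer`, and the session principal is assumed to be null as in the report.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Consumer;

public class ConnectUserDemo {

    /** Stand-in for the mutable headers of the CONNECT message (hypothetical, not Spring's class). */
    static class Headers {
        private Principal user;
        Principal getUser() { return user; }
        void setUser(Principal user) { this.user = user; }
    }

    /** Stand-in for the handler's session-id to user map. */
    static final Map<String, Principal> stompAuthentications = new HashMap<>();

    /** 5.0 RC2 shape: the user is read once, before the channel and its interceptors run. */
    static void connectCapturedEarly(String sessionId, Principal sessionUser, Consumer<Headers> interceptor) {
        Headers headers = new Headers();
        Principal user = sessionUser;
        if (user != null) {
            headers.setUser(user);
        }
        interceptor.accept(headers); // models outputChannel.send(message)
        if (user != null && user != sessionUser) { // can never be true: user is sessionUser
            stompAuthentications.put(sessionId, user);
        }
    }

    /** 4.3.9 shape: the user is re-read from the headers after the send. */
    static void connectReRead(String sessionId, Principal sessionUser, Consumer<Headers> interceptor) {
        Headers headers = new Headers();
        if (sessionUser != null) {
            headers.setUser(sessionUser);
        }
        interceptor.accept(headers); // models outputChannel.send(message)
        Principal user = headers.getUser(); // sees what the interceptor set
        if (user != null && user != sessionUser) {
            stompAuthentications.put(sessionId, user);
        }
    }

    public static void main(String[] args) {
        Principal tokenUser = () -> "token-user"; // constructed sample identity
        Consumer<Headers> tokenInterceptor = h -> h.setUser(tokenUser);
        connectCapturedEarly("s1", null, tokenInterceptor);
        connectReRead("s2", null, tokenInterceptor);
        System.out.println("s1 stored: " + stompAuthentications.containsKey("s1"));
        System.out.println("s2 stored: " + stompAuthentications.containsKey("s2"));
    }
}
```

Only the re-read variant records the interceptor-supplied user for the session, which is the behavior restored for 5.0 RC4.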


            People

            • Assignee:
              juergen.hoeller Juergen Hoeller
              Reporter:
              domain Jeff
              Last updater:
              Stéphane Nicoll