
Token-based WebSocket Authentication Documentation Inaccuracy

    Details

    • Type: Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 4.3.11, 5.0 RC4
    • Component/s: Messaging:WebSocket
    • Labels: None

      Description

      The Spring documentation to register a custom websocket authentication interceptor has an inaccuracy. For custom OAuth authentication (or any custom authentication), the sample code indicates a security Principal should be set on the StompHeaderAccessor. However, the downstream Spring Security code expects the object set on the StompHeaderAccessor to be of type Authentication rather than Principal. (Note, Authentication is a sub-interface of Principal.)

      Documentation:
      26.4.11 Token-based Authentication
      http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html

      Code example from documentation:

          if (StompCommand.CONNECT.equals(accessor.getCommand())) {
              Principal user = ... ; // access authentication header(s)
              accessor.setUser(user);
          }

      Current Spring Security Code:
      SecurityContextChannelInterceptor
      https://github.com/spring-projects/spring-security/blob/master/messaging/src/main/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptor.java

      See Line 125

          Authentication authentication;
          if ((user instanceof Authentication)) {
              authentication = (Authentication) user;
          }
          else {
              authentication = this.anonymous;
          }

      When setting an object of type Principal, the check fails and the security context is set to an anonymous user.
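      The following is an added illustration of the point above and is not code from this issue, from the Spring Framework reference documentation, or from Spring Security. It shows an inbound channel interceptor that, on the STOMP CONNECT frame, resolves a bearer token into a Spring Security Authentication (here a UsernamePasswordAuthenticationToken, which implements Principal) and sets that on the StompHeaderAccessor, so the instanceof Authentication check in SecurityContextChannelInterceptor passes instead of falling back to the anonymous user. Assumptions: Spring Framework 5.x (ChannelInterceptor and WebSocketMessageBrokerConfigurer with default methods), Spring Security on the classpath, a native "Authorization" STOMP header chosen for this example, the "/ws" endpoint and "/topic" prefix as placeholders, and a constructed in-memory token table standing in for real token validation.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

/**
 * Example configuration (not the project's own code). The @Order keeps this
 * configuration, and therefore its interceptor, ahead of the Spring Security
 * messaging interceptor on the inbound channel.
 */
@Configuration
@EnableWebSocketMessageBroker
@Order(Ordered.HIGHEST_PRECEDENCE + 99)
public class TokenWebSocketConfig implements WebSocketMessageBrokerConfigurer {

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/ws"); // placeholder endpoint path
    }

    @Override
    public void configureMessageBroker(MessageBrokerRegistry registry) {
        registry.enableSimpleBroker("/topic"); // placeholder destination prefix
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        registration.setInterceptors(new TokenAuthChannelInterceptor());
    }

    /** Authenticates the CONNECT frame and attaches an Authentication, not a bare Principal. */
    static class TokenAuthChannelInterceptor implements ChannelInterceptor {

        // Constructed sample table for this example only; a real deployment
        // validates a signed token or consults a token store instead.
        private static final Map<String, String> TOKEN_TO_USER =
                Collections.singletonMap("example-token-for-alice", "alice");

        @Override
        public Message<?> preSend(Message<?> message, MessageChannel channel) {
            StompHeaderAccessor accessor =
                    MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
            if (accessor != null && StompCommand.CONNECT.equals(accessor.getCommand())) {
                // Header name "Authorization" is an assumption of this example.
                String header = accessor.getFirstNativeHeader("Authorization");
                // setUser accepts any Principal; passing an Authentication is what
                // makes SecurityContextChannelInterceptor's instanceof check succeed.
                accessor.setUser(authenticate(header));
            }
            return message;
        }

        /** Maps "Bearer <token>" to an authenticated token or rejects the CONNECT. */
        static Authentication authenticate(String authorizationHeader) {
            if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
                throw new BadCredentialsException("Missing bearer token on STOMP CONNECT");
            }
            String token = authorizationHeader.substring("Bearer ".length());
            String username = TOKEN_TO_USER.get(token);
            if (username == null) {
                throw new BadCredentialsException("Unknown token on STOMP CONNECT");
            }
            // The three-argument constructor marks the token as authenticated;
            // credentials are not retained on the session principal.
            return new UsernamePasswordAuthenticationToken(
                    username, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
    }
}
```

      Throwing from preSend fails the CONNECT outright, which is the safer behaviour for a missing or unknown token than letting the frame through to be downgraded to anonymous by the downstream interceptor. Had authenticate() returned a plain Principal implementation (for example a lambda over getName()), the session would connect but every subsequent frame would carry the anonymous Authentication, exactly the symptom described above.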

        Activity

        There are no comments yet on this issue.

          People

          • Assignee:
            rstoya05-aop Rossen Stoyanchev
            Reporter:
            stevedroy Steve Roy
            Last updater:
            Stéphane Nicoll
          • Votes:
            0
            Watchers:
            1

            Dates

            • Created:
              Updated:
              Resolved:
              Days since last comment:
              14 weeks, 2 days ago