Spring Framework issue SPR-15863

Token-based WebSocket Authentication Documentation Inaccuracy


Details

    • Type: Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Fix Version/s: 4.3.11, 5.0 RC4
    • Component/s: Messaging:WebSocket

    Description

      The Spring documentation to register a custom websocket authentication interceptor has an inaccuracy. For custom OAuth authentication (or any custom authentication), the sample code indicates a security Principal should be set on the StompHeaderAccessor. However, the downstream Spring Security code expects the object set on the StompHeaderAccessor to be of type Authentication rather than Principal. (Note: Authentication is a sub-interface of Principal.)

      Documentation:
      26.4.11 Token-based Authentication
      http://docs.spring.io/spring/docs/current/spring-framework-reference/html/websocket.html

      Code example from documentation:

          if (StompCommand.CONNECT.equals(accessor.getCommand())) {
              Principal user = ... ; // access authentication header(s)
              accessor.setUser(user);
          }

      Current Spring Security Code:
      SecurityContextChannelInterceptor
      https://github.com/spring-projects/spring-security/blob/master/messaging/src/main/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptor.java

      See Line 125

          Authentication authentication;
          if ((user instanceof Authentication)) {
              authentication = (Authentication) user;
          }
          else {
              authentication = this.anonymous;
          }

      When setting an object of type Principal, the check fails and the security context is set to an anonymous user.
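      The following interceptor is an added example (not the page's or the Spring reference's own code) showing the shape the documentation sample needs to take so that the instanceof check above succeeds: the CONNECT handler builds an Authentication and hands that to setUser(). It extends ChannelInterceptorAdapter as the 4.3-era reference sample does; the "X-Auth-Token" header name and the TokenValidator collaborator are assumptions.

```java
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptorAdapter;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class TokenAuthChannelInterceptor extends ChannelInterceptorAdapter {

    // Assumption: the client sends its token in a native STOMP header with this name.
    private static final String TOKEN_HEADER = "X-Auth-Token";

    private final TokenValidator tokenValidator; // hypothetical collaborator, defined below

    public TokenAuthChannelInterceptor(TokenValidator tokenValidator) {
        this.tokenValidator = tokenValidator;
    }

    @Override
    public Message<?> preSend(Message<?> message, MessageChannel channel) {
        StompHeaderAccessor accessor =
                MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
        if (accessor != null && StompCommand.CONNECT.equals(accessor.getCommand())) {
            String token = accessor.getFirstNativeHeader(TOKEN_HEADER);
            String username = (token == null) ? null : tokenValidator.usernameFor(token);
            if (username == null) {
                // Reject the CONNECT (client receives a STOMP ERROR frame) instead of
                // letting the session silently continue as the anonymous user.
                throw new BadCredentialsException("Missing or invalid WebSocket token");
            }
            // The three-argument constructor marks the token as authenticated. Because
            // Authentication extends Principal, setUser() accepts it, and the
            // `user instanceof Authentication` check in SecurityContextChannelInterceptor passes.
            Authentication authentication = new UsernamePasswordAuthenticationToken(
                    username, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
            accessor.setUser(authentication);
        }
        return message;
    }

    /** Hypothetical token check: returns the username, or null if the token is not valid. */
    public interface TokenValidator {
        String usernameFor(String token);
    }
}
```

Had the CONNECT branch set a plain Principal (for example a lambda returning the username), the instanceof check would fail and every message on that session would be evaluated against the anonymous user.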

      People: Rossen Stoyanchev (rstoya05-aop), Steve Roy (stevedroy), Spring Issues

      Resolved: 3 years, 38 weeks, 1 day ago