
Reputation: 45

Spring security/Spring session/Web sockets

We are attempting to use a combination of spring session, spring security and websockets to implement security for a websocket API without using cookies.

Ideally we would be using a authorization header or authentication using the websocket/stomp messages but this does not seem to be possible with the current spring websocket support.

We are using a pre-auth provider to validate a query parameter token and log the user in. I can see that the proper user is pulled out in the pre-auth for the handshake but the SecurityContext is not available to interceptors wired into the websocket.

Our spring security configuration is

<!-- API security -->
<security:http use-expressions="false" realm="api" authentication-manager-ref="apiAuthenticationManager" entry-point-ref="accessDeniedAuthEntryPoint" pattern="/api/**" create-session="never">
    <security:custom-filter position="FIRST" ref="sessionRepositoryFilter" />
    <security:custom-filter position="PRE_AUTH_FILTER" ref="headerTokenAuthFilter" />
    <security:intercept-url pattern="/api/**" access="ROLE_USER" />

    <security:access-denied-handler  ref="accessDeniedHandler"  />


<security:authentication-manager id="apiAuthenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />

<bean id="headerTokenAuthFilter" class="" >
    <property name="authenticationManager" ref="apiAuthenticationManager"/>
    <property name="continueFilterChainOnUnsuccessfulAuthentication" value="false"/>
    <property name="checkForPrincipalChanges" value="true"/>
    <property name="sessionRepository" ref="sessionRepository" />

<bean id="accessDeniedHandler" class="" />
<bean id="accessDeniedAuthEntryPoint" class="" />

<bean id="sessionRepository" class="">
    <constructor-arg ref="jedisConnectionFactory"/>
<bean id="sessionRepositoryFilter" class="org.springframework.session.web.http.SessionRepositoryFilter">
    <constructor-arg ref="sessionRepository"/>

Our websocket configuration is

public class WebsocketConfiguration extends AbstractSessionWebSocketMessageBrokerConfigurer<ExpiringSession> {

private AuthenticationValidationInterceptor authenticationValidationInterceptor;
private SelectorQuotingInterceptor selectorQuotingInterceptor;
private SelectorValidationInterceptor selectorValidationInterceptor;

protected void configureStompEndpoints(StompEndpointRegistry registry) {

public void configureMessageBroker(MessageBrokerRegistry registry) {

public void configureClientInboundChannel(ChannelRegistration registration) {

public void configureClientOutboundChannel(ChannelRegistration registration) {



Upvotes: 1

Views: 4465

Answers (1)

Simon S
Simon S

Reputation: 86

Coworker of the accursed here. Our configuration is largely correct but our issue stemmed from a bit of a misunderstanding around the security context and its availability from the websocket side of things.

Comments gathered from various sub-issues of led us to grabbing the logged in user principal from the message in the interceptor

StompHeaderAccessor headerAccessor = StompHeaderAccessor.wrap(message);
Principal userPrincipal = headerAccessor.getUser();

Rather than


Upvotes: 2

Related Questions