How to Authenticate WebSocket in an Existing HTTP Environment with Spring Security
I have a fairly simple requirement (I'm using Spring-Security 4.0.1), but I can't find any examples on the web other than what this page said: http://docs.spring.io/spring/docs/ current / spring-framework-reference / html / websocket.html # websocket-server-handler
It is relatively easy to integrate a WebSocketHandler into another HTTP Serving Service using the WebSocketHttpRequestHandler.
What do I have . An implementation WebSocketHandler
that runs the job and the HTTP serving framework using basic authentication. Mine WebApplicationInitializer
looks like this:
public class MyWebAppInitializer implements WebApplicationInitializer {
@Override
public void onStartup(ServletContext servletContext) throws ServletException {
...
// WebSocket support - Handshake
Dynamic ws = servletContext.addServlet("webSocketHttpRequestHandler", new HttpRequestHandlerServlet());
ws.addMapping("/streaming/*");
// Spring Security Filter
FilterRegistration.Dynamic springSecurity = servletContext.addFilter("springSecurityFilterChain", new DelegatingFilterProxy());
springSecurity.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*");
}
}
This is how I connected the websocket endpoint to an existing web application. My WebSocket config class looks like (very simplified):
@Configuration
public class WebSocketServicesConfig{
@Bean
public WebSocketHttpRequestHandler webSocketHttpRequestHandler() {
return new WebSocketHttpRequestHandler(new StreamingWebSocketHandler());
}
}
StreamingWebSocketHandler
implements WebSocketHandler
.
I also have a RESTful web service (on the same server) that uses basic authentication configured.
What works . My RESTful web service works with any web browsers. I can make some authenticated requests (credentials can be sent in HTTP headers). WebSocket requests work and ask for authentication the first time I try it (FireFox pops up asking for credentials, as soon as I enter them, client and server can communicate via WebSocket messages). In my WebSocketHandler
Spring object: WebSocketSession
which contains information about authenticated user is correct (method #getPrincipal()
returns Authentication
containing rights granted to Authority, data, etc.). Please note that once the website is authenticated, I can rerun the request without re-entering.
What I want . From a user perspective, this is bad because the credentials are required twice:
- First for RESTful requests
- Second for WebSocket requests
How can I bypass the second authentication, assuming the first one succeeded? Is there a way to detect that the client is authenticated and not asking for credentials?
I donβt want to . I don't want to use Stomp over websocket and SockJs (I don't need to support old web browsers).
source to share
No one has answered this question yet
Check out similar questions: