Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Tree: 2fb056b5c1
Branches Tags
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
appendix
/
namespace
/
websocket.adoc

websocket.adoc 4.1 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889 
  1. [[nsa-websocket-security]]
    2. 

  2. = WebSocket Security
    3. 

  3. 

  4. Spring Security 4.0+ provides support for authorizing messages.
    5. 

  5. One concrete example of where this is useful is to provide authorization in WebSocket based applications.
    6. 

  6. 

  7. [[nsa-websocket-message-broker]]
    8. 

  8. == <websocket-message-broker>
    9. 

  9. 

  10. The `<websocket-message-broker>` element has two different modes.
    11. 

  11. If the <<nsa-websocket-message-broker-id,`websocket-message-broker@id`>> is not specified, it does the following things:
    12. 

  12. 

  13. * Ensure that any `SimpAnnotationMethodMessageHandler` has the `AuthenticationPrincipalArgumentResolver` registered as a custom argument resolver.
    14. 

  14. This allows the use of `@AuthenticationPrincipal` to resolve the principal of the current `Authentication`.
    15. 

  15. * Ensures that the `SecurityContextChannelInterceptor` is automatically registered for the `clientInboundChannel`.
    16. 

  16. This populates the `SecurityContextHolder` with the user that is found in the message.
    17. 

  17. * Ensures that a `CsrfChannelInterceptor` is registered with the `clientInboundChannel`.
    18. 

  18. This allows authorization rules to be specified for a message.
    19. 

  19. * Ensures that a CsrfChannelInterceptor is registered with the clientInboundChannel.
    20. 

  20. This ensures that only requests from the original domain are enabled.
    21. 

  21. * Ensures that a `CsrfTokenHandshakeInterceptor` is registered with a `WebSocketHttpRequestHandler`, a `TransportHandlingSockJsService`, or a `DefaultSockJsService`.
    22. 

  22. This ensures that the expected `CsrfToken` from the `HttpServletRequest` is copied into the WebSocket Session attributes.
    23. 

  23. 

  24. If additional control is necessary, you can specify the ID, and a `ChannelSecurityInterceptor` is assigned to the specified ID.
    25. 

  25. You can then manually wire Spring's messaging infrastructure.
    26. 

  26. This is more cumbersome, but doing so provides greater control over the configuration.
    27. 

  27. 

  28. 

  29. [[nsa-websocket-message-broker-attributes]]
    30. 

  30. === <websocket-message-broker> Attributes
    31. 

  31. 

  32. The `<websocket-message-broker>` element has the following attributes:
    33. 

  33. 

  34. [[nsa-websocket-message-broker-id]]
    35. 

  35. `id`::
    36. 

  36. A bean identifier, used to refer to the `ChannelSecurityInterceptor` bean elsewhere in the context.
    37. 

  37. If specified, Spring Security requires explicit configuration within Spring Messaging.
    38. 

  38. If not specified, Spring Security automatically integrates with the messaging infrastructure, as described in <<nsa-websocket-message-broker>>
    39. 

  39. 

  40. [[nsa-websocket-message-broker-same-origin-disabled]]
    41. 

  41. `same-origin-disabled`::
    42. 

  42. Disables the requirement for a CSRF token to be present in the Stomp headers.
    43. 

  43. Default: `false`
    44. 

  44. Changing the default lets other origins make SockJS connections.
    45. 

  45. 

  46. [[nsa-websocket-message-broker-children]]
    47. 

  47. === Child Elements of <websocket-message-broker>
    48. 

  48. 

  49. The `<websocket-message-broker>` element has the following child elements:
    50. 

  50. 

  51. * xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler]
    52. 

  52. * <<nsa-intercept-message,intercept-message>>
    53. 

  53. 

  54. [[nsa-intercept-message]]
    55. 

  55. == <intercept-message>
    56. 

  56. 

  57. The `<intercept-message>` defines an authorization rule for a message.
    58. 

  58. 

  59. 

  60. [[nsa-intercept-message-parents]]
    61. 

  61. === Parent Elements of <intercept-message>
    62. 

  62. 

  63. 

  64. The parent element of the `<intercept-message>` element is the <<nsa-websocket-message-broker,`websocket-message-broker`>> element.
    65. 

  65. 

  66. 

  67. [[nsa-intercept-message-attributes]]
    68. 

  68. === <intercept-message> Attributes
    69. 

  69. 

  70. The `<intercept-message>` element has the following attributes:
    71. 

  71. 

  72. [[nsa-intercept-message-pattern]]
    73. 

  73. `pattern`::
    74. 

  74. An Ant-based pattern that matches on the message destination.
    75. 

  75. For example, `/**` matches any message with a destination, while `/admin/**` matches any message that has a destination that starts with `/admin/`.
    76. 

  76. 

  77. [[nsa-intercept-message-type]]
    78. 

  78. `type`::
    79. 

  79. The type of message to match on.
    80. 

  80. SimpMessageType defines the valid values: `CONNECT`, `CONNECT_ACK`, `HEARTBEAT`, `MESSAGE`, `SUBSCRIBE`, `UNSUBSCRIBE`, `DISCONNECT`, `DISCONNECT_ACK`, and `OTHER`).
    81. 

  81. 

  82. [[nsa-intercept-message-access]]
    83. 

  83. `access`::
    84. 

  84. The expression used to secure the message.
    85. 

  85. Here are some examples:
    86. 

  86. +
    87. 

  87. * `denyAll`: Denies access to all of the matching messages.
    88. 

  88. * `permitAll`: Grants access to all of the matching Messages.
    89. 

  89. * `hasRole('ADMIN')`: Requires the current user to have a role of `ROLE_ADMIN` for the matching messages.
    90.