WebSocket Security
Spring Security 4.0+ provides support for authorizing messages. One concrete example of where this is useful is to provide authorization in WebSocket based applications.
<websocket-message-broker>
The websocket-message-broker element has two different modes. If the nsa-websocket-message-broker-id is not specified, then it will do the following things:
- Ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver. This allows the use of @AuthenticationPrincipal to resolve the principal of the current Authentication.
- Ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel. This populates the SecurityContextHolder with the user that is found in the Message.
- Ensures that a ChannelSecurityInterceptor is registered with the clientInboundChannel. This allows authorization rules to be specified for a message.
- Ensures that a CsrfChannelInterceptor is registered with the clientInboundChannel. This ensures that only requests from the original domain are enabled.
- Ensures that a CsrfTokenHandshakeInterceptor is registered with WebSocketHttpRequestHandler, TransportHandlingSockJsService, or DefaultSockJsService. This ensures that the expected CsrfToken from the HttpServletRequest is copied into the WebSocket Session attributes.
If additional control is necessary, the id can be specified and a ChannelSecurityInterceptor will be assigned to the specified id. All the wiring with Spring’s messaging infrastructure can then be done manually. This is more cumbersome, but provides greater control over the configuration.
<websocket-message-broker> Attributes
- id A bean identifier, used for referring to the ChannelSecurityInterceptor bean elsewhere in the context. If specified, Spring Security requires explicit configuration within Spring Messaging. If not specified, Spring Security will automatically integrate with the messaging infrastructure as described in <websocket-message-broker>.
- same-origin-disabled Disables the requirement for a CSRF token to be present in the Stomp headers (default false). Changing the default is useful if it is necessary to allow other origins to make SockJS connections.
- security-context-holder-strategy-ref Use this SecurityContextHolderStrategy (note: only supported in conjunction with the AuthorizationManager API).
<intercept-message>
Defines an authorization rule for a message.
<intercept-message> Attributes
- pattern An Ant-based pattern that matches on the Message destination. For example, "/**" matches any Message with a destination; "/admin/**" matches any Message that has a destination that starts with "/admin/".
- type The type of message to match on. Valid values are defined in SimpMessageType (i.e. CONNECT, CONNECT_ACK, HEARTBEAT, MESSAGE, SUBSCRIBE, UNSUBSCRIBE, DISCONNECT, DISCONNECT_ACK, OTHER).
- access The expression used to secure the Message. For example, "denyAll" will deny access to all of the matching Messages; "permitAll" will grant access to all of the matching Messages; "hasRole('ADMIN')" requires the current user to have the role 'ROLE_ADMIN' for the matching Messages.
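The following configuration is an added example (not taken from the Spring Security reference itself) that ties together the <websocket-message-broker> modes described above and the <intercept-message> attributes listed here. It uses the automatic mode (no id attribute), so Spring Security wires the ChannelSecurityInterceptor, SecurityContextChannelInterceptor and CsrfChannelInterceptor into the clientInboundChannel itself. The destination prefixes /user/ and /admin/ and the schema locations are assumptions for illustration; the rules are evaluated in order and the first matching <intercept-message> decides, so the catch-all denyAll rule is placed last.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: assumed bean file layout and schema locations. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- No id attribute: Spring Security registers the ChannelSecurityInterceptor,
         SecurityContextChannelInterceptor and CsrfChannelInterceptor on the
         clientInboundChannel automatically. same-origin-disabled is left at its
         default (false), so a CSRF token is still required in the STOMP CONNECT headers. -->
    <security:websocket-message-broker>

        <!-- Lifecycle frames every client needs before it is known; these carry
             no destination, so they are matched by type rather than pattern. -->
        <security:intercept-message type="CONNECT"     access="permitAll"/>
        <security:intercept-message type="UNSUBSCRIBE" access="permitAll"/>
        <security:intercept-message type="DISCONNECT"  access="permitAll"/>

        <!-- Destination-based rules, most specific first (first match wins).
             /user/** and /admin/** are assumed application prefixes. -->
        <security:intercept-message pattern="/user/**"  access="hasRole('USER')"/>
        <security:intercept-message pattern="/admin/**" access="hasRole('ADMIN')"/>

        <!-- Anything not explicitly permitted above (any other destination and any
             frame with a destination but no matching rule) is denied. -->
        <security:intercept-message pattern="/**" access="denyAll"/>

    </security:websocket-message-broker>

</beans>
```

If the id attribute were added (for example id="channelSecurityInterceptor"), only the ChannelSecurityInterceptor bean would be created and the same rules would apply, but the interceptor (and the SecurityContextChannelInterceptor and CsrfChannelInterceptor, if still wanted) would have to be referenced explicitly from the clientInboundChannel interceptors of the Spring Messaging broker configuration; the automatic mode shown here is the simpler choice unless that extra control is needed.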