WebSocket Security

Spring Security 4.0+ provides support for authorizing messages. One concrete example of where this is useful is to provide authorization in WebSocket based applications.

<websocket-message-broker>

The websocket-message-broker element has two different modes. If the nsa-websocket-message-broker-id is not specified, then it will do the following things:

  • Ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver. This allows the use of @AuthenticationPrincipal to resolve the principal of the current Authentication.

  • Ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel. This populates the SecurityContextHolder with the user that is found in the Message.

  • Ensures that a ChannelSecurityInterceptor is registered with the clientInboundChannel. This allows authorization rules to be specified for a message.

  • Ensures that a CsrfChannelInterceptor is registered with the clientInboundChannel. This ensures that only requests from the original domain are accepted.

  • Ensures that a CsrfTokenHandshakeInterceptor is registered with WebSocketHttpRequestHandler, TransportHandlingSockJsService, or DefaultSockJsService. This ensures that the expected CsrfToken from the HttpServletRequest is copied into the WebSocket Session attributes.

If additional control is necessary, the id can be specified and a ChannelSecurityInterceptor will be assigned to the specified id. All the wiring with Spring's messaging infrastructure can then be done manually. This is more cumbersome, but provides greater control over the configuration.

<websocket-message-broker> Attributes

  • id A bean identifier, used for referring to the ChannelSecurityInterceptor bean elsewhere in the context. If specified, Spring Security requires explicit configuration within Spring Messaging. If not specified, Spring Security will automatically integrate with the messaging infrastructure as described in <websocket-message-broker>.

  • same-origin-disabled Disables the requirement for a CSRF token to be present in the Stomp headers (default false). Changing the default is useful if it is necessary to allow other origins to make SockJS connections.

  • authorization-manager-ref Use this AuthorizationManager instance; when set, use-authorization-manager is ignored and assumed to be true.

  • use-authorization-manager Use the AuthorizationManager API instead of the SecurityMetadataSource API (defaults to true).

  • security-context-holder-strategy-ref Use this SecurityContextHolderStrategy (note: only supported in conjunction with the AuthorizationManager API).

Child Elements of <websocket-message-broker>

<intercept-message>

Defines an authorization rule for a message.

Parent Elements of <intercept-message>

  • websocket-message-broker

<intercept-message> Attributes

  • pattern An ant based pattern that matches on the Message destination. For example, "/**" matches any Message with a destination; "/admin/**" matches any Message whose destination starts with "/admin/".

  • type The type of message to match on. Valid values are defined in SimpMessageType (i.e. CONNECT, CONNECT_ACK, HEARTBEAT, MESSAGE, SUBSCRIBE, UNSUBSCRIBE, DISCONNECT, DISCONNECT_ACK, OTHER).

  • access The expression used to secure the Message. For example, "denyAll" will deny access to all of the matching Messages; "permitAll" will grant access to all of the matching Messages; "hasRole('ADMIN')" requires the current user to have the role 'ROLE_ADMIN' for the matching Messages.
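As an added example (not part of the reference text), here is a <websocket-message-broker> in its default mode, with a set of <intercept-message> rules that exercise the pattern, type and access attributes together. The destination prefixes /app, /topic, /queue and /user are assumptions; the rule ordering reflects how Spring Security's message authorization works, where the first matching rule wins.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">

    <!-- No id: the namespace wires SecurityContextChannelInterceptor,
         CsrfChannelInterceptor and ChannelSecurityInterceptor into the
         clientInboundChannel for us. same-origin-disabled is left at its
         default of false, so a CSRF token is still required in the STOMP headers. -->
    <sec:websocket-message-broker>

        <!-- Protocol-level frames that carry no destination: match on type only. -->
        <sec:intercept-message type="CONNECT"     access="permitAll"/>
        <sec:intercept-message type="HEARTBEAT"   access="permitAll"/>
        <sec:intercept-message type="UNSUBSCRIBE" access="permitAll"/>
        <sec:intercept-message type="DISCONNECT"  access="permitAll"/>

        <!-- Any authenticated user may receive their own error queue. -->
        <sec:intercept-message pattern="/user/queue/errors" type="SUBSCRIBE" access="isAuthenticated()"/>

        <!-- Application messages (SEND frames) require ROLE_USER. -->
        <sec:intercept-message pattern="/app/**" type="MESSAGE" access="hasRole('USER')"/>

        <!-- Broker subscriptions: the admin feed needs ROLE_ADMIN, the rest any login. -->
        <sec:intercept-message pattern="/topic/admin/**" type="SUBSCRIBE" access="hasRole('ADMIN')"/>
        <sec:intercept-message pattern="/topic/**"       type="SUBSCRIBE" access="isAuthenticated()"/>
        <sec:intercept-message pattern="/queue/**"       type="SUBSCRIBE" access="isAuthenticated()"/>

        <!-- Catch-all last: anything not explicitly allowed above is denied,
             including a client that sends directly to /topic/** to bypass the
             /app/** handlers, or any type listed as OTHER. -->
        <sec:intercept-message pattern="/**" access="denyAll"/>
    </sec:websocket-message-broker>
</beans>
```

Two things worth checking in your own rules: keep the denyAll rule last, since a rule placed after it can never match; and give CONNECT, HEARTBEAT, UNSUBSCRIBE and DISCONNECT rules without a pattern, because those frames carry no destination and a pattern-only catch-all would otherwise block them.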