Securing Spring WebSocket with Spring Security and accessing the Principal from WebSocket messages



Spring Security is a very good framework, widely used for authentication & authorization.

I have a requirement to authenticate the application using j_spring_security_check, and only authorized users should be able to send requests to the websocket handler.

I have configured Spring Security based on http://malalanayake.wordpress.com/2014/06/27/spring-security-on-rest-api/

I have configured the websocket based on http://syntx.io/using-websockets-in-java-using-spring-4/.

I want to access the MyPrincipal principal object from the handleTextMessage handler, as shown below:

    @Override
    protected void handleTextMessage(WebSocketSession session,
            TextMessage message) throws Exception {
        System.out.println("Protocol: "+session.getAcceptedProtocol());
        TextMessage returnMessage = new TextMessage(message.getPayload()
                + " received at server");
        System.out.println("myAttrib="
                + session.getAttributes().get("myAttrib"));
        MyPrincipal user = (MyPrincipal) ((Authentication) session
                .getPrincipal()).getPrincipal();
        System.out.println("User: " + user.getUserId());
        session.sendMessage(returnMessage);
    }

Please reply as soon as possible.

Adding an HttpSessionHandshakeInterceptor to the websocket configuration passes the Spring Security principal object from the SpringSecurityContext into the WebSocketSession.

Edit: HandshakeInterceptor.java

    import java.util.Map;

    import org.springframework.http.server.ServerHttpRequest;
    import org.springframework.http.server.ServerHttpResponse;
    import org.springframework.web.socket.WebSocketHandler;
    import org.springframework.web.socket.server.support.HttpSessionHandshakeInterceptor;

    // Extends HttpSessionHandshakeInterceptor, which copies HTTP session
    // attributes (and the authenticated principal) into the WebSocketSession.
    public class HandshakeInterceptor extends HttpSessionHandshakeInterceptor {
        @Override
        public boolean beforeHandshake(ServerHttpRequest request,
                ServerHttpResponse response, WebSocketHandler wsHandler,
                Map<String, Object> attributes) throws Exception {
            System.out.println("Before Handshake");
            return super.beforeHandshake(request, response, wsHandler, attributes);
        }

        @Override
        public void afterHandshake(ServerHttpRequest request,
                ServerHttpResponse response, WebSocketHandler wsHandler,
                Exception ex) {
            System.out.println("After Handshake");
            super.afterHandshake(request, response, wsHandler, ex);
        }
    }

websocket.xml

    <bean id="websocket" class="co.syntx.example.websocket.handler.WebsocketEndPoint"/>
    <websocket:handlers>
        <websocket:mapping path="/websocket" handler="websocket"/>
        <websocket:handshake-interceptors>
            <bean class="co.syntx.example.websocket.HandshakeInterceptor"/>
        </websocket:handshake-interceptors>
    </websocket:handlers>

Make sure your WebSocket endpoint is protected by Spring Security and that you log in first. (If not, you get a 401.)

Tested with the 3.2.7 and 4.0.2 releases.

With both versions:

  • session.getPrincipal() <-- has a value here
  • SecurityContextHolder.getContext().getAuthentication() <-- is null here

    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            .httpBasic().and()
            .authorizeRequests()
    

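Tying the two answers together, as an added example that is not code from the question or either answer: the interceptor refuses the upgrade when the HTTP request carries no authenticated principal, and the handler takes the caller's identity from session.getPrincipal() (copied at handshake) rather than from SecurityContextHolder, which is empty on the WebSocket container thread. The class names AuthenticatedHandshakeInterceptor and SecuredEchoHandler are assumed.

```java
import java.security.Principal;
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.web.socket.CloseStatus;
import org.springframework.web.socket.TextMessage;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.WebSocketSession;
import org.springframework.web.socket.handler.TextWebSocketHandler;
import org.springframework.web.socket.server.support.HttpSessionHandshakeInterceptor;

// Assumed class name. Refuses the handshake unless the HTTP request
// (and therefore the Spring Security filter chain) already authenticated the user.
class AuthenticatedHandshakeInterceptor extends HttpSessionHandshakeInterceptor {
    @Override
    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
            WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {
        Principal principal = request.getPrincipal();
        if (principal == null) {
            // Not logged in: fail the upgrade instead of letting an anonymous socket through.
            response.setStatusCode(HttpStatus.FORBIDDEN);
            return false;
        }
        // Parent copies the HTTP session attributes and principal into the WebSocketSession.
        return super.beforeHandshake(request, response, wsHandler, attributes);
    }
}

// Assumed class name. Checks the session principal on every message, since
// SecurityContextHolder.getContext().getAuthentication() is null on this thread.
class SecuredEchoHandler extends TextWebSocketHandler {
    @Override
    protected void handleTextMessage(WebSocketSession session, TextMessage message)
            throws Exception {
        Principal principal = session.getPrincipal();
        if (!(principal instanceof Authentication)
                || !((Authentication) principal).isAuthenticated()) {
            // Defensive: a session without an authenticated principal is closed, not served.
            session.close(CloseStatus.POLICY_VIOLATION);
            return;
        }
        String user = ((Authentication) principal).getName();
        session.sendMessage(new TextMessage(user + ": " + message.getPayload()));
    }
}
```

Register AuthenticatedHandshakeInterceptor in the websocket:handshake-interceptors element in place of the logging interceptor above.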