问题
Currently we have Rest app with Spring Boot, Spring Session (Redis) and Spring Security. We use basic auth. Now I would like to add websocket support.
When client logs in successfully to other part of application, he gets x-auth-token. It is passed later as header, and it works.
Then websocket client sends this token as query parameter to connect to service.
We would like to make Spring Security and Spring Session accept token through query param in websocket connection. Is there any parameter that I can set? Or do we need to write custom authentication provider. If so, how do we integrate with Spring Session?
回答1:
You can use queryString parameter for this, but I had the same issue, and my suggestion is to pass your token with headers at subscription time, or while sending messages from your JS client.
As you have a custom filter to handle your X-Auth-Token, Spring security doesn't support defining a custom-filter at websocket interceptors defined in Security.xml . All you need is to implement interceptor for inbound channel , and to handle token authentication through access of nativeHeader sent with messages at Presend method, through an injected instance of your token authentication service.
来源:https://stackoverflow.com/questions/30499043/spring-session-basic-auth-token-passed-as-query-parameter-in-spring-websocket