总结 我想通过STOMP实现websocket通信.在第一次(HTTP请求)websocket握手时验证用户,并使用此Principal稍后授权websocket消息.
问题 系统在第一次尝试连接到websocket端点(HTTP握手的时间)时对客户端进行身份验证.我的Spring安全过滤器和身份验证提供程序完成其工作并正确验证客户端.在此之后,我可以检查客户端是否获得了角色,我的身份验证对象也存储在SecurityContext中.(此时已建立websocket连接,并且已丢弃HTTP协议.)但是,从第一个websocket通信我得到Authentication对象是Anonymous,因为SecurityContextHolder以某种方式被清除,因为SecurityContextChannelInterceptor清除它.
Spring文档声明如下:http://docs.spring.io/autorepo/docs/spring-security/current/reference/htmlsingle/#websocket-authentication
WebSockets重用与WebSocket连接时在HTTP请求中找到的相同身份验证信息.这意味着HttpServletRequest上的Principal将被移交给WebSockets.如果您使用的是Spring Security,则会自动覆盖HttpServletRequest上的Principal.
我非常简单的过滤器
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
try {
Authentication authResult =
new CertAuthenticationToken(null, Arrays.asList(new SimpleGrantedAuthority("ROLE_ADMIN")));
authResult = getAuthenticationManager().authenticate(authResult);
if (authResult.isAuthenticated()) {
SecurityContextHolder.getContext().setAuthentication(authResult);
LOGGER.info("Client was authenticated.");
}
chain.doFilter(request, response);
} catch (AuthenticationException ae) {
LOGGER.error("Client was not authenticated. {}", ae);
SecurityContextHolder.clearContext();
onUnsuccessfulAuthentication((HttpServletRequest) request, (HttpServletResponse) response, ae);
throw ae;
}
}
我非常简单的认证提供商
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
authentication.setAuthenticated(true);
return …spring spring-security spring-boot spring-messaging spring-websocket