Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Providing auth header with SockJS

Tags:

rest

spring

model-view-controller

websocket

sockjs

I have a Spring MVC server that provides a bunch of REST endpoints as well as a websocket endpoint. Everything except the login endpoint requires authentication. I'm using JWT to authenticate requests coming from the client.

When the user logs in I'm returning an X-AUTH-TOKEN header, containing the JWT token. This token is then passed in the same header on every request to the server. This all works fine for the REST endpoints, but I can't figure out how to do this on the websocket.

I'm using SockJS, and when I open the connection:

var socket = new SockJS('/socket/updates', null, {});

This causes a GET request to /socket/updates/info?t=xxx which returns a 403 (as everything requires auth by default).

Ideally I'd simply send my X-AUTH-TOKEN header on any XHR requests SockJS makes, but I can't see any way of adding headers looking at the API.

Worst case I can change SockJS to do this, but I'm wondering whether this functionality has been deliberately left out? I know SockJS doesn't support cookies for security reasons but that's not what I'm trying to do.

Also, for the sake of a test I did allow the info endpoint to have anonymous access but then it 403's on a bunch of other endpoints - it feels more elegant to simply pass in auth details on these requests than poke holes in my server security.

Any help appreciated.

Cheers

like image 644
L Morris Avatar asked Sep 04 '15 08:09

L Morris

2 Answers

You cannot set the header from SockJS. Not because SockJS does not have this functionality, but because browser makers don't expose this API to Javascript. See:

https://github.com/sockjs/sockjs-client/issues/196

For a workaround, see JSON Web Token (JWT) with Spring based SockJS / STOMP Web Socket.

like image 192
Raman Avatar answered Sep 25 '22 20:09

Raman

client side:

stompClient.connect({headername:header}, function () {
                setConnected(true);
                stompClient.subscribe(request.topic, function (message) {
                    output(message.body);
                });
            });

server side :

StompHeaderAccessor accessor
                        = MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);

 String headervalue= accessor.getNativeHeader("your header name").get(0);
like image 23
ahll Avatar answered Sep 25 '22 20:09

ahll
Sign in to Comment

Related questions

Weird NPE on BatchingBatcher "JDBC driver did not return the expected number of row counts"
JSF custom component with @FacesComponent is not found in Spring Boot
@RabbitListener method testing in SpringBoot app
Spring Batch asynchronous processor configuration for best performance
Array with UserType in Hibernate and PostgreSQL --> MappingException
Is the @Query annotation in spring SQL Injection safe?
How to make Spring's @Autowired to work in JUnit 5 extensions? [duplicate]
How to do spring request parameter conversion
JUnit tests fail when run together, but pass individually
How to set environment variables/app secrets in Google App Engine
How to bulk delete records using temporary tables in Hibernate?
How to programmatically replace Spring's NumberFormatException with a user-friendly text?
Spring "The request was rejected because the URL was not normalized." How to tell what url was used?
Spring @Transaction not starting transactions
Why did PropertyDescriptor behavior change from Java 1.6 to 1.7?
QueryDsl web query on the key of a Map field
Table name configured with external properties file
Spring Boot Actuator to run in separate thread pool
Spring JPA - org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean cannot be cast to javax.persistence.EntityManagerFactory
Replying multiple times over web-socket without spring authentication

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!