I created a simple app that uses the WebSocket mechanism of Spring 4. In my app I use an ActiveMQ broker.
In my simple test I create 10 messages for a user named "Alejando" (user/alejandro/queue/greetings).
When I log in with "Alejando" and subscribe to that queue:
// client side: subscribe to the per-user queue and render each greeting's "content" field
stompClient.subscribe('/user/alejandro/queue/greetings', function (greeting) {
    showGreeting(JSON.parse(greeting.body).content);
});
I indeed receive all 10 messages that were enqueued for alejandro.
The problem is that when I log in with a different user named "evilBart" and subscribe to the queue of alejandro, I receive the messages as well.
How can I enforce security for that? I would like that a user can only subscribe to its own queue.
Thanks!
My config class:
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        // relay /queue, /topic and /user destinations straight to the ActiveMQ broker
        config.enableStompBrokerRelay("/queue/", "/topic", "/user/");
        // messages from clients prefixed with /app are routed to @MessageMapping methods
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // STOMP endpoint the browser connects to, with SockJS fallback
        registry.addEndpoint("/hello").withSockJS();
    }
}
Check this similar question: you have to authenticate the user via HTTP using Spring Security, and then send messages to users using the SimpMessagingTemplate.convertAndSendToUser() method.
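The following is an added example, not code from the asker or from the answer above, showing what that answer looks like in practice on Spring 4. It assumes Spring Security already protects the HTTP handshake with a form or basic login; the class names, the "/app/greet" mapping and the payload shape are my own assumptions. The two points it demonstrates: "/user/" is left out of the broker relay prefixes so that Spring's user-destination handling rewrites "/user/queue/greetings" into a per-session queue before anything reaches ActiveMQ, and the recipient of convertAndSendToUser() is taken from the authenticated Principal rather than from anything the client sends.

```java
// Added example: private per-user queues with Spring 4 WebSocket + Spring Security.
// Class names, the "/app/greet" mapping and the payload are assumptions, not the asker's code.
package example;

import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.handler.annotation.MessageMapping;
import org.springframework.messaging.simp.SimpMessagingTemplate;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
import org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer;
import org.springframework.stereotype.Controller;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

@Configuration
@EnableWebSocketMessageBroker
public class SecureWebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        // Only /queue and /topic are relayed to ActiveMQ. "/user/" is deliberately
        // NOT a broker prefix: it stays Spring's user-destination prefix, so a client
        // subscription to "/user/queue/greetings" is translated to a queue name that
        // is unique to that client's authenticated session. A client cannot name
        // another user's queue, because the username never appears in the path.
        config.enableStompBrokerRelay("/queue/", "/topic/");
        config.setApplicationDestinationPrefixes("/app");
        config.setUserDestinationPrefix("/user/"); // the default, shown explicitly
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // The SockJS/WebSocket handshake is a normal HTTP request, so it passes through
        // Spring Security's filter chain and the session arrives already authenticated.
        registry.addEndpoint("/hello").withSockJS();
    }
}

// Message-level authorization (Spring Security 4+): only authenticated sessions may
// send to /app/** or subscribe to /user/** and /topic/**; everything else is denied.
@Configuration
class WebSocketAuthorizationConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {

    @Override
    protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
        messages
            .nullDestMatcher().authenticated()          // CONNECT, DISCONNECT, UNSUBSCRIBE
            .simpDestMatchers("/app/**").authenticated()
            .simpSubscribeDestMatchers("/user/**", "/topic/**").authenticated()
            .anyMessage().denyAll();
    }
}

@Controller
class GreetingController {

    private final SimpMessagingTemplate messagingTemplate;

    @Autowired
    GreetingController(SimpMessagingTemplate messagingTemplate) {
        this.messagingTemplate = messagingTemplate;
    }

    // The browser sends to "/app/greet". The Principal is resolved by Spring from the
    // authenticated session, so the sender cannot choose whose queue is written to.
    // Client side (JavaScript, for reference):
    //   stompClient.subscribe('/user/queue/greetings', function (greeting) { ... });
    @MessageMapping("/greet")
    public void greet(String text, Principal principal) {
        Map<String, String> payload = new HashMap<String, String>();
        payload.put("content", "Hello, " + text + "!");
        // Delivered only to the session(s) of 'principal' that subscribed to
        // "/user/queue/greetings"; other users never see this queue.
        messagingTemplate.convertAndSendToUser(principal.getName(), "/queue/greetings", payload);
    }
}
```

With this layout, evilBart can still subscribe to "/user/queue/greetings", but Spring resolves that path to evilBart's own session queue, and messages addressed to alejandro with convertAndSendToUser() are never routed there. Note that Spring Security's WebSocket support also enforces a same-origin check via a CSRF token in the STOMP CONNECT headers; the browser has to send that token (or the check has to be explicitly disabled) before the configuration above will accept connections.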