Spring Session,Websocket,REST令牌安全
[英]Spring Session, Websocket, REST Token Security
问题描述
We currently have a Spring application which contains a REST API and also Websocket broker endpoints to get realtime updates on database changes. 
当前,我们有一个Spring应用程序,其中包含REST API和Websocket Broker端点,以获取数据库更改的实时更新。
We've successfully migrated to the Spring Session project with an embedded redis server which authenticates by basic auth and a session id can be used on subsequent requests as an x-auth-token header. 我们已经成功地使用嵌入式redis服务器迁移到了Spring Session项目,该服务器通过基本身份验证进行身份验证,并且会话ID可以在后续请求中用作x-auth-token标头。
The issue we're having is to secure the Websocket. 我们面临的问题是保护Websocket的安全。 On Angular, we have a wrapper directive around the stomp.js / sockjs libraries but we can't seem to figure out how to set the x-auth-token header on the Websocket upgrade requests. 在Angular上,我们在stomp.js / sockjs库周围有一个包装指令,但似乎无法弄清楚如何在Websocket升级请求中设置x-auth-token标头。
Are we doing something wrong? 我们做错什么了吗? What would be the recommended way to approach this kind of security scheme? 建议采用哪种安全方式来处理这种安全方案?
Stack: 堆:
- Tomcat 7.0.57 的Tomcat 7.0.57
- Spring Security 4.0.0.RC2 Spring Security 4.0.0.RC2
- Spring Session 1.0.0.RELEASE 春季会议1.0.0.RELEASE
- Spring MVC 4.1.4 Spring MVC 4.1.4
- AngularJS 1.2.28 AngularJS 1.2.28
1 个解决方案
解决方案1
0 已采纳 2015-03-23 14:37:45
Looks like the JS Websocket API doesn't allow setting HTTP headers on the initial handshake and upgrade request. 看起来JS Websocket API不允许在初始握手和升级请求上设置HTTP标头。
The proper scheme would be to send an authentication token on the CONNECT frame and handle it accordingly on the server side. 正确的方案是在CONNECT帧上发送身份验证令牌,并在服务器端相应地进行处理。 So for now we've migrated to browser cookie sessions until we can find a suitable implementation for this on the server side. 因此,到目前为止,我们已经迁移到浏览器cookie会话,直到我们在服务器端找到合适的实现。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.