Websocket安全性定义不起作用
[英]Websocket security definition doesn't work
问题描述
I have following websocket security configuration: 
我有以下websocket安全配置:
@Configuration
public class WebSocketAuthorizationSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {
@Override
protected void configureInbound(final MessageSecurityMetadataSourceRegistry messages) {
// You can customize your authorization mapping here.
//messages.anyMessage().authenticated();
messages.simpDestMatchers("/hello").hasRole("ADMIN");
}
// TODO: For test purpose (and simplicity) i disabled CSRF, but you should re-enable this and provide a CRSF endpoint.
@Override
protected boolean sameOriginDisabled() {
return true;
}
}
I expect that only admin can send messages into the /hello topic. 我希望只有管理员才能将消息发送到/hello主题。
and following security configuration: 以及以下安全配置:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private static final String SECURE_ADMIN_PASSWORD = "rockandroll";
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.formLogin()
.loginPage("/index.html")
.loginProcessingUrl("/login")
.defaultSuccessUrl("/sender.html")
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/index.html")
.permitAll()
.and()
.authorizeRequests()
.antMatchers("/js/**", "/lib/**", "/images/**", "/css/**", "/index.html", "/","/*.css","/webjars/**", "/*.js").permitAll()
.antMatchers("/websocket").hasRole("ADMIN")
.requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ADMIN")
.anyRequest().authenticated();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(new AuthenticationProvider() {
@Override
public boolean supports(Class<?> authentication) {
return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
List<GrantedAuthority> authorities = SECURE_ADMIN_PASSWORD.equals(token.getCredentials()) ?
AuthorityUtils.createAuthorityList("ROLE_ADMIN") : null;
return new UsernamePasswordAuthenticationToken(token.getName(), token.getCredentials(), authorities);
}
});
}
}
Also I have following websocket controller: 我也有以下websocket控制器:
@MessageMapping("/hello")
@SendTo("/topic/greetings")
public Greeting greeting(@Payload HelloMessage message, Principal principal) throws Exception {
Thread.sleep(1000); // simulated delay
simpMessagingTemplate.convertAndSendToUser(principal.getName(), "/queue/greetings", new Greeting("Ololo"));
return new Greeting("Hello, " + HtmlUtils.htmlEscape(message.getName()) + "!");
}
Next I login as user/pass (It is not admin). 接下来,我以用户名/密码登录(不是管理员)。
And client successfully sends messages to the /hello topic: 客户端成功将消息发送到/hello主题:
stompClient.send("/app/hello", {}, JSON.stringify({'name': $("#name").val()}));
and method greeting invokes successfully. 和方法greeting成功调用。
What do I wrong? 我怎么了
1 个解决方案
解决方案1
0 2018-04-27 10:07:22
在我提供以下定义(添加/app )后,它开始工作:
messages.simpDestMatchers("/app/hello").hasRole("ADMIN");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
Websocket客户端无法在applet中工作 - Websocket client doesn't work from applet
Tomcat 7:WebSocket升级不起作用 - Tomcat 7: WebSocket upgrade doesn't work
Spring Security @PreAuthorize注释不起作用 - Spring Security @PreAuthorize annotaion doesn't work
Spring Security禁用rememberMe不起作用 - Spring Security disable rememberMe doesn't work
Spring安全性不适用于angularJS - Spring security doesn't work with angularJS
Spring Security Taglib不起作用 - Spring Security taglib doesn't work
Spring安全和Thymeleaf不起作用 - Spring security and Thymeleaf doesn't work
CrossOrigin注释不适用于Spring Security - CrossOrigin annotation doesn't work with spring security
春季安全+休息不起作用 - spring security + rest doesn't work
使用 Spring 保护应用程序安全不起作用 - Securing app with Spring Security doesn't work
相关标签