Minor refactoring in STOMP documentation

Closes gh-27906
This commit is contained in:
rstoyanchev
2022-01-12 07:20:58 +00:00
parent 7665424ea8
commit 01231fe923

View File

@@ -1724,19 +1724,11 @@ HTTP session (which is then associated with WebSocket or SockJS sessions created
for that user) and results in a user header being stamped on every `Message` flowing
through the application.
Note that the STOMP protocol does have `login` and `passcode` headers
on the `CONNECT` frame. Those were originally designed for and are still needed,
for example, for STOMP over TCP. However, for STOMP over WebSocket, by default,
Spring ignores authorization headers at the STOMP protocol level, assumes that
the user is already authenticated at the HTTP transport level, and expects that
the WebSocket or SockJS session contain the authenticated user.
NOTE: Spring Security provides
https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
Also, Spring Session provides
https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
that ensures the user's HTTP session does not expire while the WebSocket session is still active.
The STOMP protocol does have `login` and `passcode` headers on the `CONNECT` frame.
Those were originally designed for and are needed for STOMP over TCP. However, for STOMP
over WebSocket, by default, Spring ignores authentication headers at the STOMP protocol
level, and assumes that the user is already authenticated at the HTTP transport level.
The expectation is that the WebSocket or SockJS session contain the authenticated user.
@@ -1814,6 +1806,18 @@ its own implementation of `WebSocketMessageBrokerConfigurer` that is marked with
[[websocket-stomp-authorization]]
=== Authorization
Spring Security provides
https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
Also, Spring Session provides
https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
that ensures the user's HTTP session does not expire while the WebSocket session is still active.
[[websocket-stomp-user-destination]]
=== User Destinations