Minor refactoring in STOMP documentation
Closes gh-27906
This commit is contained in:
@@ -1724,19 +1724,11 @@ HTTP session (which is then associated with WebSocket or SockJS sessions created
|
||||
for that user) and results in a user header being stamped on every `Message` flowing
|
||||
through the application.
|
||||
|
||||
Note that the STOMP protocol does have `login` and `passcode` headers
|
||||
on the `CONNECT` frame. Those were originally designed for and are still needed,
|
||||
for example, for STOMP over TCP. However, for STOMP over WebSocket, by default,
|
||||
Spring ignores authorization headers at the STOMP protocol level, assumes that
|
||||
the user is already authenticated at the HTTP transport level, and expects that
|
||||
the WebSocket or SockJS session contain the authenticated user.
|
||||
|
||||
NOTE: Spring Security provides
|
||||
https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
|
||||
that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
|
||||
Also, Spring Session provides
|
||||
https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
|
||||
that ensures the user's HTTP session does not expire while the WebSocket session is still active.
|
||||
The STOMP protocol does have `login` and `passcode` headers on the `CONNECT` frame.
|
||||
Those were originally designed for and are needed for STOMP over TCP. However, for STOMP
|
||||
over WebSocket, by default, Spring ignores authentication headers at the STOMP protocol
|
||||
level, and assumes that the user is already authenticated at the HTTP transport level.
|
||||
The expectation is that the WebSocket or SockJS session contain the authenticated user.
|
||||
|
||||
|
||||
|
||||
@@ -1814,6 +1806,18 @@ its own implementation of `WebSocketMessageBrokerConfigurer` that is marked with
|
||||
|
||||
|
||||
|
||||
[[websocket-stomp-authorization]]
|
||||
=== Authorization
|
||||
|
||||
Spring Security provides
|
||||
https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
|
||||
that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
|
||||
Also, Spring Session provides
|
||||
https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
|
||||
that ensures the user's HTTP session does not expire while the WebSocket session is still active.
|
||||
|
||||
|
||||
|
||||
[[websocket-stomp-user-destination]]
|
||||
=== User Destinations
|
||||
|
||||
|
||||
Reference in New Issue
Block a user