mrniko / netty-socketio

Socket.IO server implemented on Java. Realtime java framework
Apache License 2.0
6.82k stars 1.65k forks

How can we integrate with spring security #110

Open tanmally opened 10 years ago

tanmally commented 10 years ago

How can we wire netty-socketio to use Spring Security? We need to use JSESSIONID to identify the user, but how do we get the id from netty-socketio? I think netty-socketio generates its own UUID; can we make it use JSESSIONID instead, and if so, how do we do it?

mrniko commented 10 years ago

Try to use com.corundumstudio.socketio.AuthorizationListener, so you can pass the jsessionid in the Socket.IO initial connection url, like /socket.io/1/?t=1395237373472&jsessionid= , and get it in the listener via HandshakeData.getSingleUrlParam, for example.

Mike-Sinistralis commented 9 years ago

This involves exposing the JSESSIONID to the client which is incredibly insecure. Is there no better way?

mrniko commented 9 years ago

@Sinistralis do you need access to the HTTP headers?

Mike-Sinistralis commented 9 years ago

@mrniko I'm honestly not sure. I pulled down the sources and was mucking around in the AuthorizationHandler in your Netty pipeline, and it was not receiving the JSESSIONID in that request either. That might be an implementation fault on my own end, though. My suspicion is that since the netty server runs on a separate port from the HTTP server, the request doesn't pass along the cookie/header, which is something I'm not sure how to work around. If that's not the case, then I'm honestly not sure what's going on. The websocket is also completely bypassing our Spring Security filters.

Mike-Sinistralis commented 9 years ago

After some more experimenting, I found a way to get context of the JSESSIONID from the HTTP request, but I'm not sure if I like it or how viable it is outside of localhost.

The JSESSIONID specifically wants a hostname and contextpath match. The port doesn't matter, so as long as you connect to the same domain and path as your spring security root, you will have context of the JSESSIONID on the AuthorizeHandler (which needs forwarded to the AuthorizationListener). This is assuming you set context for the JSESSIONID. If you have it just with the domain, then this is likely simpler?

Example:

www.domain.com/index (HTTP site root)
www.domain.com:8070/index (Netty-SocketIO Server Context)

At channelRead in the AuthorizeHandler, msg will contain your JSESSIONID.

Of course now the question is how to get the context
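
The following is an added example, not code from netty-socketio or from anyone in this thread. It puts together the two approaches discussed above: it first looks for JSESSIONID in the handshake's Cookie header (sent by the browser when the Socket.IO hostname and cookie path match, as described in the previous comment) and only falls back to the jsessionid url parameter mrniko suggested, since a session id in the url ends up in access logs, Referer headers and browser history. Assumptions: the netty-socketio 1.7.x API, where AuthorizationListener#isAuthorized returns a boolean and HandshakeData exposes getHttpHeaders() and getSingleUrlParam(); Java 8; a hypothetical SessionLookup adapter standing in for the servlet container's session registry (or Spring Session); the hostnames and port from the example above; and an Origin check added here because accepting a cookie on a WebSocket handshake without one leaves the endpoint open to cross-site WebSocket hijacking.

```java
// Added example; not part of netty-socketio or this thread.
// Assumes netty-socketio 1.7.x (AuthorizationListener#isAuthorized returns boolean) and Java 8.
import java.util.Optional;

import com.corundumstudio.socketio.AuthorizationListener;
import com.corundumstudio.socketio.Configuration;
import com.corundumstudio.socketio.HandshakeData;
import com.corundumstudio.socketio.SocketIOServer;

public class SessionAuthorizationExample {

    /** Hypothetical adapter over the servlet container's session store (or Spring Session). */
    public interface SessionLookup {
        /** Returns the authenticated principal for a live session id, or empty if unknown or expired. */
        Optional<String> principalFor(String sessionId);
    }

    /** Assumed origin of the HTTP site whose login session we trust (hypothetical value). */
    static final String ALLOWED_ORIGIN = "https://www.domain.com";

    /**
     * Pulls JSESSIONID out of the handshake. The Cookie header is preferred: the browser sends
     * it when the Socket.IO hostname and path fall inside the cookie's scope (the port is not
     * part of cookie scope). The url parameter is only a fallback, because it leaks the id.
     */
    static String extractSessionId(HandshakeData data) {
        String cookieHeader = data.getHttpHeaders().get("Cookie");
        if (cookieHeader != null) {
            // Minimal "name=value; name=value" parsing; avoids depending on a Netty cookie decoder version
            for (String pair : cookieHeader.split(";")) {
                String[] kv = pair.trim().split("=", 2);
                if (kv.length == 2 && "JSESSIONID".equals(kv[0])) {
                    return kv[1];
                }
            }
        }
        return data.getSingleUrlParam("jsessionid");
    }

    /** Builds the listener that gates the handshake on a live, known session. */
    public static AuthorizationListener sessionListener(final SessionLookup sessions) {
        return new AuthorizationListener() {
            @Override
            public boolean isAuthorized(HandshakeData data) {
                // Browsers send Origin on WebSocket handshakes; reject foreign pages that could
                // otherwise ride on the user's cookie (cross-site WebSocket hijacking).
                String origin = data.getHttpHeaders().get("Origin");
                if (origin != null && !ALLOWED_ORIGIN.equals(origin)) {
                    return false;
                }
                String sid = extractSessionId(data);
                // No session id, or one the container does not know: refuse the connection
                return sid != null && sessions.principalFor(sid).isPresent();
            }
        };
    }

    public static void main(String[] args) {
        // Stand-in session store (constructed); replace with a lookup against the real session registry
        final SessionLookup sessions =
                sid -> "1234".equals(sid) ? Optional.of("alice") : Optional.empty();

        Configuration config = new Configuration();
        config.setHostname("www.domain.com");   // same host as the HTTP site, so the cookie is sent
        config.setPort(8070);
        config.setAuthorizationListener(sessionListener(sessions));

        final SocketIOServer server = new SocketIOServer(config);
        server.addConnectListener(client -> {
            // Resolve again on connect (the session may have expired since the handshake)
            // and pin the principal to the client for later event handlers.
            String sid = extractSessionId(client.getHandshakeData());
            String principal = sid == null ? null : sessions.principalFor(sid).orElse(null);
            if (principal == null) {
                client.disconnect();
                return;
            }
            client.set("principal", principal);
        });
        server.start();
    }
}
```

Event handlers can then read client.get("principal") instead of re-checking the cookie. Note that the session id is still read from the handshake on every connect: if the user logs out of the HTTP site, existing Socket.IO connections stay up until the listener or a periodic re-check disconnects them.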

mrniko commented 9 years ago

Of course now the question is how to get the context

Do you mean the /index part of the url or Spring Security Context?

Mike-Sinistralis commented 9 years ago

Oh no. I meant the session context since netty uses a custom http request object. I don't think this would be a job for this library. Having the http request on the SocketIOClient would be awesome though. Want me to put that together?

kennywk commented 8 years ago

Has there been any updates with this? Would be nice to see a small example of how to utilize spring security with this project as it's the security cornerstone of my project.