Open jasonrichdarmawan opened 3 years ago
Hi @jasonrichdarmawan,
Have you tried creating a DelegatingHttpSessionIdResolver that could try to resolve the session id from the cookie, and, if not present, try to resolve it from the HTTP header? Something like:
```java
import java.util.List;
import javax.servlet.http.HttpServletRequest; // jakarta.servlet.http on Spring Session 3.x
import org.springframework.session.web.http.CookieHttpSessionIdResolver;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;

public class DelegatingHttpSessionIdResolver implements HttpSessionIdResolver {
    private final CookieHttpSessionIdResolver cookieResolver = new CookieHttpSessionIdResolver();
    private final HeaderHttpSessionIdResolver headerResolver = HeaderHttpSessionIdResolver.xAuthToken();

    @Override
    public List<String> resolveSessionIds(HttpServletRequest request) {
        // Prefer the session cookie; fall back to the X-Auth-Token header only when no cookie is present
        List<String> cookieSessionIds = this.cookieResolver.resolveSessionIds(request);
        if (cookieSessionIds == null || cookieSessionIds.isEmpty()) {
            return this.headerResolver.resolveSessionIds(request);
        }
        return cookieSessionIds; // cookie found: use it
    }

    // ... setSessionId(...) and expireSession(...) also need to be implemented
}
```
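Working the suggestion above out in full, as an added example that is neither the project's code nor the commenter's: a resolver that tries an ordered list of delegates (cookie first, then X-Auth-Token) and the bean that makes Spring Session use it. The class name OrderedHttpSessionIdResolver, the javax.servlet imports and Java 11 or later are assumptions; note that HttpSessionIdResolver only sees the HTTP upgrade handshake, so the token must be on that request, not in the STOMP CONNECT frame.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;   // jakarta.servlet.http.* on Spring Session 3.x
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieHttpSessionIdResolver;
import org.springframework.session.web.http.HeaderHttpSessionIdResolver;
import org.springframework.session.web.http.HttpSessionIdResolver;
// Tries each delegate in order and uses the first one that finds a session id. Writes and
// expiries go to every delegate, so cookie and X-Auth-Token clients each get the id back.
public class OrderedHttpSessionIdResolver implements HttpSessionIdResolver {
    private final List<HttpSessionIdResolver> delegates;
    public OrderedHttpSessionIdResolver(List<HttpSessionIdResolver> delegates) {
        this.delegates = List.copyOf(delegates); // defensive copy; list order is the priority order
    }

    @Override
    public List<String> resolveSessionIds(HttpServletRequest request) {
        for (HttpSessionIdResolver delegate : this.delegates) {
            List<String> ids = delegate.resolveSessionIds(request);
            if (ids != null && !ids.isEmpty()) {
                return ids; // first match wins: cookie before header in the config below
            }
        }
        return List.of(); // nothing found: Spring Session treats the request as having no session
    }

    @Override
    public void setSessionId(HttpServletRequest request, HttpServletResponse response, String sessionId) {
        this.delegates.forEach(d -> d.setSessionId(request, response, sessionId));
    }

    @Override
    public void expireSession(HttpServletRequest request, HttpServletResponse response) {
        this.delegates.forEach(d -> d.expireSession(request, response));
    }
}

@Configuration
@EnableRedisHttpSession
class SessionConfig {
    // SessionRepositoryFilter uses this bean on every HTTP request, including the
    // WebSocket upgrade handshake; STOMP CONNECT frame headers never reach it.
    @Bean
    public HttpSessionIdResolver httpSessionIdResolver() {
        return new OrderedHttpSessionIdResolver(
                List.of(new CookieHttpSessionIdResolver(), HeaderHttpSessionIdResolver.xAuthToken()));
    }
}
```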
Expected Behavior
The Spring Session should authenticate the session by getting the `X-Auth-Token` header's value for the WebSocket endpoint. Currently, only the REST endpoint authenticates the session if the `X-Auth-Token` header is present.

Current Behavior
The Spring Session ignores the `X-Auth-Token` header for the WebSocket endpoint in the CONNECT frame. This issue causes every WebSocket connection to be anonymous.

e.g. in REST endpoint: the user sends a request to GET /helloworld with the `X-Auth-Token` header. The server recognizes the token and returns the response with body "Hello World".

e.g. in WebSocket endpoint: `X-Auth-Token`. But currently there is no way to retrieve the Principal from the `X-Auth-Token`, so every request is an anonymousUser. The client is written in JavaScript and uses STOMP.

The current Spring Session docs on overriding the HttpSession implementation do not explain how to use the `X-Auth-Token` for the WebSocket. In fact, because the Cookie-based authentication is disabled after overriding the HttpSession implementation, there is no way to authenticate the user for the WebSocket endpoint using the HttpSession. To provide the session in the `X-Auth-Token` header, you can override the HttpSession with an annotation

Context
How has this issue affected you? This is an issue because if you use the annotation `@EnableRedisHttpSession`, both Browser and Mobile Apps can't authenticate when connecting to a WebSocket endpoint. By default, Spring Security provides you with Cookie-based authentication, and Spring can authenticate both the REST endpoint and the WebSocket endpoint because the Cookie (e.g. `JSESSIONID`/`SESSION` and `XSRF-TOKEN`) is always there for each HTTP handshake, including the HTTP handshake for the WebSocket connection.

What are you trying to accomplish? Get the Principal by using the `X-Auth-Token` header's value.

What other alternatives have you considered? Use JWT.

Are you aware of any workarounds? As per my knowledge about HttpSession, currently there are no workarounds.