有人可以建议如何使用Spring Security框架保护Web套接字端点吗?
我有一个使用Spring Security保护的应用程序。 其中一个端点是Web套接字。 在Web套接字处理程序内部,我需要对连接到Web套接字的用户进行身份验证。 具体来说,我需要获取userid和zone / tenant id。
如果我在spring-security.xml中使用标签 sec:http 表示websocket端点(请参阅下面的文件),这会触发登录,然后在网络套接字的 @onOpen中(会话会话)处理程序 当我调用 session.getUserPrincipal()时,返回的主体内部有一个正确的用户名。
但是我还需要区域/租户ID信息。
我正在尝试使用 SecurityContextHolder.getContext()。getAuthentication(),它应包含它,但调用返回null。 显然, sec:http 不会导致为Web套接字请求创建身份验证对象。
我被提到了
http://docs.spring.io/autorepo/docs/spring-security/4.1.x/reference/html/websocket.html
似乎建议要为websocket端点获取带有区域信息的身份验证器,我需要将以下部分添加到spring-security.xml:
<sec:websocket-message-broker>
<sec:intercept-message pattern="/WebSocket.svc" access="isAuthenticated()" />
</sec:websocket-message-broker>
然而,当我添加它并尝试启动应用程序时,它会失败,并带有以下回溯/消息:
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Security namespace does not support decoration of element [websocket-message-broker]
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]
at org.springframework.beans.factory.parsing.FailFastProblemReporter.fatal(FailFastProblemReporter.java:60) ~[spring-beans-4.3.1.RELEASE.jar:4.3.1.RELEASE]
at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:68) ~[spring-beans-4.3.1.RELEASE.jar:4.3.1.RELEASE]
at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:55) ~[spring-beans-4.3.1.RELEASE.jar:4.3.1.RELEASE]
at org.springframework.security.config.SecurityNamespaceHandler.reportUnsupportedNodeType(SecurityNamespaceHandler.java:144) ~[spring-security-config-4.1.2.RELEASE.jar:4.1.2.RELEASE]
我正在使用Spring Security 4.1.2和4.3.1作为主Spring。
从Spring文档中还不清楚 sec:websocket-message-broker 和 sec:http 是否应该与Web套接字端点一起使用或者是互斥的
感谢您的建议。
塞吉
P.S。我的spring-security.xml看起来像这样:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:websocket="http://www.springframework.org/schema/websocket"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.1.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">
<sec:http pattern="/Consumer.svc/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
authentication-manager-ref="authenticationManager"
use-expressions="true">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/Consumer.svc/**" access="isAuthenticated()" />
<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:http pattern="/WebSocket.svc" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
authentication-manager-ref="authenticationManager"
use-expressions="true">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/WebSocket.svc" access="isAuthenticated()" />
<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:websocket-message-broker>
<sec:intercept-message pattern="/WebSocket.svc" access="isAuthenticated()" />
</sec:websocket-message-broker>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
</bean>
<bean id="oauthWebExpressionHandler"
class="org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler">
</bean>
<bean id="accessDecisionManager"
class="org.springframework.security.access.vote.UnanimousBased">
<constructor-arg>
<list>
<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
<property name="expressionHandler" ref="oauthWebExpressionHandler" />
</bean>
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
<sec:authentication-manager alias="authenticationManager"/>
<oauth:resource-server id="resourceServerFilter"
resource-id="springsec" token-services-ref="offlineTokenServices" />
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<!-- ... also some other elements here ... -->
</beans>
答案 0 :(得分:0)
有必要将以下内容添加到pom.xml:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-messaging</artifactId>
<version>4.1.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-messaging</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-websocket</artifactId>
<version>${spring.version}</version>
</dependency>
这是spring-security.xml:
<bean id="springSecurityMessagePathMatcher"
class="org.springframework.util.AntPathMatcher"/>
现在Spring在启动时不会抛出异常并解析spring-security.xml,但它也不起作用。 SecurityContextHolder.getContext()。getAuthentication()仍然返回null。