In the Spring Framework Websockets documentation, there is a general section regarding authentication. However, there is no information about authorization. That led me to implement a custom ChannelInterceptor to do authorization based on destinations.
Then, a colleague luckily pointed me to the fact that there is a Spring Security implementation for web sockets and separate documentation, and I could throw away my code (which is good in the end).
My proposal is to add a section about authorization to the Spring Framework Websockets section that explains shortly how this is done (using AbstractSecurityWebSocketMessageBrokerConfigurer) or at least add a link to the Spring Security docs.
If this makes sense to you, I could also try to provide a PR. If you have suggestions (scope, location) for the PR, please let me know.
References:
- https://docs.spring.io/spring-framework/docs/current/reference/html/web.html#websocket
- https://docs.spring.io/spring-security/site/docs/5.0.7.RELEASE/reference/html/websocket.html
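The destination-based authorization the issue describes, expressed with Spring Security's AbstractSecurityWebSocketMessageBrokerConfigurer instead of a hand-written ChannelInterceptor. This is an added example, not code from the issue author or from the Spring projects; the class name, destination prefixes (/app, /topic, /queue, /user) and role names are assumptions, and the rules are deliberately deny-by-default so that anything not listed is rejected.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
import org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer;

// Hypothetical configuration class (assumption): the destination prefixes and
// role names below are placeholders for the application's own layout.
@Configuration
public class WebSocketAuthorizationConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {

    @Override
    protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
        // Rules are evaluated in order; the first matching rule decides.
        messages
            // CONNECT, UNSUBSCRIBE, DISCONNECT and heartbeats carry no destination,
            // but still require an authenticated principal on the session.
            .nullDestMatcher().authenticated()
            // Clients may subscribe only to broker destinations, never to /app.
            .simpSubscribeDestMatchers("/topic/**", "/queue/**", "/user/**").hasRole("USER")
            // SEND frames routed to @MessageMapping handlers: admin-only prefix first,
            // then the general application prefix.
            .simpDestMatchers("/app/admin/**").hasRole("ADMIN")
            .simpDestMatchers("/app/**").hasRole("USER")
            // Any other MESSAGE or SUBSCRIBE frame is denied, so a client cannot
            // publish straight to /topic or /queue and bypass the controllers.
            .simpTypeMatchers(SimpMessageType.MESSAGE, SimpMessageType.SUBSCRIBE).denyAll()
            // Catch-all for anything not covered above.
            .anyMessage().denyAll();
    }
}
```

Registering this configuration is enough: Spring Security installs its own ChannelInterceptor on the inbound client channel, so no custom interceptor is needed. Note that the base class also enforces same-origin (CSRF token) checks on CONNECT by default; keep that unless the application has its own origin policy.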
Comment From: sbrannen
> My proposal is to add a section about authorization to the Spring Framework Websockets section that explains shortly how this is done (using AbstractSecurityWebSocketMessageBrokerConfigurer) or at least add a link to the Spring Security docs.

The Authentication section already contains a NOTE about Spring Security's ChannelInterceptor and Spring Session's WebSocket integration.
So, besides the fact that those links are currently broken, I think that suffices (if we fix the links), since we generally do not like to duplicate documentation from other Spring portfolio projects.
@jwedel, have you seen the NOTE I'm referring to?
Update: broken links have been fixed in 709a41fd437b7619156a7b74163ea9c5ebde1284.
Comment From: jwedel
Hi @sbrannen,
thanks for the quick reply.
Honestly, I didn't see it. I was looking for this before I implemented the ChannelInterceptor and even again before I raised that issue.
I think the note is good and fixing the link is definitely also good.
I think my problem was that authentication worked out of the box, so I didn't look at the "Authentication" section in the docs.
I was specifically looking for Authorization.
One suggestion would be to rename the section to "Authentication & Authorization". Then it's easier for the reader to find it when looking at the table of contents.
Comment From: sbrannen
> One suggestion would be to rename the section to "Authentication & Authorization". Then it's easier for the reader to find it when looking at the table of contents.

I think that's a reasonable improvement.
@rstoyanchev, are you OK with renaming that section to "Authentication and Authorization"?
Comment From: rstoyanchev
Yes, I think it's fine to do that or even provide a separate section for Authorization to make it more prominent. I'll go ahead and do that.