I created a simple app that uses the websockets mechanism of spring 4. I use in my app an activemq broker.
In my simple test i create 10 messages for a user named "Alejando" (user/alejandro/queue/greetings)
When i log in with "Alejando" and subscribe to that queue:
stompClient.subscribe('/user/alejandro/queue/greetings', function(greeting){
showGreeting(JSON.parse(greeting.body).content);
});
I indeed receive all the 10 messages that were enqued for alejandro.
The problem is when i log in with a different user named "evilBart" and subscribe to the queue of alejandro i receive the messages as well?
How can i enforce security for that? I would like that a user can only subscribe to it's own queue.
Thanks!
my config class:
@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {
@Override
public void configureMessageBroker(MessageBrokerRegistry config) {
config.enableStompBrokerRelay("/queue/","/topic","/user/");
config.setApplicationDestinationPrefixes("/app");
}
@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
registry.addEndpoint("/hello").withSockJS();
}
}
Check this similar question: you have to authenticate the user via HTTP using Spring Security, and then send message to users using the SimpMessageTemplate.convertAndSendToUser() method.
You can take two options.
- Simply remove "/user/" from config.enableStompBrokerRelay.
Spring message will automatically prefix.
convertAndSendToUser is not for broker relay.
See org.springframework.messaging.simp.user packages source
Default user prefix is '/user/'.
You can change it with config.setUserDestinationPrefix()
2. Override two methods and handle it from ChannelInterceptor
Methods:
来源:https://stackoverflow.com/questions/23778451/spring-websocket-with-stomp-security-every-user-can-subscribe-to-any-other-use