Ignore WebSocket connection in Spring Security SavedRequest

Question

I have a Grails application with spring-security-core plugin and Atmosphere framework.

If I log out from a page that has opened a WebSocket connection, then Spring Security keeps the URL of the WebSocket connection as SavedRequest.

DEBUG savedrequest.HttpSessionRequestCache  - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/formx/formX/update]
DEBUG savedrequest.HttpSessionRequestCache  - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/formx/formX/notifications/?X-Atmosphere-Transport=close&X-Atmosphere-tracking-id=b5d8fde4-d950-41fd-9b49-02e06799a36f&conversationId=988080042]

The first entry in the log has the correct value for SavedRequest, but somehow it is overwritten by the Atmosphere WebSocket connection.

How do I tell Spring Security to not use the Atmosphere WebSocket connection as SavedRequest?

I guess I can use some Atmosphere Protocol Specific Header to distinguish connections.

Hello, Trying to clean up unanswered. Did you solve this? Maybe you can answer your own question. — Neoryder, Oct 23 '15 at 12:40

score 1 · Answer 1 · answered Jan 10 '16 at 19:20

In Java config you can set the RequestMatcher - then it's easy.

In WebSecurityConfigurerAdapter:

protected void configure(HttpSecurity http) {
    HttpSessionRequestCache cache = new HttpSessionRequestCache(); //this one is used by default
    cache.setRequestMatcher(AnyRequestMatcher.INSTANCE); //change the request matcher, so it do not match your Atmosphere requests
    http.requestCache().requestCache(cache);
}

Ignore WebSocket connection in Spring Security SavedRequest

1 Answers1