Trying to solve "How to combine Spring Security and js sockjs-client", I want to implement authentication of WebSocket sessions running on non-authenticated HTTPS sessions (because of a sockjs-client limitation).
I am thinking along the lines of:
- on CONNECT message, pass credentials. An interceptor checks the credentials, and sets the authentication principal in a WebSocket-scoped bean. [1]
- during other requests, an interceptor checks the WebSocket-scoped bean and sets the Authentication object in the SecurityContext, so that ChannelSecurityInterceptor can retrieve it.
Currently I am failing to get an interceptor called before Spring's ChannelSecurityInterceptor, and I am not sure WebSocket-scoped beans can be used to hold a principal.
Or should I rather use DefaultHandshakeHandler.determineUser() to set a principal based on information from the handshake request? Would that work with ChannelSecurityInterceptor?
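The CONNECT-time authentication sketched in the question, written out as an added example (this is not code from the question, from Spring, or from sockjs-client). It assumes Spring 5 / Spring Security 5 APIs, an `AuthenticationManager` bean exposed by the application's security configuration, and a client that sends its credentials as the STOMP `login` and `passcode` CONNECT headers; the class name and the header choice are this example's own. The ordering trick is the one Spring Security documents for token authentication: its own WebSocket configurer is ordered at `HIGHEST_PRECEDENCE + 100`, so a configurer at `+ 99` installs its interceptor ahead of `SecurityContextChannelInterceptor` and `ChannelSecurityInterceptor`.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.MessageDeliveryException;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
// Spring Security's WebSocket configurer is ordered at HIGHEST_PRECEDENCE + 100.
// Ordering this one just ahead of it registers our interceptor before
// SecurityContextChannelInterceptor and ChannelSecurityInterceptor.
@Order(Ordered.HIGHEST_PRECEDENCE + 99)
public class StompConnectAuthConfig implements WebSocketMessageBrokerConfigurer {

    // Assumed to be provided by the application's security configuration.
    private final AuthenticationManager authenticationManager;

    public StompConnectAuthConfig(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        registration.interceptors(new ChannelInterceptor() {
            @Override
            public Message<?> preSend(Message<?> message, MessageChannel channel) {
                StompHeaderAccessor accessor =
                        MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
                // Only CONNECT carries credentials; every later frame of the session
                // inherits the user that was set here.
                if (accessor == null || !StompCommand.CONNECT.equals(accessor.getCommand())) {
                    return message;
                }

                // Header names chosen for this example: the standard STOMP CONNECT
                // headers, e.g. stomp.js client.connect(login, passcode, onConnect).
                String login = accessor.getFirstNativeHeader("login");
                String passcode = accessor.getFirstNativeHeader("passcode");
                if (login == null || passcode == null) {
                    // Throwing from preSend makes the STOMP handler send an ERROR frame
                    // and close the session, so the socket never reaches the broker.
                    throw new MessageDeliveryException(message, "Missing credentials on CONNECT");
                }

                Authentication authentication;
                try {
                    // Delegate to the regular AuthenticationManager: the raw passcode is
                    // checked once here and never stored on the session.
                    authentication = authenticationManager.authenticate(
                            new UsernamePasswordAuthenticationToken(login, passcode));
                } catch (AuthenticationException ex) {
                    throw new MessageDeliveryException(message, "Authentication failed", ex);
                }

                // Attach the Authentication as the message user. StompSubProtocolHandler
                // remembers the user set on CONNECT for the whole WebSocket session and
                // stamps it on each subsequent frame; Spring Security's
                // SecurityContextChannelInterceptor then copies it into the SecurityContext
                // that ChannelSecurityInterceptor authorizes against.
                accessor.setUser(authentication);
                return message;
            }
        });
    }
}
```

Because the STOMP sub-protocol handler keeps the user set on CONNECT for the life of the session, no separate WebSocket-scoped bean is needed to carry the principal to later messages. Overriding `DefaultHandshakeHandler.determineUser()` also works with `ChannelSecurityInterceptor` (the handshake principal becomes the session user the same way), but it can only draw on what the handshake request carries, such as cookies or query parameters, since sockjs-client cannot add custom headers to the handshake. Either way the credentials travel only over the HTTPS-protected SockJS transport, and the CONNECT frame should be rejected, as above, rather than let through unauthenticated.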