2

I'm trying to implement token-based auth, according to https://github.com/spring-projects/spring-framework/blob/master/src/docs/asciidoc/web/web-websocket.adoc#token-based-authentication.

I'm using Basic Auth for my HTTP request, so Spring returns an x-auth-token after a successful authentication. I'm adding this token to the STOMP CONNECT command.

```java
import java.security.Principal;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptorAdapter;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;

@Configuration
@EnableWebSocketMessageBroker
public class MyConfig extends AbstractWebSocketMessageBrokerConfigurer {

  private static final Logger log = LoggerFactory.getLogger(MyConfig.class);

  @Override
  public void configureClientInboundChannel(ChannelRegistration registration) {
    registration.setInterceptors(new ChannelInterceptorAdapter() {

        @Override
        public Message<?> preSend(Message<?> message, MessageChannel channel) {

            StompHeaderAccessor accessor =
                MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);

            // Only the CONNECT frame carries the token; later frames reuse the user set here
            if (StompCommand.CONNECT.equals(accessor.getCommand())) {
                String authToken = accessor.getFirstNativeHeader("X-Auth-Token");
                log.debug("webSocket token is {}", authToken);
                Principal user = ... ; // access authentication header(s)
                accessor.setUser(user);
            }

            return message;
        }
    });
  }
}
```

However, I'm totally lost as to what I should do at "Principal user = ... ;". How would I get the Principal from the token? Could anyone shed some light?

Jaime
  • Possible duplicate of [Websocket Authentication and Authorization in Spring](https://stackoverflow.com/questions/45405332/websocket-authentication-and-authorization-in-spring) – Anthony Raymond Aug 14 '17 at 09:20

1 Answer

2

OPTION A

If your WebSocket CONNECT endpoint is Spring-secured, you should be able to get the Principal (aka User) by calling `Authentication auth = SecurityContextHolder.getContext().getAuthentication();`. From there, you would call `auth.getPrincipal()`.

OPTION B

I personally use JWT as my token-based auth system. I have a custom JWTService in which I have a method to get the user from the token.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

public class JWTService {

    private final UserDetailsService userDetailsService;

    public JWTService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    public Authentication getAuthenticationFromToken(String token) {
        if (token != null) {
            UserDetails user = getUserFromToken(token);

            // Three-argument constructor marks the token as authenticated
            if (user != null)
                return new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
        }

        return null;
    }

    public UserDetails getUserFromToken(String token) {
        // parseClaimsJws verifies the signature and throws on tampering or expiry
        Jws<Claims> jws = Jwts.parser()
                .requireIssuer("myIssuer")
                .setSigningKey("myBase64Secret==")
                .parseClaimsJws(token);

        String username = jws.getBody().getSubject();
        return userDetailsService.loadUserByUsername(username);
    }
}
```

The library I use for JWT is https://github.com/jwtk/jjwt

This tutorial could also help you setup JWT https://www.toptal.com/java/rest-security-with-jwt-spring-security-and-java

Philippe
  • I want to implement machine-to-backend WebSocket authentication and authorization, where there is no user Principal; how can I proceed then? – Amit Aug 31 '17 at 04:58
  • Also, have a look at this: https://robertleggett.wordpress.com/2015/05/27/websockets-with-spring-spring-security/ – Marc Nov 07 '17 at 12:54
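The following is an added example, not code from the question, the answer, or Spring itself. It joins the question's CONNECT interceptor with the answer's Option B by validating the `X-Auth-Token` header as a jjwt-signed JWT and setting the resulting `Authentication` (which implements `Principal`) on the accessor. It assumes the jjwt 0.9.x API shown in the answer (`Jwts.parser()`, `setSigningKey(String)`), a Spring Security `UserDetailsService` bean, and a `jwt.secret` configuration property, which is a placeholder name. A missing or invalid token throws, so the CONNECT is refused rather than admitted anonymously; the `@Order` annotation follows the requirement in the Spring reference page linked in the question that a custom authentication interceptor be registered ahead of Spring Security's own messaging interceptors.

```java
// Added example (not from the question, the answer, or Spring): token-based STOMP CONNECT auth.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptorAdapter;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;

@Configuration
// Must run before Spring Security's messaging interceptors (see the linked Spring reference).
@Order(Ordered.HIGHEST_PRECEDENCE + 99)
public class TokenAuthWebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    private static final Logger log = LoggerFactory.getLogger(TokenAuthWebSocketConfig.class);

    private final UserDetailsService userDetailsService;
    private final String base64Secret; // from the placeholder property jwt.secret; never hard-coded

    public TokenAuthWebSocketConfig(UserDetailsService userDetailsService,
                                    @Value("${jwt.secret}") String base64Secret) {
        this.userDetailsService = userDetailsService;
        this.base64Secret = base64Secret;
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        registration.setInterceptors(new ChannelInterceptorAdapter() {
            @Override
            public Message<?> preSend(Message<?> message, MessageChannel channel) {
                StompHeaderAccessor accessor =
                        MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
                if (accessor != null && StompCommand.CONNECT.equals(accessor.getCommand())) {
                    String token = accessor.getFirstNativeHeader("X-Auth-Token");
                    // Throws for a missing or invalid token; Spring's STOMP handler then
                    // answers the client with an ERROR frame instead of completing CONNECT.
                    Authentication auth = authenticate(token);
                    log.debug("STOMP CONNECT authenticated as {}", auth.getName());
                    accessor.setUser(auth); // Authentication extends Principal; reused for later frames
                }
                return message;
            }
        });
    }

    /** Verifies the JWT signature, issuer and expiry, then loads the subject's user record. */
    Authentication authenticate(String token) {
        if (token == null || token.isEmpty()) {
            throw new BadCredentialsException("Missing X-Auth-Token header on CONNECT");
        }
        try {
            Jws<Claims> jws = Jwts.parser()
                    .requireIssuer("myIssuer")        // issuer value taken from the answer
                    .setSigningKey(base64Secret)       // signature is checked before claims are trusted
                    .parseClaimsJws(token);            // also rejects expired tokens
            UserDetails user = userDetailsService.loadUserByUsername(jws.getBody().getSubject());
            // null credentials: the password hash is not carried into the WebSocket session
            return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        } catch (JwtException e) {
            throw new BadCredentialsException("Invalid or expired token", e);
        }
    }
}
```

Because the inbound channel is processed on its own thread pool, the example does not rely on `SecurityContextHolder` (Option A) inside `preSend`; the user is attached to the CONNECT frame explicitly, which is what later `@MessageMapping` handlers and Spring Security's message authorization read.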