I want to use websockets (sockJS with Stomp) in a Spring boot app that has token based authentication through Json Web Token (JWT). On the server there is a filter that validates the JWT token.This token is sent the request headers but the SockJS client api, does not support headers. This means that, when the SockJS client api tries to do the websocket handshake with the server, like for example:
new SockJS("http://localhost:8080/websocket")
the HTTP request will be intercepted by the JWT authorization filter and the handshake will fail because there are no headers on the request, and hence, request will be rejected by the filter. I have seen several workarounds proposed in forums, but none of them seem to be adequate to this scenario:
- HandshakeInterceptor: this solution does not work because filters always execute before interceptors.
- Sending authentication header on STOMP headers also does not work because STOMP connect occurs after the handshake, naturally.
I found out here that its possible to send the token on the SockJS handshake URL via query parameters and I would have to change the authentication filter to also look for query parameters, instead of just the headers. I don't really like this solution of sending the token on query parameters, for security reasons. Is there a better alternative or is this really the best possible approach?
