2017-04-18 177 views
0

I am trying to implement token-based authentication following https://github.com/spring-projects/spring-framework/blob/master/src/docs/asciidoc/web/web-websocket.adoc#token-based-authentication (Spring Security "Token-based Authentication" for SockJS/STOMP WebSockets).

I use basic authentication for my HTTP requests, so Spring returns an x-auth token after successful authentication. I add this token to the STOMP CONNECT command.

import java.security.Principal;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptorAdapter;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;

@Configuration
@EnableWebSocketMessageBroker
public class MyConfig extends AbstractWebSocketMessageBrokerConfigurer {

    private static final Logger log = LoggerFactory.getLogger(MyConfig.class);

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        registration.setInterceptors(new ChannelInterceptorAdapter() {

            @Override
            public Message<?> preSend(Message<?> message, MessageChannel channel) {
                StompHeaderAccessor accessor =
                        MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);

                // The token is only carried on the STOMP CONNECT frame
                if (accessor != null && StompCommand.CONNECT.equals(accessor.getCommand())) {
                    String authToken = accessor.getFirstNativeHeader("X-Auth-Token");
                    log.debug("webSocket token is {}", authToken); // avoid logging tokens outside development
                    Principal user = ... ; // access authentication header(s)
                    accessor.setUser(user);
                }

                return message;
            }
        });
    }
}

However, I am completely lost as to what I should do at "Principal user = ...;". How do I obtain the Principal from the token? Can anyone shed some light on this?

+0

Possible duplicate of [Websocket authentication and authorization in Spring](https://stackoverflow.com/questions/45405332/websocket-authentication-and-authorization-in-spring) –

Answer

0

Option A

If your WebSocket CONNECT endpoint is secured by Spring, you should be able to get the principal (a.k.a. the user) by calling Authentication auth = SecurityContextHolder.getContext().getAuthentication();. From there, you would call auth.getPrincipal().

Option B

I personally use JWT for my token-based authentication system. I have a method that gets the authentication from the JWT token I use:

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

// Field of the enclosing service, injected by Spring
private UserDetailsService userDetailsService;

public Authentication getAuthenticationFromToken(String token) {
    if (token != null) {
        UserDetails user = getUserFromToken(token);

        if (user != null)
            // The three-argument constructor produces an already-authenticated token
            return new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
    }

    return null;
}

public UserDetails getUserFromToken(String token) {
    // Verifies the signature and the issuer; throws a JwtException on any failure
    Jws<Claims> jws = Jwts.parser()
            .requireIssuer("myIssuer")
            .setSigningKey("myBase64Secret==")
            .parseClaimsJws(token);

    String username = jws.getBody().getSubject();
    return userDetailsService.loadUserByUsername(username);
}

The library my custom JWTService uses to get the user is https://github.com/jwtk/jjwt

This tutorial can also help you set up JWT: https://www.toptal.com/java/rest-security-with-jwt-spring-security-and-java
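Option B wired into the interceptor from the question, as an added example that is not code from the question or the answer. It validates the JWT carried in the X-Auth-Token header of the STOMP CONNECT frame and sets the resulting Authentication as the session user, rejecting the CONNECT when the token is missing or invalid. It targets the jjwt parser API shown in the answer; the class name JwtStompAuthInterceptor, the issuer "myIssuer", the Base64 secret and the "roles" claim are placeholders or assumptions, not values from the page.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptorAdapter;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Added example (not from the question or the answer): an inbound-channel
 * interceptor that verifies the JWT in the X-Auth-Token header of the STOMP
 * CONNECT frame and attaches the resulting Authentication as the session user.
 * Assumptions: issuer "myIssuer", the placeholder HMAC secret below, and a
 * "roles" claim holding a JSON array of role names.
 */
public class JwtStompAuthInterceptor extends ChannelInterceptorAdapter {

    static final String TOKEN_HEADER = "X-Auth-Token";
    // Placeholder only: load the real key from configuration, never hard-code it.
    private static final String BASE64_SECRET = "replace-with-base64-secret==";

    @Override
    public Message<?> preSend(Message<?> message, MessageChannel channel) {
        StompHeaderAccessor accessor =
                MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
        // Only CONNECT carries the token; later frames reuse the user set here.
        if (accessor != null && StompCommand.CONNECT.equals(accessor.getCommand())) {
            // Throwing rejects the CONNECT instead of admitting an anonymous session.
            Principal user = authenticate(accessor.getFirstNativeHeader(TOKEN_HEADER));
            accessor.setUser(user);
        }
        return message;
    }

    /** Verifies the token and turns its claims into an authenticated principal. */
    static UsernamePasswordAuthenticationToken authenticate(String token) {
        if (token == null || token.isEmpty()) {
            throw new BadCredentialsException("Missing " + TOKEN_HEADER + " header on CONNECT");
        }
        Claims claims;
        try {
            Jws<Claims> jws = Jwts.parser()
                    .requireIssuer("myIssuer")     // reject tokens from other issuers
                    .setSigningKey(BASE64_SECRET)  // verify the HMAC signature
                    .parseClaimsJws(token);        // also rejects expired tokens
            claims = jws.getBody();
        } catch (JwtException e) {
            // Signature, expiry, issuer and malformed-token failures all land here.
            throw new BadCredentialsException("Invalid JWT on CONNECT", e);
        }
        String username = claims.getSubject();
        if (username == null || username.isEmpty()) {
            throw new BadCredentialsException("JWT has no subject claim");
        }
        // The authorities-taking constructor marks the token authenticated; the
        // credentials are left null so no password is kept on the WebSocket session.
        return new UsernamePasswordAuthenticationToken(username, null, rolesFrom(claims));
    }

    /** Maps the "roles" claim to ROLE_-prefixed authorities; no claim means no roles. */
    private static List<GrantedAuthority> rolesFrom(Claims claims) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        Object roles = claims.get("roles");
        if (roles instanceof List) {
            for (Object role : (List<?>) roles) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
            }
        }
        return authorities;
    }
}
```

Register it exactly where the question's configuration registers its anonymous adapter, with registration.setInterceptors(new JwtStompAuthInterceptor()) inside configureClientInboundChannel. Two design points: the token is never logged, unlike the debug line in the question, and the credentials field of the Authentication is null rather than the user's password, so a compromised session dump does not yield a reusable credential. On Spring 5 and later, ChannelInterceptorAdapter is deprecated; implement the ChannelInterceptor interface directly and register it through registration.interceptors(...).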

+0

I want to implement machine-to-backend WebSocket authentication and authorization, where there is no user principal. What should I do in that case? – Amit

+0

Also, have a look at this: https://robertleggett.wordpress.com/2015/05/27/websockets-with-spring-spring-security/ – Marc