
ws protection

cloud-keycloak
Dmitriy Sim 3 years ago
parent
commit
42ccdc3a5f
3 changed files with 31 additions and 1 deletions
  1. +2
    -1
      demo-client-app/src/App.js
  2. +7
    -0
      demo-resource-server/src/main/java/ru/digitalbanana/demoresourceserver/config/WebSocketConfig.java
  3. +22
    -0
      demo-resource-server/src/main/java/ru/digitalbanana/demoresourceserver/config/WebSocketSecurityConfig.java

+ 2
- 1
demo-client-app/src/App.js

@ -28,9 +28,10 @@ const connect = async (token) => {
stomp = Stomp.over(sock);
// disable stomp logging
stomp.debug = (msg) => {}
stomp.debug = (msg) => {};
stomp.connect(
// { "X-Authorization": token.split(".").slice(0, 2).join(".") + "alkdjalskdjals" },
{ "X-Authorization": token },
(frame) => {
console.log("Connected", frame);
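Review bot: The commented-out header just above `{ "X-Authorization": token }`, which appears to be added by this commit, reads like a leftover manual check that a token with a corrupted signature is rejected, and it should not stay in the client as dead code. If that rejection path matters, cover it with a server-side test against the CONNECT interceptor and delete the comment here. The `connect` function continues past the end of the hunk.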


+ 7
- 0
demo-resource-server/src/main/java/ru/digitalbanana/demoresourceserver/config/WebSocketConfig.java

@ -4,6 +4,8 @@ import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
@ -25,6 +27,7 @@ import org.springframework.web.socket.config.annotation.WebSocketTransportRegist
* Created by dima on 8/12/16.
*/
@Configuration
@Order(Ordered.HIGHEST_PRECEDENCE + 99)
@EnableWebSocketMessageBroker
public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
@ -40,6 +43,10 @@ public class WebSocketConfig implements WebSocketMessageBrokerConfigurer {
MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
if (StompCommand.CONNECT.equals(accessor.getCommand())) {
List<String> authorization = accessor.getNativeHeader("X-Authorization");
if (authorization == null || authorization.isEmpty()) {
return null;
}
String accessToken = authorization.get(0);
Jwt jwt = jwtDecoder.decode(accessToken);
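Review bot: The new guard in the CONNECT branch ends with `return null`, which drops the frame silently: the client receives neither CONNECTED nor ERROR, and nothing visible here logs the attempt or closes the unauthenticated WebSocket session. Rejecting explicitly, for example `throw new AuthenticationCredentialsNotFoundException("Missing X-Authorization header on CONNECT");` (which needs the import from `org.springframework.security.authentication`), should let the STOMP layer answer with an ERROR frame and gives operations a failure to count. `jwtDecoder.decode(accessToken)` on the following line presumably throws for a malformed or expired token, so both failure paths would then behave alike. The added `@Order(Ordered.HIGHEST_PRECEDENCE + 99)` deserves a one-line comment saying it places this configuration ahead of Spring Security's message interceptors. The interceptor method starts and ends outside the hunk.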


+ 22
- 0
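--- a/demo-resource-server/src/main/java/ru/digitalbanana/demoresourceserver/config/WebSocketSecurityConfig.java
+++ b/demo-resource-server/src/main/java/ru/digitalbanana/demoresourceserver/config/WebSocketSecurityConfig.java
@@ -0,0 +1,22 @@
+package ru.digitalbanana.demoresourceserver.config;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
+import org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer;
+/**
+* Simple web socket security Created by dima on 8/13/16.
+*/
+@Configuration
+public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {
+@Override
+protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
+messages.anyMessage().authenticated();
+}
+@Override
+protected boolean sameOriginDisabled() {
+return true;
+}
+}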
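Review bot: `sameOriginDisabled()` returning `true` turns off Spring Security's CSRF token requirement for inbound CONNECT frames, and the class gives no reason why that is acceptable. It is defensible only if authentication rests entirely on the bearer token in the `X-Authorization` STOMP header and never on a cookie sent with the handshake; say so above the override, e.g. `// CSRF check disabled: clients authenticate with a bearer JWT in the CONNECT frame, not with cookies`. With that check off, the allowed origins on the STOMP endpoint registration (not visible in this commit) become the remaining cross-origin control and should be an explicit list rather than a wildcard.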
