Used this guide .
But here I am faced with the fact that I need to get the user in the controller. And I can get it from the JWT token. If everything is clear and done with the REST application and JWT, then I don’t understand how to get the user in the sockets, and in general to check that it is authorized. How to do it?
Here is the code that is available:
Socket config:
@Configuration @EnableWebSocketMessageBroker public class WebSocketConfig implements WebSocketMessageBrokerConfigurer { private final TokenUtils tokenUtils; private static final String ENDPOINT = "/websocket"; private static final String TOPIC_CHAT = "/secured/client"; private static final String TOPIC_QUEUE = "/secured/queue"; private static final String TOPIC_OPERATOR = "/secured/operator"; public WebSocketConfig(TokenUtils tokenUtils) { this.tokenUtils = tokenUtils; } @Override public void configureMessageBroker(MessageBrokerRegistry config) { config.enableSimpleBroker(TOPIC_CHAT, TOPIC_QUEUE, TOPIC_OPERATOR); config.setApplicationDestinationPrefixes("/ws"); config.setUserDestinationPrefix("/secured/user"); } @Override public void registerStompEndpoints(StompEndpointRegistry registry) { registry.addEndpoint(ENDPOINT) .setAllowedOrigins("*") .addInterceptors(new WebSocketHandshakeInterceptor()).withSockJS(); } } Sockets security config:
@Configuration public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer { @Override protected boolean sameOriginDisabled() { return true; } @Override protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) { messages.simpTypeMatchers( SimpMessageType.CONNECT, SimpMessageType.DISCONNECT).permitAll().anyMessage().permitAll() .simpDestMatchers("/secured/**").authenticated().anyMessage().authenticated(); } } Security Config:
@Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true) class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UnauthorizedEntryPoint unauthorizedEntryPoint; @Autowired private TokenAuthenticationProvider tokenAuthenticationProvider; private static final RequestMatcher PUBLIC_URLS = new OrRequestMatcher( new AntPathRequestMatcher("/"), new AntPathRequestMatcher("/index"), new AntPathRequestMatcher("/index.html"), new AntPathRequestMatcher("/resource/**"), new AntPathRequestMatcher("/favicon.ico"), new AntPathRequestMatcher("/actuator/**"), new AntPathRequestMatcher("/h2-console/**"), new AntPathRequestMatcher("/**/favicon.ico"), new AntPathRequestMatcher("/webjars/**"), new AntPathRequestMatcher("/websocket/**"), new AntPathRequestMatcher("/api/v1/download/**"), new AntPathRequestMatcher("/api/v1/owner/auth/**"), new AntPathRequestMatcher("/api/v1/operator/auth/**") ); private static final RequestMatcher PROTECTED_URLS = new NegatedRequestMatcher(PUBLIC_URLS); @Override protected void configure(AuthenticationManagerBuilder auth) { auth.authenticationProvider(this.tokenAuthenticationProvider); } @Override public void configure(WebSecurity web) { web.ignoring().requestMatchers(PUBLIC_URLS); } @Override protected void configure(HttpSecurity http) throws Exception { http.cors().and() .csrf().disable() .formLogin().disable() .httpBasic().disable() .logout().disable(); http.headers().frameOptions().disable(); http.authorizeRequests() .requestMatchers(PUBLIC_URLS) .permitAll(); http.authorizeRequests() .antMatchers("/secured/**").authenticated(); http .sessionManagement() .sessionCreationPolicy(STATELESS) .and() .exceptionHandling() .defaultAuthenticationEntryPointFor(unauthorizedEntryPoint, PROTECTED_URLS) .and() .authenticationProvider(tokenAuthenticationProvider) .addFilterBefore(tokenAuthenticationFilter(), AnonymousAuthenticationFilter.class) .authorizeRequests() .requestMatchers(PROTECTED_URLS) .authenticated(); } @Bean TokenAuthenticationFilter tokenAuthenticationFilter() throws Exception { final TokenAuthenticationFilter filter = new TokenAuthenticationFilter(PROTECTED_URLS); filter.setAuthenticationManager(authenticationManager()); filter.setAuthenticationSuccessHandler(new AuthenticationSuccessHandler()); filter.setAuthenticationFailureHandler(new AuthenticationFailureHandler()); return filter; } @Bean public CorsConfigurationSource corsConfigurationSource() { final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); CorsConfiguration configuration = new CorsConfiguration().applyPermitDefaultValues(); configuration.addAllowedMethod(HttpMethod.PUT); configuration.addAllowedMethod(HttpMethod.DELETE); configuration.addAllowedMethod(HttpMethod.OPTIONS); source.registerCorsConfiguration("/**", configuration); return source; } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } } 