Allow setting principal on connect [SPR-11228]

[spring-projects-issues]

Jean-Baptiste Nizet opened SPR-11228 and commented

I have a Spring MVC restful app that doesn't use Spring security, but uses a HandlerInterceptor to extract a token from a security cookie and gets the current user information thanks to this token.

The current user is then stored inside a request-scoped Spring bean (currentUser) and injected in every controller or service which needs access to the current user.

This works beautifully, until we add websockets to the mix. Indeed, the request-scoped bean is not usable from inside a method annotated with @MessageMapping, and the only way (that I know of) to have the current user accessible from this method is, AFAIK, to use a filter instead of an interceptor and to wrap the HTTP request so that getUserPrincipal() returns the current user.

It would be really helpful to

• be able to provide a callback method when the connect message is received by the server, and be able to associate a Principal (other than the one returned by ServletRequest.getUserPrincipal()) to the socket session from this callback method
• be able, from this callback method, to use the login and passcode sent with the connect message, or a cookie, in case HTTP authentication is not used
• [UPDATE: this bullet is now superceded by Provide a websocket scope [SPR-11305] #15929] provide a websocket scope, which would work as the HTTP request and session scopes, but would last only for the duration of the web socket session. The callback could then initialize some beans in this scope, and the various @MessageMapping method could read and modify beans from this scope, maintaining some sort of conversation state linked to the websocket session. An alternative would be to maintain the request scope alive until the websocket session is closed, to be able to use the same request-scoped currentUser bean both in @RequestMapping and @MessageMapping methods.

Sorry if I missed something from the documentation or even from the way this all works: I've only been playing with this for a few days.

---

Affects: 4.0 GA

Issue Links:

• Provide a websocket scope [SPR-11305] #15929 Provide a websocket scope

Referenced from: commits a5c3143

0 votes, 6 watchers

[spring-projects-issues]

Rossen Stoyanchev commented

We can consider extension points to expose the initialization of the WebSocket session.

Regarding WebSocket scope, it is a little trickier to implement and support throughout considering the asynchronous nature of message processing in the context of a message handling flow.

I'm wondering whether it wouldn't be better to provide a way to access session-specific attributes via annotated method arguments? Much like we support method arguments of type Principal for access to the user associated with a session, but a more generalized way of accessing attributes?

[spring-projects-issues]

Jean-Baptiste Nizet commented

An extension point, and a way to set and get attributes to the WebSocket session, would already be a great first step.

Regarding the scope, I was thinking about handling the WebSocket session in a similar way as the standard HTTP session: be able to put, get and remove arbitrary attributes indexed by name in the WebSocketSession.

When a MessageMapping-annotated method would be invoked, the associated WebSocket session would be stored in a ThreadLocal variable, just like it's done for the HTTP request scope with RequestContextHolder. Any method invoked from the same thread would thus be able to access the WebSocket session attributes thanks to the "WebSocketContextHolder" ThreadLocal, and a custom scope could be implemented in a similar way as the RequestScope.

This would provide a programming model which would be almost identical to the classical Spring-MVC model. An extension point for the initialization would still be necessary to transfer attributes from the request scope (like the principal, or any other value), to the WebSocket session scope.

[spring-projects-issues]

Juergen Hoeller commented

This sounds more like a 4.1 feature than a 4.0.1 issue to me, in particular since we have 4.1 RC1 planned for the first half of this year anyway... and 4.0.1 coming up rather soon, with quite a few things to sort out still.

Juergen

[spring-projects-issues]

Rossen Stoyanchev commented

An extension point, and a way to set and get attributes to the WebSocket session, would already be a great first step.

I am going to split this into two tickets. The "first step" we could do now. The websocket scope changes are indeed a bit more involved and better suited for 4.1, which is indeed in the first half of this year so not so far away.

[spring-projects-issues]

Rossen Stoyanchev commented

Updated title (removing websocket scope) and created #15929 for the websocket scope.

[spring-projects-issues]

Rossen Stoyanchev commented

There is now a hook for customizing the user for a WebSocket session. See this commit.

[spring-projects-issues]

Jean-Baptiste Nizet commented

This looks great. But I'm a bit lost: how would you configure an application, using JavaConfig, to use a custom subclass of DefaultHandshakeHandler overriding the determineUser()?

@Configuration
@EnableWebMvc
@EnableWebSocketMessageBroker
public class AppConfig extends WebMvcConfigurerAdapter implements WebSocketMessageBrokerConfigurer {
    // what to add here to use a custom DefaultHandshakeHandler?

    // ...
}

[spring-projects-issues]

Rossen Stoyanchev commented

Hi both the Java config and XML namespace allow providing a HandshakeHandler, e.g.:

@Configuration
@EnableWebSocketMessageBroker
public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/portfolio")
            .setHandshakeHandler(new MyHandshakeHandler()).withSockJS();
    }

    // ...
}