In our spring application most of the controllers are protected with oauth security. Websockets are behind basic. Before accessing websocket logged user asks for username and hashed password for websocket connection. Both are going to be generated, but for now for testing purposes it always returns the same creditentials.
URL for info looks as follows:
https://user:debaee4affbeaba909a184066981d55a@localhost:8000/project-name/chat/info
WebSocket is opened properly. We can send few messages and they go trough broker and are displayed to the users. Here's request info from chrome tools:
Remote Address:127.0.0.1:8000
Request URL:https://benny:debaee4affbeaba909a184066981d55a@localhost:8000/project-name/chat/033/7szz8k_f/xhr_send
Request Method:POST
Status Code:204 No Content
Response Headers:
HTTP/1.1 204 No Content
server: Apache-Coyote/1.1
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
strict-transport-security: max-age=31536000 ; includeSubDomains
x-frame-options: DENY
access-control-allow-origin: https://localhost:8000
access-control-allow-credentials: true
vary: Origin
content-type: text/plain;charset=UTF-8
date: Mon, 15 Jun 2015 08:22:43 GMT
Connection: keep-alive
Request Headers:
POST /project-name/chat/033/7szz8k_f/xhr_send HTTP/1.1
Host: localhost:8000
Connection: keep-alive
Content-Length: 143
Origin: https://localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: https://localhost:8000/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,pl;q=0.6
Cookie: JSESSIONID=FF967D3DD1247C1D572C15CF8A3D5E8E; i18next=en; language=pl; tmhDynamicLocale.locale=%22pl-pl%22
["SEND\npriority:9\ndestination:/random/chat/1/FUNNY\ncontent-length:49\n\n{\"message\":\"sfsdf\",\"display\":\"The great wizard.\"}\u0000"]
But after a minute or so when sending another request we get 404 response. It doesn't matter if any SEND requests were issued before. We can write 50+ messages in that time span and then we get 404.
Sample 404 request data follows:
Remote Address:127.0.0.1:8000
Request URL:https://hill:debaee4affbeaba909a184066981d55a@localhost:8000/project-name/chat/033/7szz8k_f/xhr_send
Request Method:POST
Status Code:404 Not Found
Response Headers:
HTTP/1.1 404 Not Found
server: Apache-Coyote/1.1
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
strict-transport-security: max-age=31536000 ; includeSubDomains
x-frame-options: DENY
content-length: 0
date: Mon, 15 Jun 2015 08:24:17 GMT
Connection: keep-alive
Request Headers:
POST /project-name/chat/033/7szz8k_f/xhr_send HTTP/1.1
Host: localhost:8000
Connection: keep-alive
Content-Length: 143
Origin: https://localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: https://localhost:8000/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,pl;q=0.6
Cookie: JSESSIONID=FF967D3DD1247C1D572C15CF8A3D5E8E; i18next=en; language=pl; tmhDynamicLocale.locale=%22pl-pl%22
Request Payload:
["SEND\npriority:9\ndestination:/random/chat/1/FUNNY\ncontent-length:49\n\n{\"message\":\"yhgfh\",\"username\":\"The great wizard.\"}\u0000"]
When setting up stomp we setup function to react onclose:
socket.client = new SockJS(targetUrl);
socket.stomp = Stomp.over(socket.client);
socket.stomp.connect({}, startListener);
socket.stomp.onclose = reconnect;
With reconnect function looking as this(it's in AngularJS):
var reconnect = function() {
$log.debug('Reconnect called');
$timeout(function() {
initialize();
}, this.RECONNECT_TIMEOUT);
};
But the function is never called.
Controller for Chat is pretty simple:
@Controller
public class StageChatController {
@Inject
private SimpMessagingTemplate template;
@Inject
private ChatMessageRepository chatMessageRepository;
@MessageMapping("/chat/{channel}/{type}")
public void sendMessage(@DestinationVariable Long channel, @DestinationVariable ChatType type, ChatMessageDto message) {
ChatMessage chatMessage = new ChatMessage();
chatMessage.setDatestamp(LocalDateTime.now());
chatMessage.setMessage(message.getMessage());
chatMessage.setChannelId(channel);
chatMessage.setChatType(type);
chatMessage.setDisplayName(message.getDisplay());
chatMessage = this.chatMessageRepository.save(chatMessage);
this.template.convertAndSend("/channel/" + project + "/" + type, chatMessage);
}
Security for chat overrides oauth security for chat urls:
@Configuration
@EnableWebSecurity
@Order(2)
static class BasicAccessConfig extends WebSecurityConfigurerAdapter {
@Inject
private OAuth2ClientContextFilter oauth2ClientContextFilter;
@Value("${project.name.chat.token}")
private String chat_token;
@Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http
.requestMatcher(new AntPathRequestMatcher("/chat/**/*"))
.authorizeRequests().anyRequest().authenticated()
.and()
.httpBasic()
.and()
.anonymous().disable()
.csrf().disable()
.addFilterBefore(this.oauth2ClientContextFilter, SecurityContextPersistenceFilter.class);
;
//@formatter:on
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/assets/**");
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("hill").password(this.chat_token).authorities("read_chat");
}
}