@@ -1724,19 +1724,11 @@ HTTP session (which is then associated with WebSocket or SockJS sessions created
17241724for that user) and results in a user header being stamped on every `Message` flowing
17251725through the application.
17261726
1727- Note that the STOMP protocol does have `login` and `passcode` headers
1728- on the `CONNECT` frame. Those were originally designed for and are still needed,
1729- for example, for STOMP over TCP. However, for STOMP over WebSocket, by default,
1730- Spring ignores authorization headers at the STOMP protocol level, assumes that
1731- the user is already authenticated at the HTTP transport level, and expects that
1732- the WebSocket or SockJS session contain the authenticated user.
1733-
1734- NOTE: Spring Security provides
1735- https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
1736- that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
1737- Also, Spring Session provides
1738- https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
1739- that ensures the user's HTTP session does not expire while the WebSocket session is still active.
1727+ The STOMP protocol does have `login` and `passcode` headers on the `CONNECT` frame.
1728+ Those were originally designed for and are needed for STOMP over TCP. However, for STOMP
1729+ over WebSocket, by default, Spring ignores authentication headers at the STOMP protocol
1730+ level, and assumes that the user is already authenticated at the HTTP transport level.
1731+ The expectation is that the WebSocket or SockJS session contain the authenticated user.
17401732
17411733
17421734
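Review bot: with the `NOTE:` block removed from this paragraph, the authentication section no longer points readers to where message-level authorization is covered, even though it still says Spring ignores the STOMP `login` and `passcode` headers "by default"; consider ending the new paragraph with a cross-reference such as `See <<websocket-stomp-authorization>>.` so the reader learns that authorization of individual messages is handled separately. The wording change from "authorization headers" to "authentication headers" is correct, since `login` and `passcode` carry credentials rather than permissions. As a minor style point, "The expectation is that the WebSocket or SockJS session contain the authenticated user" keeps the subjunctive from the old sentence; "contains" reads more naturally now that it follows "The expectation is that".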
@@ -1814,6 +1806,18 @@ its own implementation of `WebSocketMessageBrokerConfigurer` that is marked with
18141806
18151807
18161808
1809+ [[websocket-stomp-authorization]]
1810+ === Authorization
1811+
1812+ Spring Security provides
1813+ https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization]
1814+ that uses a `ChannelInterceptor` to authorize messages based on the user header in them.
1815+ Also, Spring Session provides
1816+ https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration]
1817+ that ensures the user's HTTP session does not expire while the WebSocket session is still active.
1818+
1819+
1820+
18171821[[websocket-stomp-user-destination]]
18181822=== User Destinations
18191823
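Review bot: the new `=== Authorization` section does not say what the authorization is based on beyond "the user header in them"; since the earlier context lines explain that authentication "results in a user header being stamped on every `Message`", a sentence linking the two (the interceptor authorizes each message using the user header that authentication stamped on it) would make the section self-explanatory. The Spring Session sentence about keeping the HTTP session alive while the WebSocket session is active is about session lifetime rather than authorization, so it may fit better as a `NOTE:` in the authentication section or as its own short paragraph here. Style: the three added blank lines at 1818-1820 plus the existing blank context lines leave five empty lines before `[[websocket-stomp-user-destination]]`; one or two is enough in this AsciiDoc source.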