I created a simple application that uses the Spring 4 WebSockets mechanism. I use the ActiveMQ broker in my application.
In my simple test, I create 10 posts for a user named Alejandro (destination /user/alejandro/queue/greetings).
When I log in as Alejandro and subscribe to this queue:
    stompClient.subscribe('/user/alejandro/queue/greetings', function(greeting) {
        showGreeting(JSON.parse(greeting.body).content);
    });
I do receive all 10 posts that were submitted for alejandro.
The problem is that when I log in as another user named "evilBart" and subscribe to alejandro's queue, I also get the messages.
How can I provide security for this? I would like the user to be able to subscribe only to their own queue.
Thanks!
My configuration class:

    @Configuration
    @EnableWebSocketMessageBroker
    public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

        @Override
        public void configureMessageBroker(MessageBrokerRegistry config) {
            config.enableStompBrokerRelay("/queue/", "/topic", "/user/");
            config.setApplicationDestinationPrefixes("/app");
        }

        @Override
        public void registerStompEndpoints(StompEndpointRegistry registry) {
            registry.addEndpoint("/hello").withSockJS();
        }
    }
java spring spring-security websocket stomp
Urbanban
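One way to enforce "a user may only subscribe to their own queue" in the setup described in the question is a ChannelInterceptor on the client inbound channel that inspects every SUBSCRIBE frame before it reaches the broker relay and compares the username segment of a `/user/{name}/...` destination with the session's authenticated Principal. This is an added example, not code from the question or from the Spring project. It assumes the `/user/{username}/queue/...` destination layout used in the question, that the WebSocket handshake is already authenticated (for example via Spring Security form or HTTP Basic login, which is what populates `getUser()` on the STOMP session), and Spring Framework 4.x APIs (`ChannelInterceptorAdapter`, `ChannelRegistration.setInterceptors`). The class names `SecuredWebSocketConfig` and `OwnQueueOnlyInterceptor` are my own.

```java
import java.security.Principal;

import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptorAdapter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

@Configuration
@EnableWebSocketMessageBroker
public class SecuredWebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

    @Override
    public void configureMessageBroker(MessageBrokerRegistry config) {
        // Same broker relay prefixes as in the question.
        config.enableStompBrokerRelay("/queue/", "/topic/", "/user/");
        config.setApplicationDestinationPrefixes("/app");
    }

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        registry.addEndpoint("/hello").withSockJS();
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        // Every frame sent by a client crosses this channel before the broker
        // relay sees it, so this is where a subscription check belongs.
        registration.setInterceptors(new OwnQueueOnlyInterceptor());
    }

    /**
     * Rejects SUBSCRIBE frames whose destination the current user may not read.
     * Allowed: /topic/** (shared broadcasts) and /user/{self}/** (own queues).
     * Denied: /user/{someoneElse}/**, raw /queue/** (the relay exposes it too),
     * and anything from an unauthenticated session.
     */
    static class OwnQueueOnlyInterceptor extends ChannelInterceptorAdapter {

        private static final String USER_PREFIX = "/user/";
        private static final String TOPIC_PREFIX = "/topic/";

        @Override
        public Message<?> preSend(Message<?> message, MessageChannel channel) {
            StompHeaderAccessor accessor = StompHeaderAccessor.wrap(message);
            if (StompCommand.SUBSCRIBE.equals(accessor.getCommand())) {
                String destination = accessor.getDestination();
                // Principal established during the HTTP handshake (assumed to exist).
                Principal user = accessor.getUser();
                if (!isAllowedSubscription(destination, user)) {
                    // The STOMP sub-protocol handler turns this into an ERROR frame
                    // for that client; the SUBSCRIBE never reaches ActiveMQ.
                    throw new AccessDeniedException(
                            "Subscription to " + destination + " is not permitted");
                }
            }
            return message;
        }

        /** Pure decision function, kept free of Spring types so it can be unit-tested. */
        static boolean isAllowedSubscription(String destination, Principal user) {
            if (destination == null || user == null) {
                return false;
            }
            if (destination.startsWith(TOPIC_PREFIX)) {
                return true;
            }
            if (!destination.startsWith(USER_PREFIX)) {
                return false;
            }
            // Extract {name} from /user/{name}/... and require an exact match.
            String rest = destination.substring(USER_PREFIX.length());
            int slash = rest.indexOf('/');
            String owner = (slash < 0) ? rest : rest.substring(0, slash);
            return owner.equals(user.getName());
        }
    }
}
```

With this in place, a session authenticated as evilBart that sends `SUBSCRIBE destination:/user/alejandro/queue/greetings` receives a STOMP ERROR frame and nothing is registered with the broker, while `/user/evilBart/queue/greetings` and `/topic/...` still work. The check also refuses bare `/queue/...` subscriptions, because with `/queue/` in the relay prefixes a client could otherwise address the underlying broker queue directly and bypass the `/user/` naming altogether. Note that a STOMP SEND to another user's queue is a separate question; this interceptor only looks at SUBSCRIBE frames.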