适用于多个用户的Spring websocket安全性

本文介绍了适用于多个用户的Spring websocket安全性的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我想在spring应用程序中使用websocket进行联系请求。我已经为用户设置了登录页面，我使用了spring security。我的问题如下：如何安全地向两个不同的用户发送Web套接字消息。

I want to use websocket in spring application for contact requests. I already have setup login page for users and I use spring security for that. My problem is following: how to securely send web socket messages to two different users.

我知道我可以用 @SendTo（）并且只能通过类似

I know that i can broadcast messages to every user subscribed to some topic with @SendTo() and can broadcast message to one user only with something like

messagingTemplate .convertAndSendToUser(principal.getName(), "/queue/requests", request);

因为他的用户名存储在本金中。

because his username is stored in principal.

我的问题是如何处理我们必须从请求中定位2个用户并使其安全，以便您无法在未经授权的情况下从客户端收听任何频道。

My problem is how to handle when we have to target 2 users from a request and make it secure so that you cant just listen to any channels from client side without being authorized.

理想情况下，我正在寻找类似

Ideally I'm looking for something like

messagingTemplate .convertAndSendToUser(request.getFromUser(), "/queue/requests", request) messagingTemplate .convertAndSendToUser(request.getToUser(), "/queue/requests", request)

推荐答案

Spring WebSocket句柄/用户频道，所以我使用那些方法

Spring WebSocket handles /user channel, so I used those methods

这就是我解决这个问题的方法：

This is how I solved this problem:

当用户使用Spring Security进行身份验证时，WebSocket模块根据他的Principal为该用户创建唯一的渠道。示例/ user / queue / position-updates已转换为/ queue / position-updates-user123

When user authenticates with Spring Security, WebSocket module creates unique channel for that user based on his Principal. Example "/user/queue/position-updates" is translated to "/queue/position-updates-user123"

所以在客户端，所有我必须做的，是订阅 / user / queue / requests

So on the client side all I had to do, was subscribe to /user/queue/requests

在服务器端，使用<$ c $向 / user / {username} / queue / requests 发送消息c> convertAndSendToUser（request.getFromUser（），/ queue / requests，request），Spring处理剩下的工作。

And on the server side, send messages to /user/{username}/queue/requests with convertAndSendToUser(request.getFromUser(), "/queue/requests", request) and Spring handles the rest.