I have a spring security application that works happily with REST, using token based authentication ( token is in the header of each REST request).
I'm trying to add websockets as well, however my configuration that secures the REST requires seems to completely break Websockets.
Here's the configuration.
protected void configure(final HttpSecurity http) throws Exception {
http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.headers().frameOptions().sameOrigin()
.and()
.authorizeRequests()
.anyRequest().authenticated()
.and()
.anonymous().disable()
.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint());
http.addFilterBefore(authenticationTokenFilter(), BasicAuthenticationFilter.class);
}
Now, this configuration works fine for the REST requests, but not for Websockets (they work fine if I comment out this security stuff).
I've added breakpoints to the filter and the security token never appears in the header. However using wireshark I've confirmed that it is being sent.
Any ideas?
Aucun commentaire:
Enregistrer un commentaire