Login/Register
Ignore WebSocket connection in Spring Security SavedRequest
Asked Answered
grailsspring-securitywebsocketatmosphere
B

1

29

I have a Grails application with spring-security-core plugin and Atmosphere framework.

If I log out from a page that has opened a WebSocket connection, then Spring Security keeps the URL of the WebSocket connection as SavedRequest.

DEBUG savedrequest.HttpSessionRequestCache  - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/formx/formX/update]
DEBUG savedrequest.HttpSessionRequestCache  - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/formx/formX/notifications/?X-Atmosphere-Transport=close&X-Atmosphere-tracking-id=b5d8fde4-d950-41fd-9b49-02e06799a36f&conversationId=988080042]

The first entry in the log has the correct value for SavedRequest, but somehow it is overwritten by the Atmosphere WebSocket connection.

How do I tell Spring Security to not use the Atmosphere WebSocket connection as SavedRequest?

I guess I can use some Atmosphere Protocol Specific Header to distinguish connections.

Bookmaker answered 21/5, 2013 at 7:27 Comment(3)
What about adding 'none'security on Atmosphere handler : <security:http><security:intercept-url pattern="/X-Atmosphere-Transport" access="none"/></security:http>Smithson
Hello, Trying to clean up unanswered. Did you solve this? Maybe you can answer your own question.Eyler
No, unfortunately I do not have solution.Bookmaker
Z
1

In Java config you can set the RequestMatcher - then it's easy.

In WebSecurityConfigurerAdapter:

protected void configure(HttpSecurity http) {
    HttpSessionRequestCache cache = new HttpSessionRequestCache(); //this one is used by default
    cache.setRequestMatcher(AnyRequestMatcher.INSTANCE); //change the request matcher, so it do not match your Atmosphere requests
    http.requestCache().requestCache(cache);
}
Zagreb answered 10/1, 2016 at 19:20 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.