Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Section on Authorization to STOMP WebSocket documentation #27906

Closed
jwedel opened this issue Jan 8, 2022 · 4 comments
Closed

Add Section on Authorization to STOMP WebSocket documentation #27906

jwedel opened this issue Jan 8, 2022 · 4 comments
Assignees
@rstoyanchev
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: documentation A documentation task
Milestone
5.3.15

Comments

@jwedel
Copy link

jwedel commented Jan 8, 2022
edited by sbrannen

In the Spring Framework Websockets documentation, there is a general section regarding authentication. However, there is no information about authorization. That led me to implement a custom ChannelInterceptor to do authorization based on destinations.

Then, a colleague luckily pointed me to the fact that there is a Spring Security implementation for web sockets and separate documentation, and I could throw away my code (which is good in the end).

My proposal is to add a section about authorization to the Spring Framework Websockets section that explains shortly how this is done (using AbstractSecurityWebSocketMessageBrokerConfigurer) or at least add a link to the Spring Security docs.

If this makes sense to you, I could also try to provide a PR. If you have suggestions (scope, location) for the PR, please let me know.

References:
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Jan 8, 2022
@sbrannen sbrannen added the type: documentation A documentation task label Jan 8, 2022
@sbrannen
Copy link
Member

sbrannen commented Jan 8, 2022
edited

My proposal is to add a section about authorization to the Spring Framework Websockets section that explains shortly how this is done (using AbstractSecurityWebSocketMessageBrokerConfigurer) or at least add a link to the Spring Security docs.

The Authentication section already contains a NOTE about Spring Security's ChannelInterceptor and Spring Session's WebSocket integration.

So, beside the fact that those links are currently broken, I think that suffices (if we fix the links), since we generally do not like to duplicate documentation from other Spring portfolio projects.

@jwedel, have you seen the NOTE I'm referring to?

Update: broken links have been fixed in 709a41f.

@sbrannen sbrannen added status: waiting-for-feedback We need additional information before we can continue in: web Issues in web modules (web, webmvc, webflux, websocket) labels Jan 8, 2022
@jwedel
Copy link
Author

jwedel commented Jan 8, 2022
edited

Hi @sbrannen ,

thanks for the quick reply.

honestly, I didn’t see it. I was looking for this before I implemented the ChannelInterceptor and even again before I raised that issue.

I think the note is good and fixing the link is definitely also good.

I think my problem was, that authentication worked out of the box, so I didn’t look at the “Authentication” section in the docs.

I was specifically looking for Authorization.

One suggestion would be, to rename the section to “Authentication & Authorization”. Then it’s easier for the reader to find it when looking at the table of contents.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 8, 2022
@sbrannen
Copy link
Member

sbrannen commented Jan 8, 2022

One suggestion would be, to rename the section to “Authentication & Authorization”. Then it’s easier for the reader to find it when looking at the table of contents.

I think that's a reasonable improvement.

@rstoyanchev, are you OK with renaming that section to "Authentication and Authorization"?

@rstoyanchev
Copy link
Contributor

Yes, I think it's fine to do that or even provide a separate section for Authorizaiton to make it more prominent. I'll go ahead and do that.

@rstoyanchev rstoyanchev removed status: waiting-for-triage An issue we've not yet triaged or decided on status: feedback-provided Feedback has been provided labels Jan 10, 2022
@rstoyanchev rstoyanchev self-assigned this Jan 10, 2022
@rstoyanchev rstoyanchev added this to the 5.3.15 milestone Jan 10, 2022
@rstoyanchev rstoyanchev changed the title Add Section about Spring Security Websockets Authorization in Spring Framework Websockets section Add Section on Authorization to STOMP WebSocket documentation Jan 12, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rstoyanchev rstoyanchev

Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: documentation A documentation task
Projects
None yet
Milestone
5.3.15
Development

No branches or pull requests
4 participants
@sbrannen @rstoyanchev @jwedel @spring-projects-issues