我正在实现avax.websocket来更新我的应用程序中的消息计数 .
我想保护websocket endpoints ,我在web.xml和weblogic.xml中使用了下面的内容,但它没有用 . 之后我尝试使用自定义ServerEndpointConfig.Configurator,现在我能够在登录到我的应用程序后进行连接 . 但是会话在请求中是空的 .
在web.xml中进行身份验证
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
id="WebApp_ID" version="3.1">
<display-name>WebSocketPrj</display-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>simple web resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>TestUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>Basic</auth-method>
<realm-name>file</realm-name>
</login-config>
<security-role>
<role-name>TestUser</role-name>
</security-role>
</web-app>
weblogc.xml
<?xml version='1.0' encoding='UTF-8'?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">
<security-role-assignment>
<role-name>TestUser</role-name>
<principal-name>TestUser</principal-name>
</security-role-assignment>
<container-descriptor></container-descriptor>
</weblogic-web-app>
在web.xml中没有安全性约束且没有weblogic.xml
public class WebSocketConfigurator extends ServerEndpointConfig.Configurator{
private static final String ORIGIN = "http://localhost:7001";
@Override
public boolean checkOrigin(String originHeaderValue) {
return ORIGIN.equals(originHeaderValue);
}
@Override
public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request, HandshakeResponse response) {
HttpSession httpSession = (HttpSession) request.getHttpSession();
super.modifyHandshake(config, request, response);
if (httpSession == null) {
httpSession = (HttpSession) request.getHttpSession();
}
if (httpSession == null) {
return;
}
config.getUserProperties().put("httpSession", httpSession);
httpSession = (HttpSession) request.getHttpSession();
}
}
@ServerEndpoint(value =“/ messageCount”,configurator = WebSocketConfigurator.class)public class NotificationSocket {private static final Logger logger = LoggerFactory.getLogger(NotificationSocket.class);
private Session wsSession;
private HttpSession httpSession;
/**
*
* @param session
*/
@OnOpen
public void onOpen(Session session, EndpointConfig config){
}
/**
*
*/
@OnClose
public void onClose(){
// implementation not needed
}
/**
*
* @param session
* @param throwable
*/
@OnError
public void error(Session session,Throwable throwable){
// implementation not needed
}
/**
*
* @param user
* @param session
*/
@OnMessage
public void handleMessage(final String user, final Session session) {
synchronized (session) {
int count = 10;
session.getAsyncRemote().sendText("" + count);
}
}
}
我有登录页面,在登录welcomauth.jsp后我调用下面的websocket:以下是我的javascript客户端:
var webSocket = new WebSocket("ws://localhost:7001/messageCount");
webSocket.onopen=function(){
webSocket.send('Message');
}
我不希望在modifyhandshake中从客户端传递用户信息我想要获取登录的用户会话然后验证用户是否存在然后打开连接else throw异常 . (比如throw new RuntimeException(“Not authenticated”))
I am calling websocket after login to the application . 有没有办法在websocket连接之前检查身份验证(即@OnOpen)?
1 回答
我解决了我们需要添加一个servlet过滤器并添加与websocket serverendpoint相同的url模式 .
在Servlet过滤器中添加身份验证逻辑 . 因此,当调用websocket url时,它将命中过滤器并验证身份验证 .