快速使用
@Configuration
@EnableWebSocketMessageBroker
public class WebSocketSecurityConfig
extends AbstractSecurityWebSocketMessageBrokerConfigurer {
@Autowired
UserDetailsServiceImpl userDetailsService;
@Autowired
RedisTemplate<String,Object> redisTemplate;
@Override
public void registerStompEndpoints(StompEndpointRegistry registry) {
registry.addEndpoint("/ws/chat").setAllowedOriginPatterns("*").withSockJS();
}
@Override
public void configureMessageBroker(MessageBrokerRegistry registry) {
registry.enableSimpleBroker("/queue");
}
@Override
protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
messages.simpSubscribeDestMatchers("/queue").permitAll()
.simpDestMatchers("/ws/chat").permitAll();
}
@Override
protected boolean sameOriginDisabled() {
return true;
一开始继承AbstractSecurityWebSocketMessageBrokerConfigurer类之后,发现无论如何都要经过CSRF拦截,建立连接总会被拦截。经过排查代码发现此类中重写的方法如下
@Override
public final void configureClientInboundChannel(ChannelRegistration registration) {
ChannelSecurityInterceptor inboundChannelSecurity = this.context.getBean(ChannelSecurityInterceptor.class);
registration.setInterceptors(this.context.getBean(SecurityContextChannelInterceptor.class));
if (!sameOriginDisabled()) {
registration.setInterceptors(this.context.getBean(CsrfChannelInterceptor.class));
}
if (this.inboundRegistry.containsMapping()) {
registration.setInterceptors(inboundChannelSecurity);
}
customizeClientInboundChannel(registration);
}
发现sameOriginDisabled是默认写死
所以要在子类中覆写这个方法 返回true,然后就绕过了同源策略
本人这里不懂为什么要继承这个类,网上搜是可以用来做身份默认校验,但是我如果用自定义的手段,这里的代码意义就不是很大了。比如我现在token是在请求头里传过来,然后要去redis里面去找。
@Configuration
@EnableWebSocketMessageBroker
public class WebScoketConfig implements WebSocketMessageBrokerConfigurer {
@Autowired
RedisTemplate<String,Object> redisTemplate;
@Autowired
UserDetailsServiceImpl userDetailsService;
@Override
public void configureClientInboundChannel(ChannelRegistration registration) {
registration.interceptors(new ChannelInterceptor() {
@Override
public Message<?> preSend(Message<?> message, MessageChannel channel) {
StompHeaderAccessor accessor = MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
if(StompCommand.CONNECT.equals(accessor.getCommand())){
System.out.println("进行验证----------------------------------------");
String token = accessor.getFirstNativeHeader("Authorization");
if (StrUtil.isBlank(token)) {
throw new PasswordExpiredException("未携带token");
}
Authentication authentication = (Authentication) redisTemplate.opsForValue().get(RedisConstant.AUTHENTICATION_CACHE_KEY_PREFIX + token);
if (ObjectUtil.isEmpty(authentication))
throw new PasswordExpiredException("token错误或失效,请重新登录");
userDetailsService.loadUserByUsername(authentication.getName());
accessor.setUser(authentication);
}
return message;
}
});
}
}
然后就可以开一个controller接口用来建立链接了
@Controller
public class UserChatController {
@Autowired
SimpMessagingTemplate messagingTemplate;
Logger logger = LoggerFactory.getLogger(UserChatController.class);
@MessageMapping("/ws/chat")
@SendTo("/queue")
public void handleChat(Authentication authentication, ChatMsg msg) {
System.out.println("执行到这里");
String name = authentication.getName();
msg.setFrom(name);
System.out.println(name);
System.out.println(msg.getTo());
messagingTemplate.convertAndSendToUser(msg.getTo(),"/queue/chat",msg);
}
}