client-side stomp authentication headers are passed to the message broker [SPR-11154] #15781
Labels
in: web
Issues in web modules (web, webmvc, webflux, websocket)
type: enhancement
A general enhancement
Milestone
zyro opened SPR-11154 and commented
environment: using rabbitmq with its stomp plugin and default configuration as message broker impl.
if i understand correctly how the stomp client registration currently works, it should never be necessary that a (web-) user sends stomp authentication headers ("login"/"passcode") in a websocket message?
the behavior that i am currently seeing is:
--> even if #3 works, that does mean a client is able to "knock" at the message brokers stomp authentication (#1).
--> also, i guess #3 does just work because the rabbitmq default configuration defines a "default_user" (guest/guest) that is used if login/passcode are omitted.
--> shouldnt the configured StompBrokerRelayRegistration.applicationLogin and StompBrokerRelayRegistration.applicationPasscode be used for a users CONNECT-frame as well?
Affects: 4.0 RC2
Issue Links:
Referenced from: commits 4e5e700
The text was updated successfully, but these errors were encountered: