client-side stomp authentication headers are passed to the message broker [SPR-11154] #15781
Assignees
Labels
in: web
Issues in web modules (web, webmvc, webflux, websocket)
type: enhancement
A general enhancement
Milestone
Comments
|
Rossen Stoyanchev commented Currently we have systemLogin/Password fields in the broker relay, which are used for the shared "system" connection used to send messages from the within the (server-side) application. We can add applicationLogin/Password properties and set them if client CONNECT frames don't already have such headers. Does that seem reasonable? |
|
zyro commented applicationLogin/Passcode sounds good. but i would suggest that these settings do - if they are set - override the corresponding headers on a message incoming from a websocket client. |
|
Rossen Stoyanchev commented See commit 4e5e70. |
spring-projects-issues
added
type: enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
zyro opened SPR-11154 and commented
environment: using rabbitmq with its stomp plugin and default configuration as message broker impl.
if i understand correctly how the stomp client registration currently works, it should never be necessary that a (web-) user sends stomp authentication headers ("login"/"passcode") in a websocket message?
the behavior that i am currently seeing is:
--> even if #3 works, that does mean a client is able to "knock" at the message brokers stomp authentication (#1).
--> also, i guess #3 does just work because the rabbitmq default configuration defines a "default_user" (guest/guest) that is used if login/passcode are omitted.
--> shouldnt the configured StompBrokerRelayRegistration.applicationLogin and StompBrokerRelayRegistration.applicationPasscode be used for a users CONNECT-frame as well?
Affects: 4.0 RC2
Issue Links:
Referenced from: commits 4e5e700
The text was updated successfully, but these errors were encountered: