Security
Ignacio del Valle Alles edited this page Feb 19, 2016
Brutusin-RPC integrates seamlessly with Spring Security.

Configuration can be performed as described in the Spring Security reference topic "AbstractSecurityWebApplicationInitializer without Existing Spring".

Programmatic security is available through `getPrincipal()` and `isUserInRole(String roleName)`, obtained from `HttpActionSupport.getInstance()` or `WebsocketActionSupport.getInstance()`, depending on the action type.

Non-authorized action executions must throw a `java.lang.SecurityException`.
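The following action shows the pattern described above: it reads the caller's principal and role through `HttpActionSupport.getInstance()` and throws `java.lang.SecurityException` for any caller that is not authorized. This is an added example, not code from the Brutusin-RPC wiki or project. It assumes that HTTP actions extend `org.brutusin.rpc.http.SafeAction<I, O>` and implement `execute(I)`, that `HttpActionSupport` lives in `org.brutusin.rpc.http`, and that `getPrincipal()` returns a `java.security.Principal`; the role name `ROLE_ADMIN` is a constructed value.

```java
// Added example, not part of the Brutusin-RPC project.
// Assumed: SafeAction<I, O> base class with execute(I), HttpActionSupport in
// org.brutusin.rpc.http, getPrincipal() returning java.security.Principal.
package com.example.rpc;

import java.security.Principal;
import org.brutusin.rpc.http.HttpActionSupport;
import org.brutusin.rpc.http.SafeAction;

/**
 * Returns the caller's user name, but only to authenticated users that hold
 * the (constructed) ROLE_ADMIN role. Everyone else gets a SecurityException,
 * which is the contract the wiki states for non-authorized executions.
 */
public class WhoAmIAction extends SafeAction<Void, String> {

    @Override
    public String execute(Void input) throws Exception {
        HttpActionSupport support = HttpActionSupport.getInstance();
        Principal principal = support.getPrincipal();

        // Deny by default: an anonymous request has no principal.
        if (principal == null) {
            throw new SecurityException("Authentication required");
        }
        // Authorization check delegated to Spring Security's role model.
        if (!support.isUserInRole("ROLE_ADMIN")) {
            throw new SecurityException("Role ROLE_ADMIN required");
        }
        return principal.getName();
    }
}
```

The same two checks apply unchanged inside a websocket action, with `WebsocketActionSupport.getInstance()` in place of `HttpActionSupport.getInstance()`.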
Add the following Spring CSRF meta tags to your client pages using the Javascript API:

```html
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf.parameterName" content="${_csrf.parameterName}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
```

The Javascript API will make use of them as needed.
The framework uses JSR-356 Websockets, with a custom implementation to integrate with Spring Security with the following characteristics:

- The websocket endpoint is deployed behind the Spring `springSecurityFilterChain`.
- In order to avoid CSRF attacks the following origin verification algorithm is performed (see `WebsocketEndpointConfigurator`):
  - If the handshake request doesn't have an `Origin` header, skip validation.
  - If an `org.brutusin.rpc.cors-host` environment variable has been configured, verify that the `Origin` header matches this value.
  - Else (default case): verify that the `Origin` and `Host` header values match.
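The class below is an added, stand-alone illustration of the three-step origin verification described above; it is not the project's `WebsocketEndpointConfigurator`. The wiki does not say how "match" is evaluated, so the comparison rule is an assumption of this example: the `Origin` value (`scheme://host[:port]`) is compared against a plain `host[:port]` by its authority part, and against a configured value that itself carries a scheme by the whole string. The header maps in `main` are constructed sample input. Skipping validation when `Origin` is absent is the documented behaviour: browsers always send `Origin` on websocket handshakes, so a missing header indicates a non-browser client for which CSRF does not apply.

```java
// Added example, not part of the Brutusin-RPC project.
// Assumed comparison rule: authority match against host[:port] values,
// whole-string match against a configured value that contains a scheme.
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

public final class OriginCheck {

    /**
     * Decides whether a websocket handshake is allowed, following the wiki's
     * algorithm. corsHost is the value of org.brutusin.rpc.cors-host, or null
     * when the variable is not configured.
     */
    static boolean isHandshakeAllowed(Map<String, String> headers, String corsHost) {
        String origin = headers.get("Origin");
        if (origin == null) {
            return true; // step 1: no Origin header, skip validation
        }
        if (corsHost != null) {
            return matches(origin, corsHost); // step 2: configured cors-host
        }
        String host = headers.get("Host"); // step 3: default, Origin vs Host
        return host != null && matches(origin, host);
    }

    /** Compare an Origin header value with a configured or Host-derived value. */
    static boolean matches(String origin, String expected) {
        URI uri;
        try {
            uri = URI.create(origin);
        } catch (IllegalArgumentException e) {
            return false; // unparsable Origin is rejected
        }
        // The literal "null" origin (sandboxed frames, file: pages) has no
        // authority and is rejected here.
        String authority = uri.getAuthority();
        if (authority == null) {
            return false;
        }
        if (expected.contains("://")) {
            return origin.equalsIgnoreCase(expected);
        }
        return authority.equalsIgnoreCase(expected);
    }

    public static void main(String[] args) {
        // Constructed sample handshakes.
        Map<String, String> sameSite = new HashMap<>();
        sameSite.put("Origin", "https://app.example.test");
        sameSite.put("Host", "app.example.test");

        Map<String, String> crossSite = new HashMap<>();
        crossSite.put("Origin", "https://evil.example.test");
        crossSite.put("Host", "app.example.test");

        Map<String, String> noOrigin = new HashMap<>();
        noOrigin.put("Host", "app.example.test");

        System.out.println(isHandshakeAllowed(sameSite, null));                // true
        System.out.println(isHandshakeAllowed(crossSite, null));               // false
        System.out.println(isHandshakeAllowed(noOrigin, null));                // true
        System.out.println(isHandshakeAllowed(crossSite, "app.example.test")); // false
        System.out.println(isHandshakeAllowed(sameSite, "https://app.example.test")); // true
    }
}
```

When the endpoint sits behind a reverse proxy, the `Host` header seen by the servlet container may be the proxy's internal name rather than the public one; in that deployment the `org.brutusin.rpc.cors-host` variable is the way to pin the expected origin explicitly.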
See the rpc-demo-security-jar demo project.