Security
Ignacio del Valle Alles edited this page Feb 18, 2016 · 13 revisions
Brutusin-RPC integrates seamlessly with Spring Security.

Configuration can be performed according to the Spring Security reference topic "AbstractSecurityWebApplicationInitializer without Existing Spring".
Programmatic security is available via `getPrincipal()` and `isUserInRole(String roleName)`, obtained from `HttpActionSupport.getInstance()` or `WebsocketActionSupport.getInstance()`, as appropriate for the action type. Non-authorized action executions must throw a `java.lang.SecurityException`.
The framework uses JSR-356 Websockets, with a custom implementation to integrate with Spring Security that has the following characteristics:

- The Websocket endpoint is deployed behind the Spring `springSecurityFilterChain`.
- In order to avoid CSRF attacks, the following origin verification algorithm is performed on the handshake request (see `WebsocketEndpointConfigurator`):
  - If the handshake request doesn't have an `Origin` header, validation is skipped.
  - If an `accessControlOriginHost` environment variable has been configured, verify that the `Origin` header matches this value.
  - Else (default case): verify that the `Origin` and `Host` header values match.
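The origin check described above, written out as an added illustration (this is constructed example code, not the framework's `WebsocketEndpointConfigurator`); it assumes that "match" means the host[:port] part of the `Origin` URI equals the compared value, case-insensitively, and takes the handshake headers as the `Map<String, List<String>>` that `javax.websocket.server.HandshakeRequest#getHeaders()` returns.

```java
import java.net.URI;
import java.util.List;
import java.util.Map;

/** Constructed illustration of the handshake origin check (not the framework's own code). */
public class OriginCheckExample {

    /**
     * Returns true if the handshake should be accepted.
     * headers: handshake request headers (HandshakeRequest#getHeaders() shape).
     * accessControlOriginHost: value of the accessControlOriginHost environment variable, or null if unset.
     * Assumption: "match" compares the host[:port] of the Origin URI, case-insensitively.
     */
    public static boolean isOriginAllowed(Map<String, List<String>> headers, String accessControlOriginHost) {
        List<String> origins = headers.get("Origin");
        if (origins == null || origins.isEmpty()) {
            return true; // no Origin header (e.g. a non-browser client): validation is skipped
        }
        String originHost;
        try {
            URI uri = URI.create(origins.get(0));
            originHost = uri.getPort() == -1 ? uri.getHost() : uri.getHost() + ":" + uri.getPort();
        } catch (IllegalArgumentException e) {
            return false; // unparseable Origin: reject
        }
        if (originHost == null) {
            return false; // covers the literal "Origin: null" a browser sends for opaque origins
        }
        if (accessControlOriginHost != null) {
            return originHost.equalsIgnoreCase(accessControlOriginHost); // configured host takes precedence
        }
        List<String> hosts = headers.get("Host");
        if (hosts == null || hosts.isEmpty()) {
            return false; // default case has nothing to compare against
        }
        return originHost.equalsIgnoreCase(hosts.get(0));
    }

    public static void main(String[] args) {
        // Constructed handshake headers exercising each branch of the algorithm
        Map<String, List<String>> noOrigin = Map.of("Host", List.of("app.example:8080"));
        Map<String, List<String>> sameOrigin = Map.of("Host", List.of("app.example:8080"),
                "Origin", List.of("http://app.example:8080"));
        Map<String, List<String>> crossOrigin = Map.of("Host", List.of("app.example:8080"),
                "Origin", List.of("http://other.example"));
        System.out.println("no Origin, default:        " + isOriginAllowed(noOrigin, null));
        System.out.println("same origin, default:      " + isOriginAllowed(sameOrigin, null));
        System.out.println("cross origin, default:     " + isOriginAllowed(crossOrigin, null));
        System.out.println("cross origin, configured:  " + isOriginAllowed(crossOrigin, "other.example"));
    }
}
```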
See the `rpc-demo-security-jar` demo project.