dropwizard-auth-jwt icon indicating copy to clipboard operation
dropwizard-auth-jwt copied to clipboard

Published 20 hours ago verified publisher icon ToastShaman

Use JWT with Jetty Websockets?

Open situokko opened this issue 8 years ago • 3 comments

I have been using this module with good success with my REST resources, however now as I am implementing Websocket I'd like to use this same authentication there but don't know how to plug it in Changes are it might work as is.

(I tried multiple Websocket libraries but then decided to go with older org.eclipse.jetty.websocket.api classs as the JEE7-based ones were too complicated to use)

Application.run(conf, env)

env.getApplicationContext().addServlet(BroadcastServlet.class, "/ws/*")

public class BroadcastServlet extends WebSocketServlet {
    public void configure(WebSocketServletFactory factory) {
        factory.register(BroadcastSocket.class);
    }
}

public class BroadcastSocket extends WebSocketAdapter {
    public void onWebSocketConnect(Session session) {
        ...
    }
}

So question goes, should this work already just by plugging AuthFilter to that Servlet-mapping somehow or would it require some changes?

As it's a Servlet and not Jax-RS Resource, I assume that Dropwizard will not be searching for the @Auth annotation from inside the WebSocketServlet nor the WebSocketAdapter, so I bet it would require some hacking to get it working so that the @Auth objects would get injected into WebSocketAdapter?

situokko avatar May 03 '16 09:05 situokko

I don't know the exact specifics of your case, but a similar question about DW+Atmosphere was posted some time on SO ago which I answered: http://stackoverflow.com/questions/28103179/authenticate-with-atmosphere-dropwizard/28418653#28418653. It would be pretty easy to just check headers on connect and take appropriate action such as 1) just keeping unauthenticated connections open while not passing data or 2) disconnect immidately or other.

MartinSahlen avatar May 04 '16 06:05 MartinSahlen

I have managed to workaround this in org.eclipse.jetty.websocket.api.WebSocketAdapter.onWebSocketConnect() but it's sort of a hack, and needs to be done by hand for each WebSocket listener.

So instead of doing this in dropwizard-auth-jwt, Dropwizard would need to support AuthFilters for other resources than just standard servlets or Jax-RS resources. I'd want to use @Auth and @RolesAllowed for websockets the same way I can for those other resources.

I do understand that org.eclipse.jetty.websocket.api isn't really the standard API, but JSR-356 was just so complicated that it was the only reasonable library to use. Would hope that the way DW end up implementing this would work for both Jetty WS Api and JSR-356.

situokko avatar Jun 02 '16 02:06 situokko

Also I found out that it isn't actually possible to send custom headers from using Websocket Javascript API on browsers, so passing Authorization-header from browser isn't really possible, so must use query-string, cookie or Websocket-message to pass the auth token.

situokko avatar Jun 02 '16 02:06 situokko