WebSocket Stomp over SockJS - http custom headers

Question

I'm using stomp.js over SockJS in my javascript client. I'm connecting to websocket using

stompClient.connect({}, function (frame) {

stomp over sockJS connection has 2 http requests:

request to /info
http upgrade request

the client sends all cookies. I would like to also send custom headers (e.g. XSRF header) but didn't find a way to do that. Will appreciate any help.

Looks like it is not possible to pass custom HTTP headers to the WebSocket handshake requests. — user1116377, Sep 02 '14 at 06:29
It's possible, but i don't know how to do it with stomp client. — Ruslan, Mar 24 '15 at 13:06
Have you solved your problem? I'm experiencing a similar problem and I'd like to hear your solution, if you have one. — small_ticket, Dec 04 '15 at 14:06

score 9 · Answer 1 · answered Mar 31 '15 at 23:34

9

@Rohitdev So basically you can't send any HTTP headers using stompClient, because STOMP is layer over websockets, and only when websockets handshake happen we have possibility to send custom headers. So only SockJS can send this headers, but for some reasons don't do this: https://github.com/sockjs/sockjs-client/issues/196

answered Mar 31 '15 at 23:34

Ruslan

11,984
8
38
63

Using cookies for authorisation in this scenario will result in granting full access to SockJS communication with your website from any website. This is a classic CSRF attack. (c) https://github.com/sockjs/sockjs-node#authorisation – Andrii Plotnikov Apr 07 '17 at 11:27

score 8 · Answer 2 · edited Apr 27 '18 at 07:23

Custom headers:

stompClient.connect({token: "ABC123"}, function(frame) { ... code ...});

Without Custom headers:

stompClient.connect({}, function(frame) { ... code ...});

In Javascript, you can extract an STOMP header using:

  username = frame.headers['user-name'];

In the server side, if you are using Spring Framework you can implementa an Interceptor to copy the HTTP parmeters to WebSockets STOMP headers.

public class HttpSessionHandshakeInterceptor_personalised implements HandshakeInterceptor {

    @Override
    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
            WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {


        // Set ip attribute to WebSocket session
        attributes.put("ip", request.getRemoteAddress());

        // ============================================= CODIGO PERSONAL
        ServletServerHttpRequest servletRequest = (ServletServerHttpRequest) request;
        HttpServletRequest httpServletRequest = servletRequest.getServletRequest();
//        httpServletRequest.getCookies();
//        httpServletRequest.getParameter("inquiryId");
//        httpServletRequest.getRemoteUser();

         String token = httpServletRequest.getParameter("token");


      ...
    }
}

And for send messages without STOMP parameters:

function sendMessage() {
     var from = document.getElementById('from').value;
     var text = document.getElementById('text').value;
            stompClient.send("/app/chatchannel", {},
               JSON.stringify({'from':from, 'text':text}));
}

and here you are passing parameters into the STOMP headers.

function sendMessage() {
     var from = document.getElementById('from').value;
     var text = document.getElementById('text').value;
            stompClient.send("/app/chatchannel", {'token':'AA123'},
               JSON.stringify({'from':from, 'text':text}));
}

first of all it does not work in spring part. second: see @IRus answer for why — Andrii Plotnikov, Apr 07 '17 at 11:28
But I can send parameters with SockJs, is workig with my implementation. — Sergio, Aug 31 '17 at 18:10
I don't see the header no matter how many times I cast the ServerHttpRequest — nurettin, Jan 03 '19 at 11:03
I confirm, the spring part does not work, there is no "token" parameter available — Migs, Feb 14 '20 at 08:42

score 0 · Answer 3 · answered Jun 13 '20 at 06:28

Use @Header(name = "token") annotation inside the method if you are using Spring boot at the server.

Usage -

@Controller
public class SocketController {

    static final String token = "1234";

    @MessageMapping("/send")
    @SendTo("/receive/changes")
    public Object notify(MessageModel message, @Header(name = "token") String header)throws Exception {
        if(!header.equals(token)) {
            // return when headers do not match
            return("Unauthorized");
        }
        // return the model object with associated sent message
        return new MessageModel(message.getMessage());
    } 
}

You should have a MessageModel class with message variable and required getters, setters and contructor.

In frontend use Stomp

Usage -

function sendMessage() {
     var text = document.getElementById('text').value;
            stompClient.send("/send/message", {'token':'1234'},
               JSON.stringify({'message':text}));
}

To add more security you an use CORS in Spring

WebSocket Stomp over SockJS - http custom headers

3 Answers3

Linked