Security
Ignacio del Valle Alles edited this page Feb 29, 2016 · 13 revisions
Brutusin-RPC integrates seamlessly with Spring Security.

Configuration can be performed as described in the Spring Security reference topic "AbstractSecurityWebApplicationInitializer without Existing Spring".

Programmatic security is available via `getPrincipal()` and `isUserInRole(String roleName)`, obtained from `RpcActionSupport.getInstance()`.

Non-authorized action executions must throw a `java.lang.SecurityException`.
Add the following Spring CSRF meta tags to your client pages using the Javascript API:

```html
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
```

The Javascript API will make use of them as needed.
The framework uses JSR-356 Websockets, with a custom integration with Spring Security that has the following characteristics:

- The Websocket endpoint is deployed behind the Spring `springSecurityFilterChain`.
- In order to avoid CSRF attacks, the following origin verification algorithm is performed (see `WebsocketEndpointConfigurator`):
  - If the handshake request doesn't have an `Origin` header, skip validation.
  - If an `org.brutusin.rpc.cors-host` environment variable has been configured, verify that the `Origin` header matches this value.
  - Else (default case): verify that the `Origin` and `Host` header values match.
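The origin verification decision described above, written out as an added Java illustration; this is not the framework's own `WebsocketEndpointConfigurator` code. The header map, the `corsHost` parameter standing in for the `org.brutusin.rpc.cors-host` setting, and comparing the `Origin` authority (host and port) against the `Host` header are assumptions about how "match" is evaluated.

```java
import java.net.URI;
import java.util.Map;

public final class OriginCheck {

    // Returns true when the Websocket handshake should be accepted.
    // headers: handshake request headers (constructed sample input below).
    // corsHost: hypothetical stand-in for org.brutusin.rpc.cors-host, null if not configured.
    public static boolean isHandshakeAllowed(Map<String, String> headers, String corsHost) {
        String origin = headers.get("Origin");
        if (origin == null) {
            // No Origin header: validation is skipped, as the wiki describes.
            // Browsers always send Origin on Websocket handshakes, so this branch
            // only applies to non-browser clients, which CSRF does not concern.
            return true;
        }
        if (corsHost != null) {
            // Explicitly configured allowed origin: exact (case-insensitive) match.
            return origin.equalsIgnoreCase(corsHost);
        }
        String host = headers.get("Host");
        if (host == null) {
            return false;
        }
        String originAuthority;
        try {
            // "https://app.example:8443" -> "app.example:8443".
            // A literal "null" Origin (sandboxed/opaque origins) has no authority and is rejected.
            originAuthority = URI.create(origin).getAuthority();
        } catch (IllegalArgumentException e) {
            return false; // malformed Origin header: reject rather than guess
        }
        return originAuthority != null && originAuthority.equalsIgnoreCase(host);
    }

    public static void main(String[] args) {
        // Constructed sample handshakes.
        Map<String, String> sameSite = Map.of("Origin", "https://app.example:8443", "Host", "app.example:8443");
        Map<String, String> crossSite = Map.of("Origin", "https://evil.example", "Host", "app.example:8443");
        Map<String, String> opaque = Map.of("Origin", "null", "Host", "app.example:8443");
        Map<String, String> noOrigin = Map.of("Host", "app.example:8443");

        System.out.println(isHandshakeAllowed(sameSite, null));   // true
        System.out.println(isHandshakeAllowed(crossSite, null));  // false
        System.out.println(isHandshakeAllowed(opaque, null));     // false
        System.out.println(isHandshakeAllowed(noOrigin, null));   // true (validation skipped)
        System.out.println(isHandshakeAllowed(crossSite, "https://evil.example")); // true, explicitly allowed
    }
}
```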
See the rpc-demo-security-jar demo project.