To prevent websocket hijacking, the controller has a check for SPRING.SESSION.ID from the message headers. #1

@kantamneninaresh

I have tried to pass the session id by setting the session attributes via setSessionAttributes:

import java.util.HashMap;
import java.util.Map;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;

// Create the STOMP headers for a SEND frame.
StompHeaderAccessor headers = StompHeaderAccessor.create(StompCommand.SEND);

// Put the WebSocket session id into the session attributes (not a native STOMP header).
Map<String, Object> attributes = new HashMap<String, Object>();
attributes.put("SPRING.SESSION.ID", webSocketSession.getId());
headers.setSessionAttributes(attributes);

Finally, this produces the GenericMessage below.

GenericMessage [payload=byte[281], headers={simpMessageType=MESSAGE, stompCommand=SEND, nativeHeaders={destination=[/app/application]}, simpSessionAttributes={SPRING.SESSION.ID=650c6384027749558e186429151d3834}, id=80dacd67-e4bd-390f-2717-01a38dcacf31, contentType=text/plain;charset=UTF-8, simpDestination=/app/application, timestamp=1522243488058}]

IMP: To send a message, it should be of type WebSocketMessage.

One subclass of WebSocketMessage is TextMessage; we convert the above generic message to a TextMessage.

After conversion, only the nativeHeaders are considered; the remaining ones are truncated (this is the library implementation; refer to StompEncoder).

The above webSocketSession was created by extending the TextWebSocketHandler used in the handshake with the WebSocket client.

This is the final header that reached the WebSocket server.

{simpMessageType=MESSAGE, stompCommand=SEND, nativeHeaders={destination=[/app/application], content-length=[281]}, simpSessionAttributes={}, simpHeartbeat=[J@7c33cdb6, lookupDestination=/application, simpSessionId=10e651e0ceeb4afc8c7b83ab6423a5f2, simpDestination=/app/application}

simpSessionAttributes is empty.

Please help.
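As an added illustration (not code from the issue author or from Spring itself): encoding the SEND frame with StompEncoder shows that only the STOMP command and native headers reach the wire, so simpSessionAttributes can never arrive from the client; the server-side attribute map is populated during the handshake (HttpSessionHandshakeInterceptor is assumed to be registered on the endpoint), which is where a hijack check should read from. The session id and destination values below are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.MessageDeliveryException;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompEncoder;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageBuilder;
import org.springframework.web.socket.server.support.HttpSessionHandshakeInterceptor;

public class SessionAttributeDemo {

    /** Client side: build a SEND frame with a session attribute and return the wire bytes as text. */
    static String encodeClientFrame(String sessionId) {
        StompHeaderAccessor headers = StompHeaderAccessor.create(StompCommand.SEND);
        headers.setDestination("/app/application");      // native header: goes on the wire
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("SPRING.SESSION.ID", sessionId);         // simpSessionAttributes: stays local
        headers.setSessionAttributes(attrs);
        byte[] payload = "hello".getBytes(StandardCharsets.UTF_8);
        Message<byte[]> message = MessageBuilder.createMessage(payload, headers.getMessageHeaders());
        // StompEncoder writes the command, the native headers and content-length only:
        // the frame contains "destination:/app/application" and no SPRING.SESSION.ID.
        return new String(new StompEncoder().encode(message), StandardCharsets.UTF_8);
    }

    /** Server side: session attributes come from the handshake, never from client frames. */
    static class HandshakeBoundInterceptor implements ChannelInterceptor {
        @Override
        public Message<?> preSend(Message<?> message, MessageChannel channel) {
            StompHeaderAccessor accessor = StompHeaderAccessor.wrap(message);
            if (StompCommand.SEND.equals(accessor.getCommand())) {
                Map<String, Object> attrs = accessor.getSessionAttributes();
                // HttpSessionHandshakeInterceptor copies the HTTP session id here (assumed registered).
                Object httpSessionId = attrs == null
                        ? null : attrs.get(HttpSessionHandshakeInterceptor.HTTP_SESSION_ID_ATTR_NAME);
                if (httpSessionId == null) {
                    throw new MessageDeliveryException("SEND without a handshake-bound session");
                }
            }
            return message;
        }
    }

    public static void main(String[] args) {
        System.out.println(encodeClientFrame("650c6384027749558e186429151d3834"));
    }
}
```

Registering HandshakeBoundInterceptor on the client inbound channel (and HttpSessionHandshakeInterceptor on the STOMP endpoint) ties each SEND to the session established at handshake time without relying on anything the client puts in the frame.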
