Securing WebSockets
So far, we have secured the chat service and the images service. Or have we?
Well, we configured chat as the Gateway API for our microservices using Spring Cloud Gateway. To do that, we made it the sole source of HTTP session creation. Given that the session details were also included in forwarded web requests, our Gateway API is nicely buttoned up.
However, the chat microservice's critical function is brokering WebSocket messages. And we haven't lifted a finger to secure that component. Time to roll up our sleeves and get to work.
Since our WebSocket handlers are stream oriented, we merely need to slip in a parent class that authorizes things when the WebSocket session is configured, as follows:
    import org.springframework.web.reactive.socket.WebSocketHandler;
    import org.springframework.web.reactive.socket.WebSocketSession;
    import reactor.core.publisher.Mono;

    abstract class AuthorizedWebSocketHandler implements WebSocketHandler {

        // handle() is final so subclasses cannot bypass the authorization check
        @Override
        public final Mono<Void> handle(WebSocketSession session) {
            // The principal established during the HTTP handshake (if any)
            return session.getHandshakeInfo().getPrincipal()
                // drop the principal unless it passes the authorization test
                .filter(this::isAuthorized)
                ...
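One way to complete such a parent class, as an added example rather than the book's own code: the principal from the handshake must be an authenticated Spring Security Authentication carrying an assumed ROLE_USER authority, and the concrete handler runs only inside flatMap, which (unlike then) is skipped entirely when the filter drops the principal. The EchoHandler subclass and the role name are assumptions for illustration.

```java
import java.security.Principal;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.web.reactive.socket.WebSocketHandler;
import org.springframework.web.reactive.socket.WebSocketSession;
import reactor.core.publisher.Mono;

/**
 * Added example (not the book's code): a parent handler that refuses to run
 * the WebSocket logic unless the handshake carried an authenticated user
 * holding ROLE_USER. An anonymous or under-privileged handshake completes
 * the handler empty, so doHandle() is never invoked and no frames flow.
 */
abstract class AuthorizedWebSocketHandler implements WebSocketHandler {

    // Assumed role name; substitute whatever your security config grants.
    private static final SimpleGrantedAuthority REQUIRED =
        new SimpleGrantedAuthority("ROLE_USER");

    @Override
    public final Mono<Void> handle(WebSocketSession session) {
        return session.getHandshakeInfo().getPrincipal()
            // No principal (no session cookie on the handshake) -> empty Mono.
            .filter(this::isAuthorized)
            // flatMap only fires for a principal that survived the filter.
            .flatMap(principal -> doHandle(session));
    }

    private boolean isAuthorized(Principal principal) {
        if (!(principal instanceof Authentication)) {
            return false; // not a Spring Security principal at all
        }
        Authentication auth = (Authentication) principal;
        return auth.isAuthenticated()
            && auth.getAuthorities().contains(REQUIRED);
    }

    /** Subclasses implement the actual message brokering here. */
    protected abstract Mono<Void> doHandle(WebSocketSession session);
}

/** Assumed concrete handler: echoes text frames back to the authorized client. */
class EchoHandler extends AuthorizedWebSocketHandler {
    @Override
    protected Mono<Void> doHandle(WebSocketSession session) {
        return session.send(session.receive()
            .map(msg -> session.textMessage("echo: " + msg.getPayloadAsText())));
    }
}
```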