Tuesday 15 February 2011

Spring Security - Secured WebSocket upgrade over STOMP via SockJS fails with Invalid Upgrade header null


I am working on a web application that uses Spring Security and WebSockets. I am able to utilize WebSockets without issue on my local machine, running the Spring Boot app from a jar with embedded Tomcat. However, when I upload the same jar/project to CloudFoundry or OpenShift (and run it as an executable jar), the protocol upgrade at the time of establishing the WebSocket connection fails.

I made a little sample project that demonstrates the issue (at least when I try it on my machine or on my CloudFoundry or OpenShift account). It is available here: https://github.com/shakuzen/spring-stomp-websocket-test

This is a stripped-down, bare-bones example, but I am able to consistently recreate the issue. The error message in the logs is:

    2014-10-20T00:46:36.69+0900 [App/0] OUT 2014-10-19 15:46:36.698 DEBUG 32 --- [io-61088-exec-5] o.s.w.s.s.s.DefaultHandshakeHandler : Invalid Upgrade header null

The debug logs from DefaultHandshakeHandler before that show that the Upgrade header is missing. However, if you look at the request sent using Chrome's developer tools (or any browser's equivalent tool), you will see that the request is different. The following 2 requests are sent.

1.

    GET /hello/info HTTP/1.1
    Host: sswss-test.cfapps.io
    Connection: keep-alive
    Authorization: basic dgvzdhvzzxi6dgvzdhbhc3m=
    User-Agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/38.0.2125.104 safari/537.36
    Accept: */*
    Referer: http://sswss-test.cfapps.io/message
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-us,en;q=0.8,ja;q=0.6
    Cookie: __vcap_id__=693dd6ff1b494f88a2c8567590da500dc44b4818746a45b28dd98a29b2607395; jsessionid=c5485065fe0a1dbcdf1f148a63d08fc2
    DNT: 1

2.

    GET ws://sswss-test.cfapps.io/hello/863/olm1kojs/websocket HTTP/1.1
    Host: sswss-test.cfapps.io
    Connection: upgrade
    Pragma: no-cache
    Cache-Control: no-cache
    Authorization: basic dgvzdhvzzxi6dgvzdhbhc3m=
    Upgrade: websocket
    Origin: http://sswss-test.cfapps.io
    Sec-WebSocket-Version: 13
    User-Agent: mozilla/5.0 (windows nt 6.3; wow64) applewebkit/537.36 (khtml, gecko) chrome/38.0.2125.104 safari/537.36
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-us,en;q=0.8,ja;q=0.6
    Cookie: __vcap_id__=693dd6ff1b494f88a2c8567590da500dc44b4818746a45b28dd98a29b2607395; jsessionid=c5485065fe0a1dbcdf1f148a63d08fc2
    Sec-WebSocket-Key: 7bw1pg6f9axkvfqv21k/9w==
    Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits

It seems to be taking the first request's headers and failing due to that. However, the same 2 requests (of course with localhost instead of sswss-test.cf.apps.io and different values for the security headers) are sent when I run it on my local machine, and I do not have the issue there. I have tried on Chrome and Firefox.

The GitHub project linked is using Spring Boot 1.2.0.M2, but I tested with the latest release version (1.1.8.RELEASE) and got the same results. I found in searching that perhaps SockJS does not handle relative URLs well, so I tried running the connect command in the console with an absolute URL:

    var socket2 = new SockJS('http://sswss-test.cfapps.io/hello');

But unfortunately the result was the same.

Any suggestions or solutions are appreciated. Feel free to fork the GitHub project and mess around (OpenShift has a free account option, so you can deploy there for free to recreate the issue). I will re-create the relevant portions of the project here.

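WebSocketConfig

    import org.springframework.context.annotation.Configuration;
    import org.springframework.messaging.simp.config.MessageBrokerRegistry;
    import org.springframework.web.socket.config.annotation.AbstractWebSocketMessageBrokerConfigurer;
    import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
    import org.springframework.web.socket.config.annotation.StompEndpointRegistry;

    @Configuration
    @EnableWebSocketMessageBroker
    public class WebSocketConfig extends AbstractWebSocketMessageBrokerConfigurer {

        @Override
        public void configureMessageBroker(MessageBrokerRegistry config) {
            // In-memory broker for subscriptions; /app routes to controller methods
            config.enableSimpleBroker("/queue/", "/topic/");
            config.setApplicationDestinationPrefixes("/app");
        }

        @Override
        public void registerStompEndpoints(StompEndpointRegistry registry) {
            // STOMP endpoint with SockJS fallback transports
            registry.addEndpoint("/hello").withSockJS();
        }
    }

SecurityConfig

My actual application is using Facebook authentication, but I was able to reproduce the issue with basic authentication, so I didn't want to waste more time doing additional setup and adding complexity.

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

    @Configuration
    @EnableWebMvcSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .httpBasic()
                    .and()
                // Configures URL-based authorization
                .authorizeRequests()
                    // The root URL can be accessed without authentication
                    .antMatchers("/").permitAll()
                    // The rest of our application is protected.
                    .antMatchers("/**").authenticated();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                    .withUser("testuser").password("testpass").roles("user").and()
                    .withUser("adminuser").password("adminpass").roles("admin", "user");
        }
    }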

spring-security spring-boot stomp sockjs spring-websocket
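
Added example, not part of the original post or the sample project: a servlet filter that could be dropped into the project to log which handshake headers actually reach the embedded Tomcat on the SockJS `/websocket` path, so the local and hosted runs can be compared. The class name `HandshakeHeaderLoggingFilter` is hypothetical, and the example assumes Spring Boot registers the `Filter` bean automatically and honours `@Order`.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

// Hypothetical diagnostic filter, not part of the sample project. @Order asks for it
// to run ahead of other filters; it logs which RFC 6455 handshake headers reach the app.
// It never logs Authorization, Cookie or the Sec-WebSocket-Key value.
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class HandshakeHeaderLoggingFilter implements Filter {

    private static final Logger log = LoggerFactory.getLogger(HandshakeHeaderLoggingFilter.class);

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // SockJS WebSocket transport path: /hello/{server}/{session}/websocket
        if (http.getRequestURI().endsWith("/websocket")) {
            String upgrade = http.getHeader("Upgrade");
            String connection = http.getHeader("Connection");
            boolean upgradeOk = "websocket".equalsIgnoreCase(upgrade);
            boolean connectionOk = connection != null
                    && connection.toLowerCase(Locale.ROOT).contains("upgrade");
            boolean keyPresent = http.getHeader("Sec-WebSocket-Key") != null;
            log.info("WS handshake {} {}: Upgrade={} Connection={} Version={} key={} -> {}",
                    http.getMethod(), http.getRequestURI(), upgrade, connection,
                    http.getHeader("Sec-WebSocket-Version"), keyPresent ? "present" : "absent",
                    (upgradeOk && connectionOk && keyPresent) ? "complete" : "INCOMPLETE");
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

A line ending in `INCOMPLETE` with `Upgrade=null` means the header was already absent when the request reached the servlet container, before Spring Security or `DefaultHandshakeHandler` processed it.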
