Add Section on Authorization to STOMP WebSocket documentation

[jwedel]

In the Spring Framework Websockets documentation, there is a general section regarding authentication. However, there is no information about authorization. That led me to implement a custom ChannelInterceptor to do authorization based on destinations.

Then, a colleague luckily pointed me to the fact that there is a Spring Security implementation for web sockets and separate documentation, and I could throw away my code (which is good in the end).

My proposal is to add a section about authorization to the Spring Framework Websockets section that explains shortly how this is done (using AbstractSecurityWebSocketMessageBrokerConfigurer) or at least add a link to the Spring Security docs.

If this makes sense to you, I could also try to provide a PR. If you have suggestions (scope, location) for the PR, please let me know.

References:

• https://docs.spring.io/spring-framework/docs/current/reference/html/web.html#websocket
• https://docs.spring.io/spring-security/site/docs/5.0.7.RELEASE/reference/html/websocket.html

[sbrannen]

My proposal is to add a section about authorization to the Spring Framework Websockets section that explains shortly how this is done (using AbstractSecurityWebSocketMessageBrokerConfigurer) or at least add a link to the Spring Security docs.

The Authentication section already contains a NOTE about Spring Security's ChannelInterceptor and Spring Session's WebSocket integration.

So, beside the fact that those links are currently broken, I think that suffices (if we fix the links), since we generally do not like to duplicate documentation from other Spring portfolio projects.

@jwedel, have you seen the NOTE I'm referring to?

---

Update: broken links have been fixed in 709a41f.

[jwedel]

Hi @sbrannen ,

thanks for the quick reply.

honestly, I didn’t see it. I was looking for this before I implemented the ChannelInterceptor and even again before I raised that issue.

I think the note is good and fixing the link is definitely also good.

I think my problem was, that authentication worked out of the box, so I didn’t look at the “Authentication” section in the docs.

I was specifically looking for Authorization.

One suggestion would be, to rename the section to “Authentication & Authorization”. Then it’s easier for the reader to find it when looking at the table of contents.

[sbrannen]

One suggestion would be, to rename the section to “Authentication & Authorization”. Then it’s easier for the reader to find it when looking at the table of contents.

I think that's a reasonable improvement.

@rstoyanchev, are you OK with renaming that section to "Authentication and Authorization"?

[rstoyanchev]

Yes, I think it's fine to do that or even provide a separate section for Authorizaiton to make it more prominent. I'll go ahead and do that.