Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
6.16.0
-
None
Description
Our application uses Spring Security for authentication and authorization. We want to push rendered components to clients via WebSocketRequestHandler.add().
The problem we are hitting is that (at least) the component rendering needs to take place in the (Spring Security) context of the user to whom the component "belongs". Effectively, next to the ThreadContext.set... calls in AbstractWebSocketProcessor.broadcastMessage(), we would like to call SecurityContextHolder.setContext(). To do that, we would need some sort of hook that is invoked before sendPayload() is called.
I am happy to provide a patch, but would rather discuss the approach first. For instance, if this hook is simply an overridable method such as AWSP.broadcastMessageToPage() in the attached proof of concept, it would be fairly invasive to use from the Wicket user's perspective. The user would have to:
- subclass the respective AbstractWebSocketProcessor server-specific subclass
- subclass the respective server-specific web filter
- in the filter, override a (newly introduced) newWebSocketProcessor() method to return the custom AbstractWebSocketProcessor subclass
Do you see a better way, or perhaps more in line with the direction you want to take Wicket's WebSocket API?