Security

Ralph Schaer edited this page Apr 28, 2026 · 1 revision

wamp2spring integrates with Spring Security through dedicated servlet and reactive modules.

What the security modules provide

  • propagation of the current principal into WAMP message headers
  • an AuthenticationPrincipalArgumentResolver for handler methods
  • Spring Security authorization rules for inbound WAMP messages
  • destination-aware matching for procedures and topics

Artifacts

  • wamp2spring-security-servlet
  • wamp2spring-security-reactive

Both rely on the shared wamp2spring-security-core support.

Configurer base classes

Use one of these base classes to define rules:

  • AbstractSecurityWampServletConfigurer
  • AbstractSecurityWampReactiveConfigurer

Each base class adds the security context interceptor and lets you configure inbound authorization rules through configureInbound.

Example

import org.springframework.context.annotation.Configuration;

import ch.rasc.wamp2spring.security.WampMessageSecurityMetadataSourceRegistry;
import ch.rasc.wamp2spring.security.servlet.AbstractSecurityWampServletConfigurer;

@Configuration
public class WampSecurityConfiguration extends AbstractSecurityWampServletConfigurer {

  @Override
  protected void configureInbound(WampMessageSecurityMetadataSourceRegistry messages) {
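    // CALL messages for the procedure admin.shutdown require the ADMIN role.
    messages.callMessage("admin.shutdown").hasRole("ADMIN");
    // PUBLISH messages to the topic audit.events require the SCOPE_audit.write authority.
    messages.publishMessage("audit.events").hasAuthority("SCOPE_audit.write");
    // SUBSCRIBE messages for public.topic are permitted for everyone.
    messages.subscribeMessage("public.topic").permitAll();
    // Rule for any WAMP message: the sender must be authenticated.
    messages.anyMessage().authenticated();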
  }

}

Matching model

Security rules can target:

  • any WAMP message
  • register messages
  • call messages
  • subscribe messages
  • publish messages
  • procedure destinations
  • topic destinations

Destination-aware matching supports the same WAMP matching semantics used by the core routing logic.
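
Added example, not part of wamp2spring or of the original page: a stand-alone Java model of the exact, prefix and wildcard match policies from the WAMP specification, used to list every rule pattern that covers a destination so that overlapping rules show up in review. The names `Policy`, `Rule`, `matches`, `wildcard` and `covering`, the rule set and the URIs are constructed for illustration, and treating "WAMP matching semantics" as these three policies is an assumption, since the page does not enumerate them (Java 17 syntax).

```java
import java.util.List;

// Stand-alone model of WAMP match policies; it uses no wamp2spring classes.
public class WampMatchDemo {

  enum Policy { EXACT, PREFIX, WILDCARD }

  // Hypothetical rule record: match policy, URI pattern, free-text access label.
  record Rule(Policy policy, String pattern, String access) {}

  static boolean matches(Policy policy, String pattern, String uri) {
    return switch (policy) {
      case EXACT -> uri.equals(pattern);
      // Plain string prefix: "admin" also covers "administration.report".
      case PREFIX -> uri.startsWith(pattern);
      case WILDCARD -> wildcard(pattern, uri);
    };
  }

  // An empty component in the pattern matches exactly one URI component,
  // so pattern and URI must have the same number of components.
  static boolean wildcard(String pattern, String uri) {
    String[] p = pattern.split("\\.", -1);
    String[] u = uri.split("\\.", -1);
    if (p.length != u.length) {
      return false;
    }
    for (int i = 0; i < p.length; i++) {
      if (!p[i].isEmpty() && !p[i].equals(u[i])) {
        return false;
      }
    }
    return true;
  }

  // Every rule whose pattern covers the destination, not only the first one.
  static List<Rule> covering(List<Rule> rules, String uri) {
    return rules.stream().filter(r -> matches(r.policy(), r.pattern(), uri)).toList();
  }

  public static void main(String[] args) {
    // Constructed rule set and destinations, for illustration only.
    List<Rule> rules = List.of(
        new Rule(Policy.EXACT, "admin.shutdown", "ADMIN"),
        new Rule(Policy.PREFIX, "admin", "ADMIN"),
        new Rule(Policy.WILDCARD, "tenant..events", "authenticated"),
        new Rule(Policy.PREFIX, "public.", "permitAll"));
    for (String uri : List.of("admin.shutdown", "administration.report",
        "tenant.acme.events", "tenant.acme.events.raw", "public.topic", "publicity")) {
      System.out.println(uri + " -> " + covering(rules, uri));
    }
  }
}
```

A destination that is covered by more than one rule, or by none, is the case to check against the configured rules before deployment.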

Transport principal vs WAMP authentication

If the underlying transport already has an authenticated principal, wamp2spring can propagate it into the WAMP session.

If you use WAMP authentication providers, the authenticated WAMP principal becomes part of the session metadata and is also available to security-aware processing.

For protocol-level authentication providers and handshake flow, see Authentication.