From a90b386b1c9712f267a0d19b980e858d64f05a5a Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Sun, 11 Feb 2018 19:08:47 +0100
Subject: [PATCH] Catch unauthenticated WebSocket messages

---
 .../websocket/WebsocketAuthenticationAspect.java  | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/websocket/WebsocketAuthenticationAspect.java b/src/main/java/de/thm/arsnova/websocket/WebsocketAuthenticationAspect.java
index 6f86f6056..e258be2f0 100644
--- a/src/main/java/de/thm/arsnova/websocket/WebsocketAuthenticationAspect.java
+++ b/src/main/java/de/thm/arsnova/websocket/WebsocketAuthenticationAspect.java
@@ -28,6 +28,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Configurable;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -58,14 +59,20 @@ public class WebsocketAuthenticationAspect {
 			final SocketIOClient client, final T message) throws Throwable {
 		logger.debug("Executing WebsocketAuthenticationAspect for onData event: Session Id: {}, Message Class: {}",
 				client.getSessionId(), message.getClass());
-		populateSecurityContext(client.getSessionId());
-		pjp.proceed();
-		clearSecurityContext();
+		try {
+			populateSecurityContext(client.getSessionId());
+			pjp.proceed();
+		} finally {
+			clearSecurityContext();
+		}
 	}
 
 	private void populateSecurityContext(final UUID socketId) {
-		SecurityContext context = SecurityContextHolder.getContext();
 		UserAuthentication userAuth = userService.getUserToSocketId(socketId);
+		if (userAuth == null) {
+			throw new AccessDeniedException("No user authenticated for WebSocket connection");
+		}
+		SecurityContext context = SecurityContextHolder.getContext();
 		Set<GrantedAuthority> authorities = new HashSet<>();
 		authorities.add(WEBSOCKET_AUTHORITY);
 		User user = new User(userAuth, authorities);
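Review bot: The rejection at the new `if (userAuth == null)` check is silent: nothing is logged before the throw and the exception message names neither the socket nor the message class, so repeated unauthenticated messages leave no trace beyond whatever the caller of onData does with the exception. I would log the event before throwing, e.g. `logger.warn("Rejecting message on unauthenticated WebSocket connection: Session Id: {}", socketId);`, keeping the message payload out of the log line. Where the AccessDeniedException ends up — whether the client is informed or it is only logged — is decided by the Socket.IO layer that invokes onData, which is outside this hunk; worth confirming it does not tear down the listener or surface an unhandled stack trace. The body of populateSecurityContext continues past the end of the hunk.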
-- 
GitLab