Allow WebSocket over HTTP CONNECT

rstoyanchev · rstoyanchev · commit f477c1653d2d · 2025-02-03T15:28:27.000Z
Closes gh-34044
diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/socket/server/support/HandshakeWebSocketService.java b/spring-webflux/src/main/java/org/springframework/web/reactive/socket/server/support/HandshakeWebSocketService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2023 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
@@ -66,6 +67,9 @@
  */
 public class HandshakeWebSocketService implements WebSocketService, Lifecycle {
 
+	// For WebSocket upgrades in HTTP/2 (see RFC 8441)
+	private static final HttpMethod CONNECT_METHOD = HttpMethod.valueOf("CONNECT");
+
 	private static final String SEC_WEBSOCKET_KEY = "Sec-WebSocket-Key";
 
 	private static final String SEC_WEBSOCKET_PROTOCOL = "Sec-WebSocket-Protocol";
@@ -201,9 +205,9 @@ public Mono<Void> handleRequest(ServerWebExchange exchange, WebSocketHandler han
 		HttpMethod method = request.getMethod();
 		HttpHeaders headers = request.getHeaders();
 
-		if (HttpMethod.GET != method) {
+		if (HttpMethod.GET != method && CONNECT_METHOD != method) {
 			return Mono.error(new MethodNotAllowedException(
-					request.getMethod(), Collections.singleton(HttpMethod.GET)));
+					request.getMethod(), Set.of(HttpMethod.GET, CONNECT_METHOD)));
 		}
 
 		if (!"WebSocket".equalsIgnoreCase(headers.getUpgrade())) {
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/server/support/AbstractHandshakeHandler.java b/spring-websocket/src/main/java/org/springframework/web/socket/server/support/AbstractHandshakeHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -77,6 +78,9 @@
  */
 public abstract class AbstractHandshakeHandler implements HandshakeHandler, Lifecycle {
 
+	// For WebSocket upgrades in HTTP/2 (see RFC 8441)
+	private static final HttpMethod CONNECT_METHOD = HttpMethod.valueOf("CONNECT");
+
 	private static final boolean tomcatWsPresent;
 
 	private static final boolean jettyWsPresent;
@@ -210,11 +214,12 @@ public final boolean doHandshake(ServerHttpRequest request, ServerHttpResponse r
 			logger.trace("Processing request " + request.getURI() + " with headers=" + headers);
 		}
 		try {
-			if (HttpMethod.GET != request.getMethod()) {
+			HttpMethod httpMethod = request.getMethod();
+			if (HttpMethod.GET != httpMethod && CONNECT_METHOD != httpMethod) {
 				response.setStatusCode(HttpStatus.METHOD_NOT_ALLOWED);
-				response.getHeaders().setAllow(Collections.singleton(HttpMethod.GET));
+				response.getHeaders().setAllow(Set.of(HttpMethod.GET, CONNECT_METHOD));
 				if (logger.isErrorEnabled()) {
-					logger.error("Handshake failed due to unexpected HTTP method: " + request.getMethod());
+					logger.error("Handshake failed due to unexpected HTTP method: " + httpMethod);
 				}
 				return false;
 			}
