Silhouette + Websockets + JWT

Hi there,

We would like to use the Silhouette Websockets security documented here:

However this does not describe how a JWT token is expected to be set on the handshake request. There is a ticket here which points to a dead forum link:

It would be good if the documentation could elaborate how things are supposed to work or even show this in one of the seed apps.


Please see the configuration options of the JWTAuthenticator. The settings object has a property requestParts.

Some request parts from which a value can be extracted, or None to extract values from any part of the request. The default is set to Headers only. This functionality is useful if the token should be transported in another part of the request. For a WebSocket, for example, the token must be transported in the query string.

Hope that clarifies how you can handle the handshake.

Best regards,

I’m just starting with Silhouette and struggling also on how to
do the websocket endpoint. I could not understand:
"…For a WebSocket the token must be transported in a query string as example."

An example of a websocket that allows logged-in users but not others would be great.
Any pointers to more info?

@smartworkingdog Have you looked at the provided example?

…For a WebSocket the token must be transported in a query string as example.

refers to

This means that from JavaScript you can only send the token in the query string, because you cannot send the token in the header.

thanks for your reply, the links you provided gave me some useful info.

I modified the very helpful seed example:

and now have in my ApplicationController:

  def index = silhouette.SecuredAction.async { implicit request =>
    ....
  }

  def signOut = ....

  def secureSocket = WebSocket.acceptOrResult[JsValue, JsValue] {
    case request if sameOriginCheck(request) =>
      implicit val req = Request(request, AnyContentAsEmpty)
      silhouette.SecuredRequestHandler { securedRequest =>
        Future.successful(HandlerResult(Ok, Some(securedRequest.identity)))
      }.map {
        case HandlerResult(r, Some(user)) =>
          Right(ActorFlow.actorRef(out => ClientSocket.props(user, clientList)(out, mediator, dbService, dbAccess)))
        case HandlerResult(r, None) => Left(r)
      }
    case rejected => Future.successful { Left(Forbidden("forbidden")) }
  }

and a test javascript client:

  var wsUri = "ws://localhost:9000/secureSocket";
  var testMsg = {"msg": "someMsg", "payload": "somePayload"};
  var output;
  var websocket;
  function init() {
    output = document.getElementById("output");
    websocket = new WebSocket(wsUri);
    websocket.onopen = function(evt) { onOpen(evt) };
    websocket.onclose = function(evt) { onClose(evt) };
    websocket.onmessage = function(evt) { onMessage(evt) };
    websocket.onerror = function(evt) { onError(evt) };
  }

  function onOpen(evt) {
    // ...
  }
  window.addEventListener("load", init, false);

The login etc. work well, but I don’t understand how the websocket is going to “know” which user it is dealing with. My test client connects to the websocket, but then fails and never gets to my ClientSocket actor because (I think) there is no “user” to check in the request. Is there an example of how to have such a websocket allow logged-in users (through index) but not others?

I suppose the client has to send “The token”, maybe something like:

var wsUri = new WebSocket("ws://localhost:9000/secureSocket?token=value");

but where do I get this token from? And how do I extract it from the request at the server and then let Silhouette use it?


The token-based providers have a configuration setting called requestParts. If you transport the token in the query string, then you must change the setting to RequestPart.QueryString.

Note that you need the Ficus enumeration reader imported if you read the authenticator settings from the Play config file.

Best regards,
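The two replies above in one place, as an added example that is neither from this thread nor from the Silhouette project: the config and the Ficus reader that widen requestParts to the query string, and the handshake URL the browser client has to build from the same fieldName. It assumes Silhouette 5.x package names (com.mohiva.play.silhouette), Play 2.6 with Ficus on the classpath, and the seed's "silhouette.authenticator" config path; the HOCON values are constructed placeholders.

```scala
// Added example, not code from the thread or from Silhouette itself.
// Assumes Silhouette 5.x (com.mohiva.play.silhouette), Play 2.6 and Ficus.
import com.mohiva.play.silhouette.api.util.RequestPart
import com.mohiva.play.silhouette.impl.authenticators.JWTAuthenticatorSettings
import net.ceedubs.ficus.Ficus._
import net.ceedubs.ficus.readers.ArbitraryTypeReader._
import net.ceedubs.ficus.readers.EnumerationReader._ // required to parse requestParts
import play.api.Configuration

// application.conf excerpt (constructed placeholder values) read by fromConfig below:
//
//   silhouette.authenticator {
//     fieldName    = "X-Auth-Token"
//     # default is ["headers"]; a browser WebSocket cannot set request headers,
//     # so additionally accept the token from the query string
//     requestParts = ["headers", "query-string"]
//     issuerClaim  = "play-silhouette"
//     authenticatorExpiry = 12 hours
//     sharedSecret = "replace-with-a-long-random-secret"   # placeholder
//   }

object JwtSocketSettings {

  // Parse the settings from application.conf. Without EnumerationReader the
  // string list under requestParts cannot be mapped onto RequestPart values
  // and the reader fails at startup.
  def fromConfig(configuration: Configuration): JWTAuthenticatorSettings =
    configuration.underlying.as[JWTAuthenticatorSettings]("silhouette.authenticator")

  // Programmatic equivalent for settings that are already wired up elsewhere:
  // only the request parts are widened, everything else is kept.
  def allowQueryString(base: JWTAuthenticatorSettings): JWTAuthenticatorSettings =
    base.copy(requestParts = Some(Seq(RequestPart.Headers, RequestPart.QueryString)))

  // Silhouette looks the token up under the same fieldName in every request part,
  // so the query parameter is the header name, not an arbitrary "token" key:
  //   ws://localhost:9000/secureSocket?X-Auth-Token=<jwt from the login response>
  def handshakeUrl(settings: JWTAuthenticatorSettings, wsBase: String, token: String): String = {
    val encoded = java.net.URLEncoder.encode(token, "UTF-8")
    s"$wsBase?${settings.fieldName}=$encoded"
  }
}
```

The token itself is the value Silhouette returns in the X-Auth-Token response header after a successful sign-in; the JavaScript client passes that value to handshakeUrl (or builds the same URL itself) before calling new WebSocket.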