Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-24 11:13:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Default to XorCsrfChannelInterceptor in XML

Browse Source 
Change WebSocketMessageBrokerSecurityBeanDefinitionParser to use
XorCsrfChannelInterceptor by default, so WebSocket XML configuration
matches the default Xor-based configuration already in
WebSocketMessageBrokerSecurityConfiguration.

Closes gh-17260

Signed-off-by: Matt Magoffin <matt@solarnetwork.net>
This commit is contained in:
Matt Magoffin 2025-06-21 07:20:46 +12:00 committed by Josh Cummings
parent a9636c72d1
commit 62252c1232
No known key found for this signature in database
GPG Key ID: 869B37A20E876129
2 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
View File

@ -70,7 +70,7 @@ import org.springframework.security.messaging.context.SecurityContextChannelInte
import org.springframework.security.messaging.util.matcher.MessageMatcher;
import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
import org.springframework.security.messaging.util.matcher.SimpMessageTypeMatcher;
import org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor;
import org.springframework.security.messaging.web.csrf.XorCsrfChannelInterceptor;
import org.springframework.security.messaging.web.socket.server.CsrfTokenHandshakeInterceptor;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.Assert;
@ -368,7 +368,7 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
interceptors.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class));
if (!this.sameOriginDisabled) {
if (!registry.containsBeanDefinition(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID)) {
interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
interceptors.add(new RootBeanDefinition(XorCsrfChannelInterceptor.class));
}
else {
interceptors.add(new RuntimeBeanReference(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID));

12
config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java
View File

@ -20,6 +20,7 @@ import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;
@ -98,6 +99,13 @@ public class WebSocketMessageBrokerConfigTests {
private static final String CONFIG_LOCATION_PREFIX = "classpath:org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests";
/*
* Token format: "token" length random pad bytes + "token" (each byte UTF8 ^= 1).
*/
private static final byte[] XOR_CSRF_TOKEN_BYTES = new byte[] { 1, 1, 1, 1, 1, 117, 110, 106, 100, 111 };
private static final String XOR_CSRF_TOKEN_VALUE = Base64.getEncoder().encodeToString(XOR_CSRF_TOKEN_BYTES);
public final SpringTestContext spring = new SpringTestContext(this);
@Autowired(required = false)
@ -126,7 +134,7 @@ public class WebSocketMessageBrokerConfigTests {
public void sendWhenAnonymousMessageWithConnectMessageTypeThenPermitted() {
this.spring.configLocations(xml("NoIdConfig")).autowire();
SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT);
headers.setNativeHeader(this.token.getHeaderName(), this.token.getToken());
headers.setNativeHeader(this.token.getHeaderName(), XOR_CSRF_TOKEN_VALUE);
this.clientInboundChannel.send(message("/permitAll", headers));
}
@ -198,7 +206,7 @@ public class WebSocketMessageBrokerConfigTests {
public void sendWhenAnonymousMessageWithConnectMessageTypeThenAuthorizationManagerPermits() {
this.spring.configLocations(xml("NoIdAuthorizationManager")).autowire();
SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT);
headers.setNativeHeader(this.token.getHeaderName(), this.token.getToken());
headers.setNativeHeader(this.token.getHeaderName(), XOR_CSRF_TOKEN_VALUE);
this.clientInboundChannel.send(message("/permitAll", headers));
}