mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-09 11:53:30 +00:00
Merge branch '6.3.x' into 6.4.x
Closes gh-17494
This commit is contained in:
commit
8461feb028
@ -301,6 +301,8 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
|
||||
|
||||
private static final String CLIENT_INBOUND_CHANNEL_BEAN_ID = "clientInboundChannel";
|
||||
|
||||
private static final String CSRF_CHANNEL_INTERCEPTOR_BEAN_ID = "csrfChannelInterceptor";
|
||||
|
||||
private static final String INTERCEPTORS_PROP = "interceptors";
|
||||
|
||||
private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers";
|
||||
@ -364,7 +366,12 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
|
||||
ManagedList<Object> interceptors = new ManagedList();
|
||||
interceptors.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class));
|
||||
if (!this.sameOriginDisabled) {
|
||||
interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
|
||||
if (!registry.containsBeanDefinition(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID)) {
|
||||
interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
|
||||
}
|
||||
else {
|
||||
interceptors.add(new RuntimeBeanReference(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID));
|
||||
}
|
||||
}
|
||||
interceptors.add(registry.getBeanDefinition(this.inboundSecurityInterceptorId));
|
||||
BeanDefinition inboundChannel = registry.getBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID);
|
||||
|
@ -48,6 +48,7 @@ import org.springframework.messaging.handler.invocation.HandlerMethodArgumentRes
|
||||
import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
|
||||
import org.springframework.messaging.simp.SimpMessageType;
|
||||
import org.springframework.messaging.support.ChannelInterceptor;
|
||||
import org.springframework.messaging.support.ExecutorSubscribableChannel;
|
||||
import org.springframework.messaging.support.GenericMessage;
|
||||
import org.springframework.security.access.AccessDeniedException;
|
||||
import org.springframework.security.access.expression.SecurityExpressionOperations;
|
||||
@ -521,6 +522,16 @@ public class WebSocketMessageBrokerConfigTests {
|
||||
verify(authorizationManager).check(any(), any());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void configureWhenCsrfChannelInterceptorBeanThenUses() {
|
||||
this.spring.configLocations(xml("CustomCsrfInterceptor")).autowire();
|
||||
ExecutorSubscribableChannel channel = this.spring.getContext()
|
||||
.getBean("clientInboundChannel", ExecutorSubscribableChannel.class);
|
||||
ChannelInterceptor interceptor = this.spring.getContext()
|
||||
.getBean("csrfChannelInterceptor", ChannelInterceptor.class);
|
||||
assertThat(channel.getInterceptors()).contains(interceptor);
|
||||
}
|
||||
|
||||
private String xml(String configName) {
|
||||
return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
|
||||
}
|
||||
|
@ -0,0 +1,34 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
~ Copyright 2002-2018 the original author or authors.
|
||||
~
|
||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~ you may not use this file except in compliance with the License.
|
||||
~ You may obtain a copy of the License at
|
||||
~
|
||||
~ https://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing, software
|
||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~ See the License for the specific language governing permissions and
|
||||
~ limitations under the License.
|
||||
-->
|
||||
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns="http://www.springframework.org/schema/security"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
|
||||
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<b:import resource="classpath:org/springframework/security/config/websocket/controllers.xml"/>
|
||||
<b:import resource="classpath:org/springframework/security/config/websocket/websocket.xml"/>
|
||||
|
||||
<b:bean id="csrfChannelInterceptor" class="org.mockito.Mockito" factory-method="mock">
|
||||
<b:constructor-arg value="org.springframework.messaging.support.ChannelInterceptor" type="java.lang.Class"/>
|
||||
</b:bean>
|
||||
|
||||
<websocket-message-broker use-authorization-manager="false">
|
||||
<intercept-message pattern="/**" access="denyNile()"/>
|
||||
</websocket-message-broker>
|
||||
|
||||
</b:beans>
|
Loading…
x
Reference in New Issue
Block a user