Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-09 11:53:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '6.4.x' into 6.5.x

Browse Source 
Closes gh-17495
This commit is contained in:
Josh Cummings 2025-07-07 12:53:59 -06:00
commit bc20bd6340
No known key found for this signature in database
GPG Key ID: 869B37A20E876129
3 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
View File

@ -301,6 +301,8 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
private static final String CLIENT_INBOUND_CHANNEL_BEAN_ID = "clientInboundChannel"; private static final String CLIENT_INBOUND_CHANNEL_BEAN_ID = "clientInboundChannel";
private static final String CSRF_CHANNEL_INTERCEPTOR_BEAN_ID = "csrfChannelInterceptor";
private static final String INTERCEPTORS_PROP = "interceptors"; private static final String INTERCEPTORS_PROP = "interceptors";
private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers"; private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers";
@ -364,8 +366,13 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
ManagedList<Object> interceptors = new ManagedList(); ManagedList<Object> interceptors = new ManagedList();
interceptors.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class)); interceptors.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class));
if (!this.sameOriginDisabled) { if (!this.sameOriginDisabled) {
if (!registry.containsBeanDefinition(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID)) {
interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class)); interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
} }
else {
interceptors.add(new RuntimeBeanReference(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID));
}
}
interceptors.add(registry.getBeanDefinition(this.inboundSecurityInterceptorId)); interceptors.add(registry.getBeanDefinition(this.inboundSecurityInterceptorId));
BeanDefinition inboundChannel = registry.getBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID); BeanDefinition inboundChannel = registry.getBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID);
PropertyValue currentInterceptorsPv = inboundChannel.getPropertyValues() PropertyValue currentInterceptorsPv = inboundChannel.getPropertyValues()

11
config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java
View File

@ -48,6 +48,7 @@ import org.springframework.messaging.handler.invocation.HandlerMethodArgumentRes
import org.springframework.messaging.simp.SimpMessageHeaderAccessor; import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
import org.springframework.messaging.simp.SimpMessageType; import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.messaging.support.ChannelInterceptor; import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.ExecutorSubscribableChannel;
import org.springframework.messaging.support.GenericMessage; import org.springframework.messaging.support.GenericMessage;
import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.expression.SecurityExpressionOperations; import org.springframework.security.access.expression.SecurityExpressionOperations;
@ -521,6 +522,16 @@ public class WebSocketMessageBrokerConfigTests {
verify(authorizationManager).check(any(), any()); verify(authorizationManager).check(any(), any());
} }
@Test
public void configureWhenCsrfChannelInterceptorBeanThenUses() {
this.spring.configLocations(xml("CustomCsrfInterceptor")).autowire();
ExecutorSubscribableChannel channel = this.spring.getContext()
.getBean("clientInboundChannel", ExecutorSubscribableChannel.class);
ChannelInterceptor interceptor = this.spring.getContext()
.getBean("csrfChannelInterceptor", ChannelInterceptor.class);
assertThat(channel.getInterceptors()).contains(interceptor);
}
private String xml(String configName) { private String xml(String configName) {
return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml"; return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
} }

34
config/src/test/resources/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests-CustomCsrfInterceptor.xml Normal file
View File

@ -0,0 +1,34 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright 2002-2018 the original author or authors.
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ https://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->
<b:beans xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
<b:import resource="classpath:org/springframework/security/config/websocket/controllers.xml"/>
<b:import resource="classpath:org/springframework/security/config/websocket/websocket.xml"/>
<b:bean id="csrfChannelInterceptor" class="org.mockito.Mockito" factory-method="mock">
<b:constructor-arg value="org.springframework.messaging.support.ChannelInterceptor" type="java.lang.Class"/>
</b:bean>
<websocket-message-broker use-authorization-manager="false">
<intercept-message pattern="/**" access="denyNile()"/>
</websocket-message-broker>
</b:beans>