diff --git a/config/src/main/java/org/springframework/security/config/Elements.java b/config/src/main/java/org/springframework/security/config/Elements.java
index 99ee4fd199..99bd1511b1 100644
--- a/config/src/main/java/org/springframework/security/config/Elements.java
+++ b/config/src/main/java/org/springframework/security/config/Elements.java
@@ -55,6 +55,6 @@ public abstract class Elements {
public static final String HEADERS = "headers";
public static final String CSRF = "csrf";
- public static final String MESSAGES = "messages";
- public static final String INTERCEPT_MESSAGE = "message-interceptor";
+ public static final String WEBSOCKET_MESSAGE_BROKER = "websocket-message-broker";
+ public static final String INTERCEPT_MESSAGE = "intercept-message";
}
diff --git a/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java b/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
index a409339c79..da3a5c8105 100644
--- a/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
+++ b/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java
@@ -38,10 +38,10 @@ import org.springframework.security.config.http.HttpSecurityBeanDefinitionParser
import org.springframework.security.config.ldap.LdapProviderBeanDefinitionParser;
import org.springframework.security.config.ldap.LdapServerBeanDefinitionParser;
import org.springframework.security.config.ldap.LdapUserServiceBeanDefinitionParser;
-import org.springframework.security.config.message.MessageSecurityBeanDefinitionParser;
import org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser;
import org.springframework.security.config.method.InterceptMethodsBeanDefinitionDecorator;
import org.springframework.security.config.method.MethodSecurityMetadataSourceBeanDefinitionParser;
+import org.springframework.security.config.websocket.WebSocketMessageBrokerSecurityBeanDefinitionParser;
import org.springframework.security.core.SpringSecurityCoreVersion;
import org.springframework.util.ClassUtils;
import org.w3c.dom.Element;
@@ -179,7 +179,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
}
if(ClassUtils.isPresent(MESSAGE_CLASSNAME, getClass().getClassLoader())) {
- parsers.put(Elements.MESSAGES, new MessageSecurityBeanDefinitionParser());
+ parsers.put(Elements.WEBSOCKET_MESSAGE_BROKER, new WebSocketMessageBrokerSecurityBeanDefinitionParser());
}
}
diff --git a/config/src/main/java/org/springframework/security/config/message/MessageSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
similarity index 92%
rename from config/src/main/java/org/springframework/security/config/message/MessageSecurityBeanDefinitionParser.java
rename to config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
index b4a4625d52..6b820bbd3b 100644
--- a/config/src/main/java/org/springframework/security/config/message/MessageSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
@@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-package org.springframework.security.config.message;
+package org.springframework.security.config.websocket;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -42,13 +42,13 @@ import org.w3c.dom.Element;
import java.util.List;
/**
- * Parses Spring Security's message namespace support. A simple example is:
+ * Parses Spring Security's websocket namespace support. A simple example is:
*
*
- * <messages>
- * <message-interceptor pattern='/permitAll' access='permitAll' />
- * <message-interceptor pattern='/denyAll' access='denyAll' />
- * </messages>
+ * <websocket-message-broker>
+ * <intercept-message pattern='/permitAll' access='permitAll' />
+ * <intercept-message pattern='/denyAll' access='denyAll' />
+ * </websocket-message-broker>
*
*
*
@@ -63,10 +63,10 @@ import java.util.List;
*
*
*
- * <messages id="channelSecurityInterceptor">
- * <message-interceptor pattern='/permitAll' access='permitAll' />
- * <message-interceptor pattern='/denyAll' access='denyAll' />
- * </messages>
+ * <websocket-message-broker id="channelSecurityInterceptor">
+ * <intercept-message pattern='/permitAll' access='permitAll' />
+ * <intercept-message pattern='/denyAll' access='denyAll' />
+ * </websocket-message-broker>
*
*
*
@@ -78,8 +78,8 @@ import java.util.List;
* @author Rob Winch
* @since 4.0
*/
-public final class MessageSecurityBeanDefinitionParser implements BeanDefinitionParser {
- private static final Log logger = LogFactory.getLog(MessageSecurityBeanDefinitionParser.class);
+public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements BeanDefinitionParser {
+ private static final Log logger = LogFactory.getLog(WebSocketMessageBrokerSecurityBeanDefinitionParser.class);
private static final String ID_ATTR = "id";
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
index 2b1ce65ece..6546af2f5a 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
@@ -272,22 +272,22 @@ protect-pointcut.attlist &=
## Access configuration attributes list that applies to all methods matching the pointcut, e.g. "ROLE_A,ROLE_B"
attribute access {xsd:token}
-messages =
+websocket-message-broker =
## Allows securing a Message Broker. There are two modes. If no id is specified: ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver; ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel; and that a ChannelSecurityInterceptor is registered with the clientInboundChannel. If the id is specified, creates a ChannelSecurityInterceptor that can be manually registered with the clientInboundChannel.
- element messages { messages.attrlist, (message-interceptor*) }
+ element websocket-message-broker { websocket-message-broker.attrlist, (intercept-message*) }
-messages.attrlist &=
+websocket-message-broker.attrlist &=
## A bean identifier, used for referring to the bean elsewhere in the context. If specified, explicit configuration within clientInboundChannel is required. If not specified, ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver; ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel; and that a ChannelSecurityInterceptor is registered with the clientInboundChannel.
attribute id {xsd:token}?
-message-interceptor =
- ## Creates an authorization rule for a message.
- element message-interceptor {message-interceptor.attrlist}
+intercept-message =
+ ## Creates an authorization rule for a websocket message.
+ element intercept-message {intercept-message.attrlist}
-message-interceptor.attrlist &=
+intercept-message.attrlist &=
## The destination ant pattern which will be mapped to the access attribute. For example, /** matches any message with a destination, /admin/** matches any message that has a destination that starts with admin.
attribute pattern {xsd:token}?
-message-interceptor.attrlist &=
+intercept-message.attrlist &=
## The access configuration attributes that apply for the configured message. For example, permitAll grants access to anyone, hasRole('ROLE_ADMIN') requires the user have the role 'ROLE_ADMIN'.
attribute access {xsd:token}?
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd
index e0a8e79fde..22988b0743 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd
@@ -839,7 +839,7 @@
-
+
Allows securing a Message Broker. There are two modes. If no id is specified: ensures that
any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver
@@ -852,12 +852,12 @@
-
+
-
+
-
+
A bean identifier, used for referring to the bean elsewhere in the context. If specified,
@@ -871,16 +871,16 @@
-
+
- Creates an authorization rule for a message.
+ Creates an authorization rule for a websocket message.
-
+
-
+
The destination ant pattern which will be mapped to the access attribute. For example, /**
diff --git a/config/src/test/groovy/org/springframework/security/config/doc/XsdDocumentedTests.groovy b/config/src/test/groovy/org/springframework/security/config/doc/XsdDocumentedTests.groovy
index cb5171566a..c0c8f70c64 100644
--- a/config/src/test/groovy/org/springframework/security/config/doc/XsdDocumentedTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/doc/XsdDocumentedTests.groovy
@@ -29,7 +29,7 @@ import spock.lang.*
*/
class XsdDocumentedTests extends Specification {
- def ignoredIds = ['nsa-any-user-service','nsa-any-user-service-parents','nsa-authentication','nsa-message-security','nsa-ldap','nsa-method-security','nsa-web']
+ def ignoredIds = ['nsa-any-user-service','nsa-any-user-service-parents','nsa-authentication','nsa-websocket-security','nsa-ldap','nsa-method-security','nsa-web']
@Shared def reference = new File('../docs/manual/src/docs/asciidoc/index.adoc')
@Shared File schema31xDocument = new File('src/main/resources/org/springframework/security/config/spring-security-3.1.xsd')
diff --git a/config/src/test/groovy/org/springframework/security/config/message/MessagesConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.groovy
similarity index 87%
rename from config/src/test/groovy/org/springframework/security/config/message/MessagesConfigTests.groovy
rename to config/src/test/groovy/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.groovy
index 991c01457b..f29808ffe9 100644
--- a/config/src/test/groovy/org/springframework/security/config/message/MessagesConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.groovy
@@ -1,4 +1,4 @@
-package org.springframework.security.config.message
+package org.springframework.security.config.websocket
import org.springframework.beans.BeansException
import org.springframework.beans.factory.config.BeanDefinition
@@ -47,7 +47,7 @@ import org.springframework.security.core.context.SecurityContextHolder
*
* @author Rob Winch
*/
-class MessagesConfigTests extends AbstractXmlConfigTests {
+class WebSocketMessageBrokerConfigTests extends AbstractXmlConfigTests {
Authentication messageUser = new TestingAuthenticationToken('user','pass','ROLE_USER')
boolean useSockJS = false
@@ -55,11 +55,11 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
SecurityContextHolder.clearContext()
}
- def 'messages with no id automatically integrates with clientInboundChannel'() {
+ def 'websocket with no id automatically integrates with clientInboundChannel'() {
setup:
- messages {
- 'message-interceptor'(pattern:'/permitAll',access:'permitAll')
- 'message-interceptor'(pattern:'/denyAll',access:'denyAll')
+ websocket {
+ 'intercept-message'(pattern:'/permitAll',access:'permitAll')
+ 'intercept-message'(pattern:'/denyAll',access:'denyAll')
}
@@ -76,9 +76,9 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
def 'anonymous authentication supported'() {
setup:
- messages {
- 'message-interceptor'(pattern:'/permitAll',access:'permitAll')
- 'message-interceptor'(pattern:'/denyAll',access:'denyAll')
+ websocket {
+ 'intercept-message'(pattern:'/permitAll',access:'permitAll')
+ 'intercept-message'(pattern:'/denyAll',access:'denyAll')
}
messageUser = null
@@ -94,8 +94,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
def id = 'authenticationController'
bean(id,MyController)
bean('inPostProcessor',InboundExecutorPostProcessor)
- messages {
- 'message-interceptor'(pattern:'/**',access:'permitAll')
+ websocket {
+ 'intercept-message'(pattern:'/**',access:'permitAll')
}
when: 'message is sent to the authentication endpoint'
@@ -111,8 +111,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
def id = 'authenticationController'
bean(id,MyController)
bean('inPostProcessor',InboundExecutorPostProcessor)
- messages {
- 'message-interceptor'(pattern:'/**',access:'permitAll')
+ websocket {
+ 'intercept-message'(pattern:'/**',access:'permitAll')
}
SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT)
@@ -142,8 +142,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
def id = 'authenticationController'
bean(id,MyController)
bean('inPostProcessor',InboundExecutorPostProcessor)
- messages {
- 'message-interceptor'(pattern:'/**',access:'permitAll')
+ websocket {
+ 'intercept-message'(pattern:'/**',access:'permitAll')
}
SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT)
@@ -175,11 +175,11 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
def id = 'authenticationController'
bean(id,MyController)
bean('inPostProcessor',InboundExecutorPostProcessor)
- messages {
- 'message-interceptor'(pattern:'/**',access:'permitAll')
+ websocket {
+ 'intercept-message'(pattern:'/**',access:'permitAll')
}
- when: 'message of type CONNECTION is sent without CsrfTOken'
+ when: 'websocket of type CONNECTION is sent without CsrfTOken'
SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT)
Message message = message(headers,'/authentication')
clientInboundChannel.send(message)
@@ -189,7 +189,7 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
expected.cause instanceof MissingCsrfTokenException
}
- def 'messages with no id does not override customArgumentResolvers'() {
+ def 'websocket with no id does not override customArgumentResolvers'() {
setup:
def id = 'authenticationController'
bean(id,MyController)
@@ -205,11 +205,11 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
'b:ref'(bean:'mcar')
}
}
- messages {
- 'message-interceptor'(pattern:'/**',access:'permitAll')
+ websocket {
+ 'intercept-message'(pattern:'/**',access:'permitAll')
}
- when: 'message is sent to the myCustom endpoint'
+ when: 'websocket is sent to the myCustom endpoint'
clientInboundChannel.send(message('/myCustom'))
then: 'myCustomArgument is resolved'
@@ -217,10 +217,10 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
controller.myCustomArgument!= null
}
- def 'messages with id does not integrate with clientInboundChannel'() {
+ def 'websocket with id does not integrate with clientInboundChannel'() {
setup:
- messages([id:'inCsi']) {
- 'message-interceptor'(pattern:'/**',access:'denyAll')
+ websocket([id:'inCsi']) {
+ 'intercept-message'(pattern:'/**',access:'denyAll')
}
when:
@@ -231,8 +231,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
}
- def 'messages with id can be explicitly integrated with clientInboundChannel'() {
- setup: 'message security explicitly setup'
+ def 'websocket with id can be explicitly integrated with clientInboundChannel'() {
+ setup: 'websocket security explicitly setup'
xml.'websocket:message-broker' {
'websocket:transport' {}
'websocket:stomp-endpoint'(path:'/app') {
@@ -246,8 +246,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
}
}
}
- xml.messages(id:'inCsi') {
- 'message-interceptor'(pattern:'/**',access:'denyAll')
+ xml.'websocket-message-broker'(id:'inCsi') {
+ 'intercept-message'(pattern:'/**',access:'denyAll')
}
createAppContext()
@@ -276,9 +276,9 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
}
}
}
- xml.messages {
- 'message-interceptor'(pattern:'/denyAll',access:'denyAll')
- 'message-interceptor'(pattern:'/permitAll',access:'permitAll')
+ xml.'websocket-message-broker' {
+ 'intercept-message'(pattern:'/denyAll',access:'denyAll')
+ 'intercept-message'(pattern:'/permitAll',access:'permitAll')
}
createAppContext()
ChannelInterceptor mci = appContext.getBean('mci')
@@ -291,7 +291,7 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
}
- def messages(Map attrs=[:], Closure c) {
+ def websocket(Map attrs=[:], Closure c) {
bean('testHandler', TestHandshakeHandler)
xml.'websocket:message-broker' {
'websocket:transport' {}
@@ -306,7 +306,7 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
}
'websocket:simple-broker'(prefix:"/queue, /topic"){}
}
- xml.messages(attrs, c)
+ xml.'websocket-message-broker'(attrs, c)
createAppContext()
}
diff --git a/config/src/test/java/org/springframework/security/config/SecurityNamespaceHandlerTests.java b/config/src/test/java/org/springframework/security/config/SecurityNamespaceHandlerTests.java
index e9da3c1d66..6dbddd7f51 100644
--- a/config/src/test/java/org/springframework/security/config/SecurityNamespaceHandlerTests.java
+++ b/config/src/test/java/org/springframework/security/config/SecurityNamespaceHandlerTests.java
@@ -127,12 +127,12 @@ public class SecurityNamespaceHandlerTests {
@Test
- public void messageNotFoundExceptionNoMessageBlock() throws Exception {
+ public void websocketNotFoundExceptionNoMessageBlock() throws Exception {
String className = FILTER_CHAIN_PROXY_CLASSNAME;
spy(ClassUtils.class);
doThrow(new ClassNotFoundException(className)).when(ClassUtils.class,"forName",eq(Message.class.getName()),any(ClassLoader.class));
new InMemoryXmlApplicationContext(
XML_AUTHENTICATION_MANAGER);
- // should load just fine since no message block
+ // should load just fine since no websocket block
}
}
diff --git a/docs/manual/src/docs/asciidoc/index.adoc b/docs/manual/src/docs/asciidoc/index.adoc
index 7e5b8306cb..f2634f2f83 100644
--- a/docs/manual/src/docs/asciidoc/index.adoc
+++ b/docs/manual/src/docs/asciidoc/index.adoc
@@ -7790,15 +7790,15 @@ Enables the use of expressions in the 'access' attributes in ele
* <>
-[[nsa-message-security]]
-=== Message/WebSocket Security
+[[nsa-websocket-security]]
+=== WebSocket Security
Spring Security 4.0+ provides support for authorizing messages. One concrete example of where this is useful is to provide authorization in WebSocket based applications.
-[[nsa-messages]]
-====
+[[nsa-websocket-message-broker]]
+====
-The messages attribute has two different modes. If the <> is not specified, then it will do the following things:
+The websocket-message-broker element has two different modes. If the <> is not specified, then it will do the following things:
* Ensure that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver. This allows the use of `@AuthenticationPrincipal` to resolve the principal of the current `Authentication`
* Ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel. This populates the SecurityContextHolder with the user that is found in the Message
@@ -7809,38 +7809,38 @@ The messages attribute has two different modes. If the <> is no
If additional control is necessary, the id can be specified and a ChannelSecurityInterceptor will be assigned to the specified id. All the wiring with Spring's messaging infrastructure can then be done manually. This is more cumbersome, but provides greater control over the configuration.
-[[nsa-messages-attributes]]
-===== Attributes
+[[nsa-websocket-message-broker-attributes]]
+===== Attributes
-[[nsa-messages-id]]
-* **id** A bean identifier, used for referring to the ChannelSecurityInterceptor bean elsewhere in the context. If specified, Spring Security requires explicit configuration within Spring Messaging. If not specified, Spring Security will automatically integrate with the messaging infrastructure as described in <>
+[[nsa-websocket-message-broker-id]]
+* **id** A bean identifier, used for referring to the ChannelSecurityInterceptor bean elsewhere in the context. If specified, Spring Security requires explicit configuration within Spring Messaging. If not specified, Spring Security will automatically integrate with the messaging infrastructure as described in <>
-[[nsa-messages-children]]
-===== Child Elements of
+[[nsa-websocket-message-broker-children]]
+===== Child Elements of
-* <>
+* <>
-[[nsa-message-interceptor]]
-====
+[[nsa-intercept-message]]
+====
Defines an authorization rule for a message.
-[[nsa-message-interceptor-parents]]
-===== Parent Elements of
+[[nsa-intercept-message-parents]]
+===== Parent Elements of
-* <>
+* <>
-[[nsa-message-interceptor-attributes]]
-===== Attributes
+[[nsa-intercept-message-attributes]]
+===== Attributes
-[[nsa-message-interceptor-pattern]]
+[[nsa-intercept-message-pattern]]
* **pattern** An ant based pattern that matches on the Message destination. For example, "/**" matches any Message with a destination; "/admin/**" matches any Message that has a destination that starts with "/admin/**".
-[[nsa-message-interceptor-access]]
+[[nsa-intercept-message-access]]
* **access** The expression used to secure the Message. For example, "denyAll" will deny access to all of the matching Messages; "permitAll" will grant access to all of the matching Messages; "hasRole('ADMIN') requires the current user to have the role 'ROLE_ADMIN' for the matching Messages.
[[nsa-authentication]]
diff --git a/messaging/src/test/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptorTests.java b/messaging/src/test/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptorTests.java
index 01973d43fa..61218aff27 100644
--- a/messaging/src/test/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptorTests.java
+++ b/messaging/src/test/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptorTests.java
@@ -197,7 +197,7 @@ public class SecurityContextChannelInterceptorTests {
}
/**
- * If a user sends a message when processing another message
+ * If a user sends a websocket when processing another websocket
*
* @throws Exception
*/
@@ -213,7 +213,7 @@ public class SecurityContextChannelInterceptorTests {
assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(authentication);
- // start send message
+ // start send websocket
messageBuilder.setHeader(SimpMessageHeaderAccessor.USER_HEADER, null);
interceptor.beforeHandle(messageBuilder.build(), channel, handler);
@@ -222,7 +222,7 @@ public class SecurityContextChannelInterceptorTests {
interceptor.afterMessageHandled(messageBuilder.build(), channel, handler, null);
assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(authentication);
- // end send message
+ // end send websocket
interceptor.afterMessageHandled(messageBuilder.build(), channel, handler, null);