
Commit 8e7101d

committed
Default to XorCsrfChannelInterceptor in XML configuration
Change WebSocketMessageBrokerSecurityBeanDefinitionParser to use XorCsrfChannelInterceptor by default, so WebSocket XML configuration matches the default Xor-based configuration already in WebSocketMessageBrokerSecurityConfiguration. Issue gh-17260 Signed-off-by: Matt Magoffin <[email protected]>
1 parent d8043dc commit 8e7101d


2 files changed

+12
-4
lines changed


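--- a/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
@@ -70,7 +70,7 @@
 import org.springframework.security.messaging.util.matcher.MessageMatcher;
 import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
 import org.springframework.security.messaging.util.matcher.SimpMessageTypeMatcher;
-import org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor;
+import org.springframework.security.messaging.web.csrf.XorCsrfChannelInterceptor;
 import org.springframework.security.messaging.web.socket.server.CsrfTokenHandshakeInterceptor;
 import org.springframework.util.AntPathMatcher;
 import org.springframework.util.Assert;
@@ -365,7 +365,7 @@ else if (CSRF_HANDSHAKE_HANDLER_CLASSES.contains(beanClassName)) {
 ManagedList<Object> interceptors = new ManagedList();
 interceptors.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class));
 if (!this.sameOriginDisabled) {
-interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
+interceptors.add(new RootBeanDefinition(XorCsrfChannelInterceptor.class));
 }
 interceptors.add(registry.getBeanDefinition(this.inboundSecurityInterceptorId));
 BeanDefinition inboundChannel = registry.getBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID);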

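--- a/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java
@@ -20,6 +20,7 @@
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
+import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.function.Supplier;
@@ -97,6 +98,13 @@ public class WebSocketMessageBrokerConfigTests {
 
 private static final String CONFIG_LOCATION_PREFIX = "classpath:org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests";
 
+/*
+ * Token format: "token" length random pad bytes + "token" (each byte UTF8 ^= 1).
+ */
+private static final byte[] XOR_CSRF_TOKEN_BYTES = new byte[] { 1, 1, 1, 1, 1, 117, 110, 106, 100, 111 };
+
+private static final String XOR_CSRF_TOKEN_VALUE = Base64.getEncoder().encodeToString(XOR_CSRF_TOKEN_BYTES);
+
 public final SpringTestContext spring = new SpringTestContext(this);
 
 @Autowired(required = false)
@@ -125,7 +133,7 @@ public void sendWhenNoIdSpecifiedThenIntegratesWithClientInboundChannel() {
 public void sendWhenAnonymousMessageWithConnectMessageTypeThenPermitted() {
 this.spring.configLocations(xml("NoIdConfig")).autowire();
 SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT);
-headers.setNativeHeader(this.token.getHeaderName(), this.token.getToken());
+headers.setNativeHeader(this.token.getHeaderName(), XOR_CSRF_TOKEN_VALUE);
 this.clientInboundChannel.send(message("/permitAll", headers));
 }
 
@@ -197,7 +205,7 @@ public void sendWhenNoIdSpecifiedThenIntegratesWithAuthorizationManager() {
 public void sendWhenAnonymousMessageWithConnectMessageTypeThenAuthorizationManagerPermits() {
 this.spring.configLocations(xml("NoIdAuthorizationManager")).autowire();
 SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT);
-headers.setNativeHeader(this.token.getHeaderName(), this.token.getToken());
+headers.setNativeHeader(this.token.getHeaderName(), XOR_CSRF_TOKEN_VALUE);
 this.clientInboundChannel.send(message("/permitAll", headers));
 }
 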
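Review bot: The comment above `XOR_CSRF_TOKEN_BYTES` says "random pad bytes", but the constant uses a fixed pad of five `1` bytes; that is fine for a deterministic test, but the comment should say so, e.g. `/* Xor-encoded form of the CSRF token "token": five fixed pad bytes (all 1) followed by "token" with each byte XORed against its pad byte. */`. The constant also hard-codes the assumption that `this.token.getToken()` is `"token"`, a value the two changed `setNativeHeader` calls previously read from the fixture; if the fixture token ever changes, these tests fail for the wrong reason. A small helper that XOR-encodes `this.token.getToken()` against a fixed pad at runtime would keep them in sync; the fixture's definition is outside this hunk, so I cannot confirm its value.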