spring-projects
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/messaging/MessageSecurityMetadataSourceRegistry.java
+4-1 b/‎config/src/main/java/org/springframework/security/config/annotation/web/messaging/MessageSecurityMetadataSourceRegistry.java
+4-1
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java
+4-1 b/‎config/src/main/java/org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java
+4-1
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/socket/EnableWebSocketSecurity.java
+58 b/‎config/src/main/java/org/springframework/security/config/annotation/web/socket/EnableWebSocketSecurity.java
+58
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/socket/MessageMatcherAuthorizationManagerConfiguration.java
+38 b/‎config/src/main/java/org/springframework/security/config/annotation/web/socket/MessageMatcherAuthorizationManagerConfiguration.java
+38
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/socket/WebSocketMessageBrokerSecurityConfiguration.java
+145 b/‎config/src/main/java/org/springframework/security/config/annotation/web/socket/WebSocketMessageBrokerSecurityConfiguration.java
+145
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@
 import org.springframework.security.config.annotation.web.configurers.RememberMeConfigurer;
 import org.springframework.security.messaging.access.expression.DefaultMessageSecurityExpressionHandler;
 import org.springframework.security.messaging.access.expression.ExpressionBasedMessageSecurityMetadataSourceFactory;
+import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
 import org.springframework.security.messaging.access.intercept.MessageSecurityMetadataSource;
 import org.springframework.security.messaging.util.matcher.MessageMatcher;
 import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
@@ -43,7 +44,9 @@
  *
  * @author Rob Winch
  * @since 4.0
+ * @deprecated Use {@link MessageMatcherDelegatingAuthorizationManager} instead
  */
+@Deprecated
 public class MessageSecurityMetadataSourceRegistry {
 
 	private static final String permitAll = "permitAll";
 
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,9 +81,12 @@
  *
  * @author Rob Winch
  * @since 4.0
+ * @see WebSocketMessageBrokerSecurityConfiguration
+ * @deprecated Use {@link EnableWebSocketSecurity} instead
  */
 @Order(Ordered.HIGHEST_PRECEDENCE + 100)
 @Import(ObjectPostProcessorConfiguration.class)
+@Deprecated
 public abstract class AbstractSecurityWebSocketMessageBrokerConfigurer
 		implements WebSocketMessageBrokerConfigurer, SmartInitializingSingleton {
 
 
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.socket;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.Import;
+
+/**
+ * Allows configuring WebSocket Authorization.
+ *
+ * <p>
+ * For example:
+ * </p>
+ *
+ * <pre>
+ * &#064;Configuration
+ * &#064;EnableWebSocketSecurity
+ * public class WebSocketSecurityConfig {
+ *
+ * 	&#064;Bean
+ * 	AuthorizationManager&lt;Message&lt;?&gt;&gt; (MessageMatcherDelegatingAuthorizationManager.Builder messages) {
+ * 		messages.simpDestMatchers(&quot;/user/queue/errors&quot;).permitAll()
+ * 				.simpDestMatchers(&quot;/admin/**&quot;).hasRole(&quot;ADMIN&quot;)
+ * 				.anyMessage().authenticated();
+ *		return messages.build();
+ * 	}
+ * }
+ * </pre>
+ *
+ * @author Josh Cummings
+ * @since 5.8
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+@Documented
+@Import(WebSocketMessageBrokerSecurityConfiguration.class)
+public @interface EnableWebSocketSecurity {
+
+}
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.socket;
+
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Scope;
+import org.springframework.messaging.simp.annotation.support.SimpAnnotationMethodMessageHandler;
+import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
+import org.springframework.util.AntPathMatcher;
+
+final class MessageMatcherAuthorizationManagerConfiguration {
+
+	@Bean
+	@Scope("prototype")
+	MessageMatcherDelegatingAuthorizationManager.Builder messageAuthorizationManagerBuilder(
+			ApplicationContext context) {
+		return MessageMatcherDelegatingAuthorizationManager.builder().simpDestPathMatcher(
+				() -> (context.getBeanNamesForType(SimpAnnotationMethodMessageHandler.class).length > 0)
+						? context.getBean(SimpAnnotationMethodMessageHandler.class).getPathMatcher()
+						: new AntPathMatcher());
+	}
+
+}
@@ -0,0 +1,145 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.socket;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.beans.factory.SmartInitializingSingleton;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Import;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.messaging.Message;
+import org.springframework.messaging.handler.invocation.HandlerMethodArgumentResolver;
+import org.springframework.messaging.simp.config.ChannelRegistration;
+import org.springframework.messaging.support.ChannelInterceptor;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.authorization.SpringAuthorizationEventPublisher;
+import org.springframework.security.messaging.access.intercept.AuthorizationChannelInterceptor;
+import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
+import org.springframework.security.messaging.context.AuthenticationPrincipalArgumentResolver;
+import org.springframework.security.messaging.context.SecurityContextChannelInterceptor;
+import org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor;
+import org.springframework.security.messaging.web.socket.server.CsrfTokenHandshakeInterceptor;
+import org.springframework.util.Assert;
+import org.springframework.web.servlet.handler.SimpleUrlHandlerMapping;
+import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;
+import org.springframework.web.socket.server.HandshakeInterceptor;
+import org.springframework.web.socket.server.support.WebSocketHttpRequestHandler;
+import org.springframework.web.socket.sockjs.SockJsService;
+import org.springframework.web.socket.sockjs.support.SockJsHttpRequestHandler;
+import org.springframework.web.socket.sockjs.transport.TransportHandlingSockJsService;
+
+@Order(Ordered.HIGHEST_PRECEDENCE + 100)
+@Import(MessageMatcherAuthorizationManagerConfiguration.class)
+final class WebSocketMessageBrokerSecurityConfiguration
+		implements WebSocketMessageBrokerConfigurer, SmartInitializingSingleton {
+
+	private static final String SIMPLE_URL_HANDLER_MAPPING_BEAN_NAME = "stompWebSocketHandlerMapping";
+
+	private MessageMatcherDelegatingAuthorizationManager b;
+
+	private static final AuthorizationManager<Message<?>> ANY_MESSAGE_AUTHENTICATED = MessageMatcherDelegatingAuthorizationManager
+			.builder().anyMessage().authenticated().build();
+
+	private final ChannelInterceptor securityContextChannelInterceptor = new SecurityContextChannelInterceptor();
+
+	private final ChannelInterceptor csrfChannelInterceptor = new CsrfChannelInterceptor();
+
+	private AuthorizationChannelInterceptor authorizationChannelInterceptor = new AuthorizationChannelInterceptor(
+			ANY_MESSAGE_AUTHENTICATED);
+
+	private ApplicationContext context;
+
+	WebSocketMessageBrokerSecurityConfiguration(ApplicationContext context) {
+		this.context = context;
+	}
+
+	@Override
+	public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentResolvers) {
+		argumentResolvers.add(new AuthenticationPrincipalArgumentResolver());
+	}
+
+	@Override
+	public void configureClientInboundChannel(ChannelRegistration registration) {
+		this.authorizationChannelInterceptor
+				.setAuthorizationEventPublisher(new SpringAuthorizationEventPublisher(this.context));
+		registration.interceptors(this.securityContextChannelInterceptor, this.csrfChannelInterceptor,
+				this.authorizationChannelInterceptor);
+	}
+
+	@Autowired(required = false)
+	void setAuthorizationManager(AuthorizationManager<Message<?>> authorizationManager) {
+		this.authorizationChannelInterceptor = new AuthorizationChannelInterceptor(authorizationManager);
+	}
+
+	@Override
+	public void afterSingletonsInstantiated() {
+		SimpleUrlHandlerMapping mapping = getBeanOrNull(SIMPLE_URL_HANDLER_MAPPING_BEAN_NAME,
+				SimpleUrlHandlerMapping.class);
+		if (mapping == null) {
+			return;
+		}
+		configureCsrf(mapping);
+	}
+
+	private <T> T getBeanOrNull(String name, Class<T> type) {
+		Map<String, T> beans = this.context.getBeansOfType(type);
+		return beans.get(name);
+	}
+
+	private void configureCsrf(SimpleUrlHandlerMapping mapping) {
+		Map<String, Object> mappings = mapping.getHandlerMap();
+		for (Object object : mappings.values()) {
+			if (object instanceof SockJsHttpRequestHandler) {
+				setHandshakeInterceptors((SockJsHttpRequestHandler) object);
+			}
+			else if (object instanceof WebSocketHttpRequestHandler) {
+				setHandshakeInterceptors((WebSocketHttpRequestHandler) object);
+			}
+			else {
+				throw new IllegalStateException(
+						"Bean " + SIMPLE_URL_HANDLER_MAPPING_BEAN_NAME + " is expected to contain mappings to either a "
+								+ "SockJsHttpRequestHandler or a WebSocketHttpRequestHandler but got " + object);
+			}
+		}
+	}
+
+	private void setHandshakeInterceptors(SockJsHttpRequestHandler handler) {
+		SockJsService sockJsService = handler.getSockJsService();
+		Assert.state(sockJsService instanceof TransportHandlingSockJsService,
+				() -> "sockJsService must be instance of TransportHandlingSockJsService got " + sockJsService);
+		TransportHandlingSockJsService transportHandlingSockJsService = (TransportHandlingSockJsService) sockJsService;
+		List<HandshakeInterceptor> handshakeInterceptors = transportHandlingSockJsService.getHandshakeInterceptors();
+		List<HandshakeInterceptor> interceptorsToSet = new ArrayList<>(handshakeInterceptors.size() + 1);
+		interceptorsToSet.add(new CsrfTokenHandshakeInterceptor());
+		interceptorsToSet.addAll(handshakeInterceptors);
+		transportHandlingSockJsService.setHandshakeInterceptors(interceptorsToSet);
+	}
+
+	private void setHandshakeInterceptors(WebSocketHttpRequestHandler handler) {
+		List<HandshakeInterceptor> handshakeInterceptors = handler.getHandshakeInterceptors();
+		List<HandshakeInterceptor> interceptorsToSet = new ArrayList<>(handshakeInterceptors.size() + 1);
+		interceptorsToSet.add(new CsrfTokenHandshakeInterceptor());
+		interceptorsToSet.addAll(handshakeInterceptors);
+		handler.setHandshakeInterceptors(interceptorsToSet);
+	}
+
+}