Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Add section for migrating WebSocket support

Issue gh-12378
Steve Riesenberg 2 years ago
parent
c306df9b46
commit
33e72b35f9
1 changed files with 62 additions and 0 deletions
Split View Show Diff Stats
  1. 62 0
      docs/modules/ROOT/pages/migration/servlet/exploits.adoc

+ 62 - 0
docs/modules/ROOT/pages/migration/servlet/exploits.adoc
View File 

@@ -243,3 +243,65 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
 
 ==== I need to opt out of CSRF BREACH protection for another reason
 
 
 If CSRF BREACH protection does not work for you for another reason, you can opt out using the configuration from the <<servlet-opt-in-defer-loading-csrf-token>> section.
 
+
 
+== CSRF BREACH with WebSocket support
 
+
 
+If the steps for <<Protect against CSRF BREACH>> work for normal HTTP requests and you are using xref:servlet/integrations/websocket.adoc[WebSocket Security] support, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` with xref:servlet/integrations/websocket.adoc#websocket-sameorigin-csrf[Stomp headers].
 
+
 
+.WebSocket Security BREACH Protection
 
+====
 
+.Java
 
+[source,java,role="primary"]
 
+----
 
+@Bean
 
+ChannelInterceptor csrfChannelInterceptor() {
 
+	return new XorCsrfChannelInterceptor();
 
+}
 
+----
 
+
 
+.Kotlin
 
+[source,kotlin,role="secondary"]
 
+----
 
+@Bean
 
+open fun csrfChannelInterceptor(): ChannelInterceptor {
 
+	return XorCsrfChannelInterceptor()
 
+}
 
+----
 
+
 
+.XML
 
+[source,xml,role="secondary"]
 
+----
 
+<b:bean id="csrfChannelInterceptor"
 
+	class="org.springframework.security.messaging.web.csrf.XorCsrfChannelInterceptor"/>
 
+----
 
+====
 
+
 
+If configuring CSRF BREACH protection for WebSocket Security gives you trouble, you can configure the 5.8 default using the following configuration:
 
+
 
+.Configure WebSocket Security with 5.8 default
 
+====
 
+.Java
 
+[source,java,role="primary"]
 
+----
 
+@Bean
 
+ChannelInterceptor csrfChannelInterceptor() {
 
+	return new CsrfChannelInterceptor();
 
+}
 
+----
 
+
 
+.Kotlin
 
+[source,kotlin,role="secondary"]
 
+----
 
+@Bean
 
+open fun csrfChannelInterceptor(): ChannelInterceptor {
 
+	return CsrfChannelInterceptor()
 
+}
 
+----
 
+
 
+.XML
 
+[source,xml,role="secondary"]
 
+----
 
+<b:bean id="csrfChannelInterceptor"
 
+	class="org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor"/>
 
+----
 
+====