1 сар өмнө · 4f5b17334e
--- a/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
@@ -301,6 +301,8 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 
				 
			
 
				 		private static final String CLIENT_INBOUND_CHANNEL_BEAN_ID = "clientInboundChannel";
			
 
				 
			
 
				+		private static final String CSRF_CHANNEL_INTERCEPTOR_BEAN_ID = "csrfChannelInterceptor";
			
 
				+
			
 
				 		private static final String INTERCEPTORS_PROP = "interceptors";
			
 
				 
			
 
				 		private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers";
			
@@ -356,7 +358,12 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 
				 			ManagedList<Object> interceptors = new ManagedList();
			
 
				 			interceptors.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class));
			
 
				 			if (!this.sameOriginDisabled) {
			
 
				-				interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
			
 
				+				if (!registry.containsBeanDefinition(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID)) {
			
 
				+					interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
			
 
				+				}
			
 
				+				else {
			
 
				+					interceptors.add(new RuntimeBeanReference(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID));
			
 
				+				}
			
 
				 			}
			
 
				 			interceptors.add(registry.getBeanDefinition(this.inboundSecurityInterceptorId));
			
 
				 			BeanDefinition inboundChannel = registry.getBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID);
			
--- a/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java
@@ -44,6 +44,7 @@ import org.springframework.messaging.handler.invocation.HandlerMethodArgumentRes
 
				 import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
			
 
				 import org.springframework.messaging.simp.SimpMessageType;
			
 
				 import org.springframework.messaging.support.ChannelInterceptor;
			
 
				+import org.springframework.messaging.support.ExecutorSubscribableChannel;
			
 
				 import org.springframework.messaging.support.GenericMessage;
			
 
				 import org.springframework.security.access.AccessDeniedException;
			
 
				 import org.springframework.security.access.expression.SecurityExpressionOperations;
			
@@ -496,6 +497,16 @@ public class WebSocketMessageBrokerConfigTests {
 
				 		verify(authorizationManager).check(any(), any());
			
 
				 	}
			
 
				 
			
 
				+	@Test
			
 
				+	public void configureWhenCsrfChannelInterceptorBeanThenUses() {
			
 
				+		this.spring.configLocations(xml("CustomCsrfInterceptor")).autowire();
			
 
				+		ExecutorSubscribableChannel channel = this.spring.getContext()
			
 
				+			.getBean("clientInboundChannel", ExecutorSubscribableChannel.class);
			
 
				+		ChannelInterceptor interceptor = this.spring.getContext()
			
 
				+			.getBean("csrfChannelInterceptor", ChannelInterceptor.class);
			
 
				+		assertThat(channel.getInterceptors()).contains(interceptor);
			
 
				+	}
			
 
				+
			
 
				 	private String xml(String configName) {
			
 
				 		return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
			
 
				 	}
			
--- a/config/src/test/resources/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests-CustomCsrfInterceptor.xml
+++ b/config/src/test/resources/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests-CustomCsrfInterceptor.xml
@@ -0,0 +1,34 @@
 
				+<?xml version="1.0" encoding="UTF-8"?>
			
 
				+<!--
			
 
				+  ~ Copyright 2002-2018 the original author or authors.
			
 
				+  ~
			
 
				+  ~ Licensed under the Apache License, Version 2.0 (the "License");
			
 
				+  ~ you may not use this file except in compliance with the License.
			
 
				+  ~ You may obtain a copy of the License at
			
 
				+  ~
			
 
				+  ~      https://www.apache.org/licenses/LICENSE-2.0
			
 
				+  ~
			
 
				+  ~ Unless required by applicable law or agreed to in writing, software
			
 
				+  ~ distributed under the License is distributed on an "AS IS" BASIS,
			
 
				+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			
 
				+  ~ See the License for the specific language governing permissions and
			
 
				+  ~ limitations under the License.
			
 
				+  -->
			
 
				+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
			
 
				+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
			
 
				+		 xmlns="http://www.springframework.org/schema/security"
			
 
				+		 xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
			
 
				+		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
			
 
				+
			
 
				+	<b:import resource="classpath:org/springframework/security/config/websocket/controllers.xml"/>
			
 
				+	<b:import resource="classpath:org/springframework/security/config/websocket/websocket.xml"/>
			
 
				+
			
 
				+	<b:bean id="csrfChannelInterceptor" class="org.mockito.Mockito" factory-method="mock">
			
 
				+		<b:constructor-arg value="org.springframework.messaging.support.ChannelInterceptor"  type="java.lang.Class"/>
			
 
				+	</b:bean>
			
 
				+
			
 
				+	<websocket-message-broker use-authorization-manager="false">
			
 
				+		<intercept-message pattern="/**" access="denyNile()"/>
			
 
				+	</websocket-message-broker>
			
 
				+
			
 
				+</b:beans>