SEC-2853: Rename WebSocket XML Namespace elements

config/src/main/java/org/springframework/security/config/Elements.java

@@ -55,6 +55,6 @@ public abstract class Elements {
     public static final String HEADERS = "headers";
     public static final String CSRF = "csrf";
 
-    public static final String MESSAGES = "messages";
-    public static final String INTERCEPT_MESSAGE = "message-interceptor";
+    public static final String WEBSOCKET_MESSAGE_BROKER = "websocket-message-broker";
+    public static final String INTERCEPT_MESSAGE = "intercept-message";
 }

config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java

@@ -38,10 +38,10 @@ import org.springframework.security.config.http.HttpSecurityBeanDefinitionParser
 import org.springframework.security.config.ldap.LdapProviderBeanDefinitionParser;
 import org.springframework.security.config.ldap.LdapServerBeanDefinitionParser;
 import org.springframework.security.config.ldap.LdapUserServiceBeanDefinitionParser;
-import org.springframework.security.config.message.MessageSecurityBeanDefinitionParser;
 import org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser;
 import org.springframework.security.config.method.InterceptMethodsBeanDefinitionDecorator;
 import org.springframework.security.config.method.MethodSecurityMetadataSourceBeanDefinitionParser;
+import org.springframework.security.config.websocket.WebSocketMessageBrokerSecurityBeanDefinitionParser;
 import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.util.ClassUtils;
 import org.w3c.dom.Element;
@@ -179,7 +179,7 @@ public final class SecurityNamespaceHandler implements NamespaceHandler {
         }
 
         if(ClassUtils.isPresent(MESSAGE_CLASSNAME, getClass().getClassLoader())) {
-            parsers.put(Elements.MESSAGES, new MessageSecurityBeanDefinitionParser());
+            parsers.put(Elements.WEBSOCKET_MESSAGE_BROKER, new WebSocketMessageBrokerSecurityBeanDefinitionParser());
         }
     }
 

config/src/main/java/org/springframework/security/config/message/MessageSecurityBeanDefinitionParser.java → config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.config.message;
+package org.springframework.security.config.websocket;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -42,13 +42,13 @@ import org.w3c.dom.Element;
 import java.util.List;
 
 /**
- * Parses Spring Security's message namespace support. A simple example is:
+ * Parses Spring Security's websocket namespace support. A simple example is:
  *
  * <code>
- * &lt;messages&gt;
- *     &lt;message-interceptor pattern='/permitAll' access='permitAll' /&gt;
- *     &lt;message-interceptor pattern='/denyAll' access='denyAll' /&gt;
- * &lt;/messages&gt;
+ * &lt;websocket-message-broker&gt;
+ *     &lt;intercept-message pattern='/permitAll' access='permitAll' /&gt;
+ *     &lt;intercept-message pattern='/denyAll' access='denyAll' /&gt;
+ * &lt;/websocket-message-broker&gt;
  * </code>
  *
  * <p>
@@ -63,10 +63,10 @@ import java.util.List;
  * </p>
  *
  * <code>
- * &lt;messages id="channelSecurityInterceptor"&gt;
- *     &lt;message-interceptor pattern='/permitAll' access='permitAll' /&gt;
- *     &lt;message-interceptor pattern='/denyAll' access='denyAll' /&gt;
- * &lt;/messages&gt;
+ * &lt;websocket-message-broker id="channelSecurityInterceptor"&gt;
+ *     &lt;intercept-message pattern='/permitAll' access='permitAll' /&gt;
+ *     &lt;intercept-message pattern='/denyAll' access='denyAll' /&gt;
+ * &lt;/websocket-message-broker&gt;
  * </code>
  *
  * <p>
@@ -78,8 +78,8 @@ import java.util.List;
  * @author Rob Winch
  * @since 4.0
  */
-public final class MessageSecurityBeanDefinitionParser implements BeanDefinitionParser {
-    private static final Log logger = LogFactory.getLog(MessageSecurityBeanDefinitionParser.class);
+public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements BeanDefinitionParser {
+    private static final Log logger = LogFactory.getLog(WebSocketMessageBrokerSecurityBeanDefinitionParser.class);
 
     private static final String ID_ATTR = "id";
 

config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc

@@ -272,22 +272,22 @@ protect-pointcut.attlist &=
     ## Access configuration attributes list that applies to all methods matching the pointcut, e.g. "ROLE_A,ROLE_B"
     attribute access {xsd:token}
 
-messages =
+websocket-message-broker =
     ## Allows securing a Message Broker. There are two modes. If no id is specified: ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver; ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel; and that a ChannelSecurityInterceptor is registered with the clientInboundChannel. If the id is specified, creates a ChannelSecurityInterceptor that can be manually registered with the clientInboundChannel.
-    element messages { messages.attrlist, (message-interceptor*) }
+    element websocket-message-broker { websocket-message-broker.attrlist, (intercept-message*) }
 
-messages.attrlist &=
+websocket-message-broker.attrlist &=
     ## A bean identifier, used for referring to the bean elsewhere in the context. If specified, explicit configuration within clientInboundChannel is required. If not specified, ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver; ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel; and that a ChannelSecurityInterceptor is registered with the clientInboundChannel.
     attribute id {xsd:token}?
 
-message-interceptor =
-    ## Creates an authorization rule for a message.
-    element message-interceptor {message-interceptor.attrlist}
+intercept-message =
+    ## Creates an authorization rule for a websocket message.
+    element intercept-message {intercept-message.attrlist}
 
-message-interceptor.attrlist &=
+intercept-message.attrlist &=
     ## The destination ant pattern which will be mapped to the access attribute. For example, /** matches any message with a destination, /admin/** matches any message that has a destination that starts with admin.
     attribute pattern {xsd:token}?
-message-interceptor.attrlist &=
+intercept-message.attrlist &=
      ## The access configuration attributes that apply for the configured message. For example, permitAll grants access to anyone, hasRole('ROLE_ADMIN') requires the user have the role 'ROLE_ADMIN'.
     attribute access {xsd:token}?
 

config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd

@@ -839,7 +839,7 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  <xs:element name="messages">
+  <xs:element name="websocket-message-broker">
       <xs:annotation>
          <xs:documentation>Allows securing a Message Broker. There are two modes. If no id is specified: ensures that
                 any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver
@@ -852,12 +852,12 @@
       </xs:annotation>
       <xs:complexType>
          <xs:sequence>
-            <xs:element minOccurs="0" maxOccurs="unbounded" ref="security:message-interceptor"/>
+            <xs:element minOccurs="0" maxOccurs="unbounded" ref="security:intercept-message"/>
          </xs:sequence>
-         <xs:attributeGroup ref="security:messages.attrlist"/>
+         <xs:attributeGroup ref="security:websocket-message-broker.attrlist"/>
       </xs:complexType>
    </xs:element>
-  <xs:attributeGroup name="messages.attrlist">
+  <xs:attributeGroup name="websocket-message-broker.attrlist">
       <xs:attribute name="id" type="xs:token">
          <xs:annotation>
             <xs:documentation>A bean identifier, used for referring to the bean elsewhere in the context. If specified,
@@ -871,16 +871,16 @@
          </xs:annotation>
       </xs:attribute>
   </xs:attributeGroup>
-  <xs:element name="message-interceptor">
+  <xs:element name="intercept-message">
       <xs:annotation>
-         <xs:documentation>Creates an authorization rule for a message.
+         <xs:documentation>Creates an authorization rule for a websocket message.
                 </xs:documentation>
       </xs:annotation>
       <xs:complexType>
-         <xs:attributeGroup ref="security:message-interceptor.attrlist"/>
+         <xs:attributeGroup ref="security:intercept-message.attrlist"/>
       </xs:complexType>
    </xs:element>
-  <xs:attributeGroup name="message-interceptor.attrlist">
+  <xs:attributeGroup name="intercept-message.attrlist">
       <xs:attribute name="pattern" type="xs:token">
          <xs:annotation>
             <xs:documentation>The destination ant pattern which will be mapped to the access attribute. For example, /**

config/src/test/groovy/org/springframework/security/config/doc/XsdDocumentedTests.groovy

@@ -29,7 +29,7 @@ import spock.lang.*
  */
 class XsdDocumentedTests extends Specification {
 
-    def ignoredIds = ['nsa-any-user-service','nsa-any-user-service-parents','nsa-authentication','nsa-message-security','nsa-ldap','nsa-method-security','nsa-web']
+    def ignoredIds = ['nsa-any-user-service','nsa-any-user-service-parents','nsa-authentication','nsa-websocket-security','nsa-ldap','nsa-method-security','nsa-web']
     @Shared def reference = new File('../docs/manual/src/docs/asciidoc/index.adoc')
 
     @Shared File schema31xDocument = new File('src/main/resources/org/springframework/security/config/spring-security-3.1.xsd')

config/src/test/groovy/org/springframework/security/config/message/MessagesConfigTests.groovy → config/src/test/groovy/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.groovy

@@ -1,4 +1,4 @@
-package org.springframework.security.config.message
+package org.springframework.security.config.websocket
 
 import org.springframework.beans.BeansException
 import org.springframework.beans.factory.config.BeanDefinition
@@ -47,7 +47,7 @@ import org.springframework.security.core.context.SecurityContextHolder
  *
  * @author Rob Winch
  */
-class MessagesConfigTests extends AbstractXmlConfigTests {
+class WebSocketMessageBrokerConfigTests extends AbstractXmlConfigTests {
     Authentication messageUser = new TestingAuthenticationToken('user','pass','ROLE_USER')
     boolean useSockJS = false
 
@@ -55,11 +55,11 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
         SecurityContextHolder.clearContext()
     }
 
-    def 'messages with no id automatically integrates with clientInboundChannel'() {
+    def 'websocket with no id automatically integrates with clientInboundChannel'() {
         setup:
-        messages {
-            'message-interceptor'(pattern:'/permitAll',access:'permitAll')
-            'message-interceptor'(pattern:'/denyAll',access:'denyAll')
+        websocket {
+            'intercept-message'(pattern:'/permitAll',access:'permitAll')
+            'intercept-message'(pattern:'/denyAll',access:'denyAll')
         }
 
 
@@ -76,9 +76,9 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
 
     def 'anonymous authentication supported'() {
         setup:
-        messages {
-            'message-interceptor'(pattern:'/permitAll',access:'permitAll')
-            'message-interceptor'(pattern:'/denyAll',access:'denyAll')
+        websocket {
+            'intercept-message'(pattern:'/permitAll',access:'permitAll')
+            'intercept-message'(pattern:'/denyAll',access:'denyAll')
         }
         messageUser = null
 
@@ -94,8 +94,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
         def id = 'authenticationController'
         bean(id,MyController)
         bean('inPostProcessor',InboundExecutorPostProcessor)
-        messages {
-            'message-interceptor'(pattern:'/**',access:'permitAll')
+        websocket {
+            'intercept-message'(pattern:'/**',access:'permitAll')
         }
 
         when: 'message is sent to the authentication endpoint'
@@ -111,8 +111,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
         def id = 'authenticationController'
         bean(id,MyController)
         bean('inPostProcessor',InboundExecutorPostProcessor)
-        messages {
-            'message-interceptor'(pattern:'/**',access:'permitAll')
+        websocket {
+            'intercept-message'(pattern:'/**',access:'permitAll')
         }
 
         SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT)
@@ -142,8 +142,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
         def id = 'authenticationController'
         bean(id,MyController)
         bean('inPostProcessor',InboundExecutorPostProcessor)
-        messages {
-            'message-interceptor'(pattern:'/**',access:'permitAll')
+        websocket {
+            'intercept-message'(pattern:'/**',access:'permitAll')
         }
 
         SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT)
@@ -175,11 +175,11 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
         def id = 'authenticationController'
         bean(id,MyController)
         bean('inPostProcessor',InboundExecutorPostProcessor)
-        messages {
-            'message-interceptor'(pattern:'/**',access:'permitAll')
+        websocket {
+            'intercept-message'(pattern:'/**',access:'permitAll')
         }
 
-        when: 'message of type CONNECTION is sent without CsrfTOken'
+        when: 'websocket of type CONNECTION is sent without CsrfTOken'
         SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT)
         Message<?> message = message(headers,'/authentication')
         clientInboundChannel.send(message)
@@ -189,7 +189,7 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
         expected.cause instanceof MissingCsrfTokenException
     }
 
-    def 'messages with no id does not override customArgumentResolvers'() {
+    def 'websocket with no id does not override customArgumentResolvers'() {
         setup:
         def id = 'authenticationController'
         bean(id,MyController)
@@ -205,11 +205,11 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
                 'b:ref'(bean:'mcar')
             }
         }
-        messages {
-            'message-interceptor'(pattern:'/**',access:'permitAll')
+        websocket {
+            'intercept-message'(pattern:'/**',access:'permitAll')
         }
 
-        when: 'message is sent to the myCustom endpoint'
+        when: 'websocket is sent to the myCustom endpoint'
         clientInboundChannel.send(message('/myCustom'))
 
         then: 'myCustomArgument is resolved'
@@ -217,10 +217,10 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
         controller.myCustomArgument!= null
     }
 
-    def 'messages with id does not integrate with clientInboundChannel'() {
+    def 'websocket with id does not integrate with clientInboundChannel'() {
         setup:
-        messages([id:'inCsi']) {
-            'message-interceptor'(pattern:'/**',access:'denyAll')
+        websocket([id:'inCsi']) {
+            'intercept-message'(pattern:'/**',access:'denyAll')
         }
 
         when:
@@ -231,8 +231,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
 
     }
 
-    def 'messages with id can be explicitly integrated with clientInboundChannel'() {
-        setup: 'message security explicitly setup'
+    def 'websocket with id can be explicitly integrated with clientInboundChannel'() {
+        setup: 'websocket security explicitly setup'
         xml.'websocket:message-broker' {
             'websocket:transport' {}
             'websocket:stomp-endpoint'(path:'/app') {
@@ -246,8 +246,8 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
                 }
             }
         }
-        xml.messages(id:'inCsi') {
-            'message-interceptor'(pattern:'/**',access:'denyAll')
+        xml.'websocket-message-broker'(id:'inCsi') {
+            'intercept-message'(pattern:'/**',access:'denyAll')
         }
         createAppContext()
 
@@ -276,9 +276,9 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
                 }
             }
         }
-        xml.messages {
-            'message-interceptor'(pattern:'/denyAll',access:'denyAll')
-            'message-interceptor'(pattern:'/permitAll',access:'permitAll')
+        xml.'websocket-message-broker' {
+            'intercept-message'(pattern:'/denyAll',access:'denyAll')
+            'intercept-message'(pattern:'/permitAll',access:'permitAll')
         }
         createAppContext()
         ChannelInterceptor mci = appContext.getBean('mci')
@@ -291,7 +291,7 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
 
     }
 
-    def messages(Map<String,Object> attrs=[:], Closure c) {
+    def websocket(Map<String,Object> attrs=[:], Closure c) {
         bean('testHandler', TestHandshakeHandler)
         xml.'websocket:message-broker' {
             'websocket:transport' {}
@@ -306,7 +306,7 @@ class MessagesConfigTests extends AbstractXmlConfigTests {
             }
             'websocket:simple-broker'(prefix:"/queue, /topic"){}
         }
-        xml.messages(attrs, c)
+        xml.'websocket-message-broker'(attrs, c)
         createAppContext()
     }
 

config/src/test/java/org/springframework/security/config/SecurityNamespaceHandlerTests.java

@@ -127,12 +127,12 @@ public class SecurityNamespaceHandlerTests {
 
 
     @Test
-    public void messageNotFoundExceptionNoMessageBlock() throws Exception {
+    public void websocketNotFoundExceptionNoMessageBlock() throws Exception {
         String className = FILTER_CHAIN_PROXY_CLASSNAME;
         spy(ClassUtils.class);
         doThrow(new ClassNotFoundException(className)).when(ClassUtils.class,"forName",eq(Message.class.getName()),any(ClassLoader.class));
         new InMemoryXmlApplicationContext(
                 XML_AUTHENTICATION_MANAGER);
-        // should load just fine since no message block
+        // should load just fine since no websocket block
     }
 }

docs/manual/src/docs/asciidoc/index.adoc

@@ -7790,15 +7790,15 @@ Enables the use of expressions in the 'access' attributes in <intercept-url> ele
 
 * <<nsa-intercept-url,intercept-url>>
 
-[[nsa-message-security]]
-=== Message/WebSocket Security
+[[nsa-websocket-security]]
+=== WebSocket Security
 
 Spring Security 4.0+ provides support for authorizing messages. One concrete example of where this is useful is to provide authorization in WebSocket based applications.
 
-[[nsa-messages]]
-==== <messages>
+[[nsa-websocket-message-broker]]
+==== <websocket-message-broker>
 
-The messages attribute has two different modes. If the <<nsa-messages-id>> is not specified, then it will do the following things:
+The websocket-message-broker element has two different modes. If the <<nsa-websocket-id>> is not specified, then it will do the following things:
 
 * Ensure that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver. This allows the use of `@AuthenticationPrincipal` to resolve the principal of the current `Authentication`
 * Ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel. This populates the SecurityContextHolder with the user that is found in the Message
@@ -7809,38 +7809,38 @@ The messages attribute has two different modes. If the <<nsa-messages-id>> is no
 If additional control is necessary, the id can be specified and a ChannelSecurityInterceptor will be assigned to the specified id. All the wiring with Spring's messaging infrastructure can then be done manually. This is more cumbersome, but provides greater control over the configuration.
 
 
-[[nsa-messages-attributes]]
-===== <messages> Attributes
+[[nsa-websocket-message-broker-attributes]]
+===== <websocket-message-broker> Attributes
 
-[[nsa-messages-id]]
-* **id** A bean identifier, used for referring to the ChannelSecurityInterceptor bean elsewhere in the context. If specified, Spring Security requires explicit configuration within Spring Messaging. If not specified, Spring Security will automatically integrate with the messaging infrastructure as described in <<nsa-messages>>
+[[nsa-websocket-message-broker-id]]
+* **id** A bean identifier, used for referring to the ChannelSecurityInterceptor bean elsewhere in the context. If specified, Spring Security requires explicit configuration within Spring Messaging. If not specified, Spring Security will automatically integrate with the messaging infrastructure as described in <<nsa-websocket-message-broker>>
 
-[[nsa-messages-children]]
-===== Child Elements of <messages>
+[[nsa-websocket-message-broker-children]]
+===== Child Elements of <websocket-message-broker>
 
 
-* <<nsa-message-interceptor,message-interceptor>>
+* <<nsa-intercept-message,intercept-message>>
 
-[[nsa-message-interceptor]]
-==== <message-interceptor>
+[[nsa-intercept-message]]
+==== <intercept-message>
 
 Defines an authorization rule for a message.
 
 
-[[nsa-message-interceptor-parents]]
-===== Parent Elements of <message-interceptor>
+[[nsa-intercept-message-parents]]
+===== Parent Elements of <intercept-message>
 
 
-* <<nsa-messages,messages>>
+* <<nsa-websocket-message-broker,websocket-message-broker>>
 
 
-[[nsa-message-interceptor-attributes]]
-===== <message-interceptor> Attributes
+[[nsa-intercept-message-attributes]]
+===== <intercept-message> Attributes
 
-[[nsa-message-interceptor-pattern]]
+[[nsa-intercept-message-pattern]]
 * **pattern** An ant based pattern that matches on the Message destination. For example, "/**" matches any Message with a destination; "/admin/**" matches any Message that has a destination that starts with "/admin/**".
 
-[[nsa-message-interceptor-access]]
+[[nsa-intercept-message-access]]
 * **access** The expression used to secure the Message. For example, "denyAll" will deny access to all of the matching Messages; "permitAll" will grant access to all of the matching Messages; "hasRole('ADMIN') requires the current user to have the role 'ROLE_ADMIN' for the matching Messages.
 
 [[nsa-authentication]]

messaging/src/test/java/org/springframework/security/messaging/context/SecurityContextChannelInterceptorTests.java

@@ -197,7 +197,7 @@ public class SecurityContextChannelInterceptorTests {
     }
 
     /**
-     * If a user sends a message when processing another message
+     * If a user sends a websocket when processing another websocket
      *
      * @throws Exception
      */
@@ -213,7 +213,7 @@ public class SecurityContextChannelInterceptorTests {
 
         assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(authentication);
 
-        // start send message
+        // start send websocket
         messageBuilder.setHeader(SimpMessageHeaderAccessor.USER_HEADER, null);
         interceptor.beforeHandle(messageBuilder.build(), channel, handler);
 
@@ -222,7 +222,7 @@ public class SecurityContextChannelInterceptorTests {
         interceptor.afterMessageHandled(messageBuilder.build(), channel, handler, null);
 
         assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(authentication);
-        // end send message
+        // end send websocket
 
         interceptor.afterMessageHandled(messageBuilder.build(), channel, handler, null);