generator-jhipster
Migrate to Spring Security 6's `@EnableWebSocketSecurity`
Overview of the issue
Spring Security 6 introduces an `@EnableWebSocketSecurity` annotation to replace the deprecated `AbstractSecurityWebSocketMessageBrokerConfigurer`.
However, this annotation does not provide a way to disable CSRF for websockets.
From https://docs.spring.io/spring-security/reference/6.0/servlet/integrations/websocket.html:
NOTE: At this point, CSRF is not configurable when using `@EnableWebSocketSecurity`, though this will likely be added in a future release.
Motivation for or Use Case
We should not use deprecated classes where possible.
Reproduce the error
Generate an app with websockets and you'll see that `WebsocketSecurityConfiguration` extends a deprecated class. It'd be good to rename our `Websocket` classes to be `WebSocket` to be in line with Spring Security. However, it might be a pain for upgrading, so leaving the names as-is might be a good idea.
Related issues
- https://github.com/jhipster/generator-jhipster/issues/19782