
Migrate to Spring Security 6's `@EnableWebSocketSecurity`

Open mraible opened this issue 1 year ago • 3 comments

Overview of the issue

Spring Security 6 introduces an `@EnableWebSocketSecurity` annotation to replace the deprecated `AbstractSecurityWebSocketMessageBrokerConfigurer`.

However, this annotation does not provide a way to disable CSRF for websockets.

From https://docs.spring.io/spring-security/reference/6.0/servlet/integrations/websocket.html:

NOTE: At this point, CSRF is not configurable when using `@EnableWebSocketSecurity`, though this will likely be added in a future release.

Motivation for or Use Case

We should not use deprecated classes where possible.

Reproduce the error

Generate an app with websockets and you'll see that `WebsocketSecurityConfiguration` extends a deprecated class. It'd be good to rename our `Websocket` classes to be `WebSocket` to be in line with Spring Security. However, it might be a pain for upgrading, so leaving the names as-is might be a good idea.

Related issues
  • https://github.com/jhipster/generator-jhipster/issues/19782

mraible, Nov 20 '22 18:11
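The migration described in this issue, sketched as an added example that is not part of the original post and is not JHipster's generated code. The class names, the `/topic/admin/**` destination and the `ROLE_ADMIN` authority are assumptions; the "before" class assumes the existing configuration opts out of CSRF by overriding `sameOriginDisabled()`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry;
import org.springframework.security.config.annotation.web.socket.AbstractSecurityWebSocketMessageBrokerConfigurer;
import org.springframework.security.config.annotation.web.socket.EnableWebSocketSecurity;
import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;

// Before: extends the deprecated base class. Shown without @Configuration so that
// only the "after" class below is registered when both sit in the same project.
class LegacyWebsocketSecurityConfiguration extends AbstractSecurityWebSocketMessageBrokerConfigurer {

    @Override
    protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
        messages
            .nullDestMatcher().authenticated()   // frames without a destination, e.g. CONNECT
            .simpDestMatchers("/topic/admin/**").hasAuthority("ROLE_ADMIN") // hypothetical destination
            .simpDestMatchers("/topic/**").authenticated()
            .anyMessage().denyAll();             // default deny for everything else
    }

    @Override
    protected boolean sameOriginDisabled() {
        return true; // CSRF opt-out (assumed); this hook has no counterpart in the class below
    }
}

// After: Spring Security 6 style. The same rules are expressed as an
// AuthorizationManager bean; CSRF checking of CONNECT frames stays enabled.
@Configuration
@EnableWebSocketSecurity
class WebSocketSecurityConfiguration {

    @Bean
    AuthorizationManager<Message<?>> messageAuthorizationManager(
            MessageMatcherDelegatingAuthorizationManager.Builder messages) {
        return messages
            .nullDestMatcher().authenticated()
            .simpDestMatchers("/topic/admin/**").hasAuthority("ROLE_ADMIN") // hypothetical destination
            .simpDestMatchers("/topic/**").authenticated()
            .anyMessage().denyAll()
            .build();
    }
}
```

With the "after" configuration, a client that previously relied on the opt-out has to send a valid CSRF token in the headers of its STOMP CONNECT frame.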