
Migrate to Spring Security 6's `@EnableWebSocketSecurity`

Open mraible opened this issue 3 years ago • 8 comments

Overview of the issue

Spring Security 6 introduces an @EnableWebSocketSecurity annotation to replace the deprecated AbstractSecurityWebSocketMessageBrokerConfigurer.

However, this annotation does not provide a way to disable CSRF for websockets.

From https://docs.spring.io/spring-security/reference/6.0/servlet/integrations/websocket.html:

NOTE: At this point, CSRF is not configurable when using @EnableWebSocketSecurity, though this will likely be added in a future release.

Motivation for or Use Case

We should not use deprecated classes where possible.

Reproduce the error

Generate an app with websockets and you'll see that WebsocketSecurityConfiguration extends a deprecated class. It'd be good to rename our Websocket classes to be WebSocket to be in line with Spring Security. However, it might be a pain for upgrading, so leaving the names as-is might be a good idea.

Related issues
  • https://github.com/jhipster/generator-jhipster/issues/19782

mraible, Nov 20 '22 18:11

This issue is stale because it has been open for too long without any activity. Due to the moving nature of jhipster generated application, bugs can become invalid. If this issue still applies, please comment; otherwise it will be closed in 7 days.

github-actions[bot], Jan 11 '24 00:01

Keep it open.

atomfrede, Jan 11 '24 05:01

Is there a workaround for this that does not involve using the deprecated MessageSecurityMetadataSourceRegistry?

mdmm13, Apr 10 '24 07:04
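For reference, the annotation-based form that Spring Security 6 offers in place of the deprecated base class, as an added example that is not part of the thread and not JHipster's generated code. The destinations and the `ROLE_ADMIN` authority are hypothetical; the class name is the one mentioned in the issue.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.web.socket.EnableWebSocketSecurity;
import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;

// Replaces "extends AbstractSecurityWebSocketMessageBrokerConfigurer":
// there is no base class; the annotation registers the security
// interceptors on the client inbound channel.
@Configuration
@EnableWebSocketSecurity
public class WebsocketSecurityConfiguration {

    // Replaces configureInbound(MessageSecurityMetadataSourceRegistry).
    // Rules are evaluated in order, so the most specific matcher goes first
    // and the final anyMessage().denyAll() makes the policy default-deny.
    @Bean
    AuthorizationManager<Message<?>> messageAuthorizationManager(
        MessageMatcherDelegatingAuthorizationManager.Builder messages
    ) {
        messages
            // CONNECT, DISCONNECT, heartbeats: frames without a destination
            .nullDestMatcher().authenticated()
            // hypothetical admin-only topic
            .simpDestMatchers("/topic/admin/**").hasAuthority("ROLE_ADMIN")
            // hypothetical topics open to any authenticated user
            .simpDestMatchers("/topic/**").authenticated()
            // any other MESSAGE or SUBSCRIBE frame is rejected
            .simpTypeMatchers(SimpMessageType.MESSAGE, SimpMessageType.SUBSCRIBE).denyAll()
            .anyMessage().denyAll();
        return messages.build();
    }

    // There is no counterpart to the old sameOriginDisabled() override here.
    // With @EnableWebSocketSecurity the CSRF check stays on, so the STOMP
    // client has to send the CSRF token as a header on its CONNECT frame.
}
```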