
Programmatic way to use expression-based authorization manager for websockets

Open lrozenblyum opened this issue 2 years ago • 1 comments

Expected Behavior

When we configure MessageMatcherDelegatingAuthorizationManager it should be possible to provide an instance of a class that supports expression-based authorization to the method org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager.Builder.Constraint.access(AuthorizationManager<MessageAuthorizationContext<?>>)

In the non-WebSocket world this is supported by org.springframework.security.web.access.expression.WebExpressionAuthorizationManager.WebExpressionAuthorizationManager(String)

Current Behavior

The WebSocket class that seems to be facilitating the same task (org.springframework.security.config.websocket.WebSocketMessageBrokerSecurityBeanDefinitionParser.ExpressionBasedAuthorizationManager) is private and looks to be used for XML config only.

Context

Spring Security 5.8.1. The issue is affecting us during migration from an older Spring Security version, which supported expression-based access control via the method org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry.Constraint.access(String)

lrozenblyum, Feb 09 '23 09:02
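An added example, not part of the original issue and not Spring Security's own code: one way to fill the gap described above is a small adapter that implements AuthorizationManager<MessageAuthorizationContext<?>> and evaluates a SpEL string with the message expression handler. The class name MessageExpressionAuthorizationManager and the "/app/**" destination in the usage comment are assumptions; the sketch targets the 5.8-era check(...) contract and denies when the expression does not evaluate to true.

```java
import java.util.function.Supplier;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.messaging.Message;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.messaging.access.expression.DefaultMessageSecurityExpressionHandler;
import org.springframework.security.messaging.access.intercept.MessageAuthorizationContext;

// Hypothetical adapter class (name chosen for this example).
// Usage with the builder named in the issue:
//   messages.simpDestMatchers("/app/**")
//           .access(new MessageExpressionAuthorizationManager("hasRole('USER')"));
public final class MessageExpressionAuthorizationManager
        implements AuthorizationManager<MessageAuthorizationContext<?>> {

    // Raw construction: the handler is generic in the payload type, which is
    // unknown here, so the assignment is unchecked but safe for evaluation.
    @SuppressWarnings({ "unchecked", "rawtypes" })
    private final SecurityExpressionHandler<Message<?>> expressionHandler =
            new DefaultMessageSecurityExpressionHandler();

    private final Expression expression;

    public MessageExpressionAuthorizationManager(String expressionString) {
        if (expressionString == null || expressionString.trim().isEmpty()) {
            throw new IllegalArgumentException("expressionString cannot be empty");
        }
        // Parse once at configuration time so a malformed rule fails at startup.
        this.expression = this.expressionHandler.getExpressionParser()
                .parseExpression(expressionString);
    }

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication,
            MessageAuthorizationContext<?> context) {
        EvaluationContext ctx = this.expressionHandler
                .createEvaluationContext(authentication.get(), context.getMessage());
        // Expose destination template variables (e.g. #room) to the expression.
        context.getVariables().forEach(ctx::setVariable);
        // Fail closed: a null or non-true result denies the message.
        Boolean granted = this.expression.getValue(ctx, Boolean.class);
        return new AuthorizationDecision(Boolean.TRUE.equals(granted));
    }
}
```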