diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java
index 3335a53aca..54d1e99a01 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/socket/AbstractSecurityWebSocketMessageBrokerConfigurer.java
@@ -88,7 +88,7 @@ public abstract class AbstractSecurityWebSocketMessageBrokerConfigurer extends A
public final void configureClientInboundChannel(ChannelRegistration registration) {
ChannelSecurityInterceptor inboundChannelSecurity = inboundChannelSecurity();
registration.setInterceptors(securityContextChannelInterceptor());
- if(sameOriginEnforced()) {
+ if(!sameOriginDisabled()) {
registration.setInterceptors(csrfChannelInterceptor());
}
if(inboundRegistry.containsMapping()) {
@@ -100,16 +100,16 @@ public abstract class AbstractSecurityWebSocketMessageBrokerConfigurer extends A
/**
*
* Determines if a CSRF token is required for connecting. This protects against remote sites from connecting to the
- * application and being able to read/write data over the connection. The default is true.
+ * application and being able to read/write data over the connection. The default is false (the token is required).
*
*
* Subclasses can override this method to disable CSRF protection
*
*
- * @return true if a CSRF is required for connecting, else false
+ * @return false if a CSRF token is required for connecting, else true
*/
- protected boolean sameOriginEnforced() {
- return true;
+ protected boolean sameOriginDisabled() {
+ return false;
}
/**
@@ -170,7 +170,7 @@ public abstract class AbstractSecurityWebSocketMessageBrokerConfigurer extends A
}
public void afterSingletonsInstantiated() {
- if(!sameOriginEnforced()) {
+ if(sameOriginDisabled()) {
return;
}
diff --git a/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
index 00e0169100..c9142628fb 100644
--- a/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java
@@ -86,6 +86,8 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
private static final String ID_ATTR = "id";
+ private static final String DISABLED_ATTR = "same-origin-disabled";
+
private static final String PATTERN_ATTR = "pattern";
private static final String ACCESS_ATTR = "access";
@@ -105,6 +107,8 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
ManagedMap matcherToExpression = new ManagedMap();
String id = element.getAttribute(ID_ATTR);
+ boolean sameOriginDisabled = Boolean.parseBoolean(element.getAttribute(DISABLED_ATTR));
+
List interceptMessages = DomUtils.getChildElementsByTagName(element, Elements.INTERCEPT_MESSAGE);
for(Element interceptMessage : interceptMessages) {
@@ -137,6 +141,7 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
} else {
BeanDefinitionBuilder mspp = BeanDefinitionBuilder.rootBeanDefinition(MessageSecurityPostProcessor.class);
mspp.addConstructorArgValue(inSecurityInterceptorName);
+ mspp.addConstructorArgValue(sameOriginDisabled);
context.registerWithGeneratedName(mspp.getBeanDefinition());
}
@@ -180,8 +185,11 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
private final String inboundSecurityInterceptorId;
- public MessageSecurityPostProcessor(String inboundSecurityInterceptorId) {
+ private final boolean sameOriginDisabled;
+
+ public MessageSecurityPostProcessor(String inboundSecurityInterceptorId, boolean sameOriginDisabled) {
this.inboundSecurityInterceptorId = inboundSecurityInterceptorId;
+ this.sameOriginDisabled = sameOriginDisabled;
}
public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) throws BeansException {
@@ -212,7 +220,9 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
}
ManagedList