SEC-2827: MessageMatcher Ambiguities #3050

Closed
spring-projects-issues opened this issue Jan 23, 2015 · 1 comment

Comments

@spring-projects-issues spring-projects-issues commented Jan 23, 2015

Rob Winch (Migrated from SEC-2827) said:

Right now the following is confusing:

protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
    messages
        // CONNECT frames carry no destination, so the "/**" pattern has nothing to match against
        .antMatchers(SimpMessageType.CONNECT, "/**").authenticated();
}

because Connect does not have a destination and it appears to match any Connect. What's more, the following:

protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
    messages
        // a concrete destination on a destination-less type can never match anything
        .antMatchers(SimpMessageType.CONNECT, "/abc").authenticated();
}

should not be allowed.

Fixes

  • The types that are allowed should only be SEND, SUBSCRIBE, and MESSAGE. Furthermore, we should make it difficult (or impossible) to instantiate an instance that is invalid. Consider using something like a static factory method in SimpDestinationMessageMatcher to ensure that only valid types are being used with a destination.
  • We should also consider changing the method names on MessageSecurityMetadataSourceRegistry to better align:
      • antMatchers is better expressed as simpDestMatchers (it is not necessarily ant)
      • typeMatchers is better expressed as simpTypeMatchers
      • Do not allow the SimpType to be passed in. Instead use simpMessageDestMatchers, simpSubscribeDestMatchers, simpMessageDestMatchers
  • Look at XML equivalent to ensure this is also fixed
@spring-projects-issues spring-projects-issues commented Jan 23, 2015

Rob Winch said:

Example of what it looks like now:

@Configuration
public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {

    protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
        messages
            .simpDestMessageMatchers("/app/**").authenticated()
            .simpDestSubscribeMatchers("/user/**","/topic/friends/*").authenticated()
            .simpDestSubscribeMatchers("/**").denyAll()

            // (i.e. NOT SimpMessageType.SUBSCRIBE and SimpMessageType.MESSAGE)
            .nullDestMatcher().authenticated()

            // (i.e. cannot send messages directly to /topic/, /queue/, /user/)
            // (i.e. cannot subscribe to /topic/messages/* to get messages sent to /topic/messages-user<id>)
            .anyMessage().denyAll();
    }
}
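The ambiguity described in the first comment (a destination pattern paired with a CONNECT type, which carries no destination) and the factory-based fix it proposes, as an added illustration that is not Spring Security's own code. Everything here is a hypothetical stand-in: the MessageType enum, the Message record, the DestinationMatcher and NullDestinationMatcher classes, the factory names (modelled on the simpDest*Matchers naming proposed above) and the cut-down Ant-pattern translation are assumptions for the example, not the project's SimpMessageType, SimpDestinationMessageMatcher or AntPathMatcher.

```java
import java.util.EnumSet;
import java.util.Set;
import java.util.regex.Pattern;

// Stand-in for SimpMessageType (an assumption, not the real enum): the types the
// issue names as destination-carrying, plus two that carry no destination.
enum MessageType { CONNECT, DISCONNECT, SEND, SUBSCRIBE, MESSAGE, UNSUBSCRIBE }

// Minimal inbound frame (assumed shape); destination is null for CONNECT-style frames.
record Message(MessageType type, String destination) {}

// Destination-aware matcher that can only be built for types that carry a destination.
// The constructor is private, so every instance passes through a factory that enforces
// the rule: an invalid combination fails at configuration time instead of silently
// becoming a rule that matches every CONNECT.
final class DestinationMatcher {
    private static final Set<MessageType> DESTINATION_TYPES =
        EnumSet.of(MessageType.SEND, MessageType.SUBSCRIBE, MessageType.MESSAGE);
    private final MessageType type;
    private final Pattern pattern;

    private DestinationMatcher(MessageType type, String antPattern) {
        this.type = type;
        this.pattern = Pattern.compile(antToRegex(antPattern));
    }

    // Type-specific factory, named after the simpDest*Matchers methods the issue
    // proposes; a destination-less type cannot even be expressed through it.
    static DestinationMatcher subscribe(String antPattern) {
        return new DestinationMatcher(MessageType.SUBSCRIBE, antPattern);
    }

    // General factory for callers that still pass a type explicitly: rejects the
    // antMatchers(SimpMessageType.CONNECT, "/abc") shape from the issue.
    static DestinationMatcher of(MessageType type, String antPattern) {
        if (!DESTINATION_TYPES.contains(type)) {
            throw new IllegalArgumentException(type
                + " frames carry no destination; use a null-destination matcher instead");
        }
        return new DestinationMatcher(type, antPattern);
    }

    boolean matches(Message m) {
        // A frame without a destination can never satisfy a destination pattern.
        if (m.destination() == null || m.type() != type) {
            return false;
        }
        return pattern.matcher(m.destination()).matches();
    }

    // Tiny Ant-style translation: "**" spans any number of path segments,
    // "*" spans one segment and "?" is a single non-slash character.
    private static String antToRegex(String ant) {
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*' && i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                regex.append(".*");
                i++; // consume the second '*'
            } else if (c == '*') {
                regex.append("[^/]*");
            } else if (c == '?') {
                regex.append("[^/]");
            } else {
                regex.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return regex.toString();
    }
}

// The only kind of rule that should ever be written for CONNECT-style frames.
final class NullDestinationMatcher {
    boolean matches(Message m) {
        return m.destination() == null;
    }
}

public class MatcherDemo {
    public static void main(String[] args) {
        // Constructed sample frames, not captured traffic.
        Message connect = new Message(MessageType.CONNECT, null);
        Message friend = new Message(MessageType.SUBSCRIBE, "/topic/friends/bob");
        Message nested = new Message(MessageType.SUBSCRIBE, "/topic/friends/bob/private");

        try {
            DestinationMatcher.of(MessageType.CONNECT, "/abc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected at configuration time: " + e.getMessage());
        }

        // "/topic/friends/*" covers a single segment, so the nested destination falls
        // outside the rule, and the destination-less CONNECT can never match it.
        DestinationMatcher friends = DestinationMatcher.subscribe("/topic/friends/*");
        System.out.println("friend: " + friends.matches(friend));
        System.out.println("nested: " + friends.matches(nested));
        System.out.println("connect vs destination rule: " + friends.matches(connect));
        System.out.println("connect vs null-destination rule: " + new NullDestinationMatcher().matches(connect));
    }
}
```

The point of the private constructor plus factories is that the mistake is caught when the registry is built rather than at runtime, where a rule that silently matches every CONNECT (or nothing at all) would otherwise leave an authorization gap that no request ever exercises. Compile and run with `javac MatcherDemo.java && java MatcherDemo` (Java 16 or newer for the record).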
