Skip to content

Add XorCsrfChannelInterceptor #12562

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 26, 2023
Merged

Add XorCsrfChannelInterceptor #12562

merged 2 commits into from
Jan 26, 2023
+563 −58

Conversation

sjohnr
Copy link
Member

@sjohnr sjohnr commented Jan 18, 2023

No description provided.

@sjohnr sjohnr force-pushed the gh-12378-csrf-websocket-stomp branch from 51677bc to 4093468 Compare January 19, 2023 16:41
@sjohnr sjohnr marked this pull request as ready for review January 19, 2023 16:44
@sjohnr sjohnr linked an issue Jan 19, 2023 that may be closed by this pull request
Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12378
Closed
@sjohnr sjohnr self-assigned this Jan 19, 2023
@sjohnr sjohnr requested a review from rwinch January 19, 2023 16:45
@sjohnr sjohnr added status: duplicate A duplicate of another issue in: messaging An issue in spring-security-messaging type: bug A general bug labels Jan 19, 2023
@sjohnr sjohnr force-pushed the gh-12378-csrf-websocket-stomp branch 3 times, most recently from 98e6a69 to 3bcddd4 Compare January 19, 2023 21:58
rwinch
rwinch requested changes Jan 20, 2023
View reviewed changes
Copy link
Member

@rwinch rwinch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @sjohnr Overall this looks good. Once you have resolved the comments, from my perspective you can merge this.

@sjohnr sjohnr force-pushed the gh-12378-csrf-websocket-stomp branch from 3bcddd4 to dbe56d5 Compare January 23, 2023 21:40
@sjohnr sjohnr added this to the 5.8.2 milestone Jan 23, 2023
@sjohnr sjohnr removed the status: duplicate A duplicate of another issue label Jan 23, 2023
@sjohnr
Copy link
Member Author

sjohnr commented Jan 23, 2023

Note: Once this PR is merged, we can close gh-12378 by making XorCsrfChannelInterceptor the default in WebSocketMessageBrokerSecurityConfiguration.csrfChannelInterceptor.

@sjohnr sjohnr removed a link to an issue Jan 23, 2023
Fix CSRF protection provided by @EnableWebSocketSecurity / Stomp #12378
Closed
Steve Riesenberg added 2 commits January 23, 2023 16:00
Add XorCsrfChannelInterceptor
c306df9 
Issue spring-projectsgh-12378
Add section for migrating WebSocket support

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
33e72b3 
Issue spring-projectsgh-12378
@sjohnr sjohnr force-pushed the gh-12378-csrf-websocket-stomp branch from dbe56d5 to 33e72b3 Compare January 26, 2023 04:27
@sjohnr sjohnr merged commit 33e72b3 into spring-projects:5.8.x Jan 26, 2023
@sjohnr sjohnr deleted the gh-12378-csrf-websocket-stomp branch January 26, 2023 21:50
@sjohnr sjohnr added type: enhancement A general enhancement and removed type: bug A general bug labels Jan 26, 2023
@sjohnr sjohnr mentioned this pull request Aug 15, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rwinch rwinch

Assignees

@sjohnr sjohnr

Labels
in: messaging An issue in spring-security-messaging type: enhancement A general enhancement
Projects
None yet
Milestone
5.8.2
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@sjohnr @rwinch