Wrong order of ChannelInterceptors? #250
@markusheiden or @olegz can you explain why this was moved here and what the expected fix would be?
Sorry, but I don't know which Spring project is the root cause of the problem. My point: I am not able to use the bus together with Spring Security without manual fixes. Maybe I did set something up incorrectly, but I found no documentation about that.
@olegz can you comment?
Describe the issue
I am using AbstractSecurityWebSocketMessageBrokerConfigurer with Spring Cloud Bus. The order of the ChannelInterceptors defined in the configurer leads to problems when not authenticated. Because ChannelSecurityInterceptor is added before SecurityContextChannelInterceptor, ChannelSecurityInterceptor has no security context when there is not already an authentication.
StreamBridge adds the ChannelInterceptors in the order it gets them from the application context, which is CsrfChannelInterceptor, ChannelSecurityInterceptor, SecurityContextChannelInterceptor.
To Reproduce
Steps to reproduce the behavior:
messages.anyMessage().permitAll() is sufficient.
Version of the framework
3.1.1.
Expected behavior
An anonymous security context will be used and no failures.
Additional context
I manually changed the order of the ChannelInterceptors to CsrfChannelInterceptor, SecurityContextChannelInterceptor, ChannelSecurityInterceptor and it worked fine.
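
The ordering dependency described in the issue, as an added example that is not part of the original report or of Spring's code: a plain-JDK model in which the three interceptor classes are hypothetical stand-ins named after the Spring Security ones, and the `user` header and `send` helper are assumptions. It runs the chain once in the reported order and once in the order the reporter switched to.

```java
import java.util.*;

// Simplified model of the ordering dependency. The nested interceptors are
// hypothetical stand-ins named after the Spring Security classes, not the real ones.
public class InterceptorOrderDemo {
    // Stand-in for the thread-bound security context (assumption of this model).
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    interface Interceptor { void preSend(Map<String, String> headers); }

    static class CsrfChannelInterceptor implements Interceptor {
        public void preSend(Map<String, String> headers) { /* not involved in the ordering problem */ }
    }

    static class SecurityContextChannelInterceptor implements Interceptor {
        public void preSend(Map<String, String> headers) {
            // Uses the user carried by the message ("user" is a made-up header name),
            // or falls back to an anonymous identity when there is none.
            CONTEXT.set(headers.getOrDefault("user", "anonymous"));
        }
    }

    static class ChannelSecurityInterceptor implements Interceptor {
        public void preSend(Map<String, String> headers) {
            // As reported in the issue: fails when no security context exists yet.
            if (CONTEXT.get() == null)
                throw new IllegalStateException("no authentication in security context");
        }
    }

    // Runs the chain in list order for one unauthenticated message.
    static String send(List<Interceptor> chain) {
        CONTEXT.remove();
        try {
            for (Interceptor i : chain) i.preSend(new HashMap<>());
            return "sent as " + CONTEXT.get();
        } catch (IllegalStateException e) {
            return "rejected: " + e.getMessage();
        } finally {
            CONTEXT.remove(); // never leak the identity to the next message on this thread
        }
    }

    public static void main(String[] args) {
        Interceptor csrf = new CsrfChannelInterceptor();
        Interceptor ctx = new SecurityContextChannelInterceptor();
        Interceptor sec = new ChannelSecurityInterceptor();
        System.out.println("reported order: " + send(List.of(csrf, sec, ctx)));
        System.out.println("manual order:   " + send(List.of(csrf, ctx, sec)));
    }
}
```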