Use PathPatternMessageMatcher By Default

Issue gh-17501

Author: jzheaux

config/src/main/java/org/springframework/security/config/annotation/web/socket/MessageMatcherAuthorizationManagerConfiguration.java

@@ -16,29 +16,24 @@
 
 package org.springframework.security.config.annotation.web.socket;
 
-import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Fallback;
 import org.springframework.context.annotation.Scope;
-import org.springframework.messaging.simp.annotation.support.SimpAnnotationMethodMessageHandler;
+import org.springframework.security.config.web.messaging.PathPatternMessageMatcherBuilderFactoryBean;
 import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
-import org.springframework.security.messaging.util.matcher.MessageMatcherFactory;
-import org.springframework.util.AntPathMatcher;
 
 final class MessageMatcherAuthorizationManagerConfiguration {
 
+	@Bean
+	@Fallback
+	PathPatternMessageMatcherBuilderFactoryBean messageMatcherBuilderFactoryBean() {
+		return new PathPatternMessageMatcherBuilderFactoryBean();
+	}
+
 	@Bean
 	@Scope("prototype")
-	MessageMatcherDelegatingAuthorizationManager.Builder messageAuthorizationManagerBuilder(
-			ApplicationContext context) {
-		MessageMatcherFactory.setApplicationContext(context);
-		if (MessageMatcherFactory.usesPathPatterns()) {
-			return MessageMatcherDelegatingAuthorizationManager.builder();
-		}
-		return MessageMatcherDelegatingAuthorizationManager.builder()
-			.simpDestPathMatcher(
-					() -> (context.getBeanNamesForType(SimpAnnotationMethodMessageHandler.class).length > 0)
-							? context.getBean(SimpAnnotationMethodMessageHandler.class).getPathMatcher()
-							: new AntPathMatcher());
+	MessageMatcherDelegatingAuthorizationManager.Builder messageAuthorizationManagerBuilder() {
+		return MessageMatcherDelegatingAuthorizationManager.builder();
 	}
 
 }

config/src/main/java/org/springframework/security/config/http/MessageMatcherFactoryBean.java

@@ -23,9 +23,6 @@
 import org.springframework.messaging.simp.SimpMessageType;
 import org.springframework.security.messaging.util.matcher.MessageMatcher;
 import org.springframework.security.messaging.util.matcher.PathPatternMessageMatcher;
-import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
-import org.springframework.util.AntPathMatcher;
-import org.springframework.util.PathMatcher;
 
 @Deprecated
 public final class MessageMatcherFactoryBean implements FactoryBean<MessageMatcher<?>>, ApplicationContextAware {
@@ -36,8 +33,6 @@ public final class MessageMatcherFactoryBean implements FactoryBean<MessageMatch
 
 	private final String path;
 
-	private PathMatcher pathMatcher = new AntPathMatcher();
-
 	public MessageMatcherFactoryBean(String path) {
 		this(path, null);
 	}
@@ -49,30 +44,17 @@ public MessageMatcherFactoryBean(String path, SimpMessageType method) {
 
 	@Override
 	public MessageMatcher<?> getObject() throws Exception {
-		if (this.builder != null) {
-			return this.builder.matcher(this.method, this.path);
-		}
-		if (this.method == SimpMessageType.SUBSCRIBE) {
-			return SimpDestinationMessageMatcher.createSubscribeMatcher(this.path, this.pathMatcher);
-		}
-		if (this.method == SimpMessageType.MESSAGE) {
-			return SimpDestinationMessageMatcher.createMessageMatcher(this.path, this.pathMatcher);
-		}
-		return new SimpDestinationMessageMatcher(this.path, this.pathMatcher);
+		return this.builder.matcher(this.method, this.path);
 	}
 
 	@Override
 	public Class<?> getObjectType() {
 		return null;
 	}
 
-	public void setPathMatcher(PathMatcher pathMatcher) {
-		this.pathMatcher = pathMatcher;
-	}
-
 	@Override
 	public void setApplicationContext(ApplicationContext context) throws BeansException {
-		this.builder = context.getBeanProvider(PathPatternMessageMatcher.Builder.class).getIfUnique();
+		this.builder = context.getBean(PathPatternMessageMatcher.Builder.class);
 	}
 
 }

config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java

@@ -31,9 +31,9 @@
 import org.springframework.beans.PropertyValue;
 import org.springframework.beans.factory.FactoryBean;
 import org.springframework.beans.factory.config.BeanDefinition;
-import org.springframework.beans.factory.config.BeanReference;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
+import org.springframework.beans.factory.parsing.BeanComponentDefinition;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.BeanDefinitionRegistry;
 import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor;
@@ -56,6 +56,7 @@
 import org.springframework.security.authorization.AuthorizationResult;
 import org.springframework.security.config.Elements;
 import org.springframework.security.config.http.MessageMatcherFactoryBean;
+import org.springframework.security.config.web.messaging.PathPatternMessageMatcherBuilderFactoryBean;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -134,7 +135,7 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 
 	private static final String TYPE_ATTR = "type";
 
-	private static final String PATH_MATCHER_BEAN_NAME = "springSecurityMessagePathMatcher";
+	private static final String MESSAGE_MATCHER_BUILDER_BEAN_NAME = "HttpConfigurationBuilder-pathPatternMessageMatcherBuilder";
 
 	/**
 	 * @param element
@@ -144,13 +145,17 @@ public final class WebSocketMessageBrokerSecurityBeanDefinitionParser implements
 	@Override
 	public BeanDefinition parse(Element element, ParserContext parserContext) {
 		String id = element.getAttribute(ID_ATTR);
+		if (!parserContext.getRegistry().containsBeanDefinition(MESSAGE_MATCHER_BUILDER_BEAN_NAME)) {
+			BeanDefinitionBuilder pathPatternMessageMatcherBuilder = BeanDefinitionBuilder
+				.rootBeanDefinition(PathPatternMessageMatcherBuilderFactoryBean.class);
+			pathPatternMessageMatcherBuilder.setFallback(true);
+			BeanDefinition bean = pathPatternMessageMatcherBuilder.getBeanDefinition();
+			parserContext.registerBeanComponent(new BeanComponentDefinition(bean, MESSAGE_MATCHER_BUILDER_BEAN_NAME));
+		}
 		String inSecurityInterceptorName = parseAuthorization(element, parserContext);
 		BeanDefinitionRegistry registry = parserContext.getRegistry();
 		if (StringUtils.hasText(id)) {
 			registry.registerAlias(inSecurityInterceptorName, id);
-			if (!registry.containsBeanDefinition(PATH_MATCHER_BEAN_NAME)) {
-				registry.registerBeanDefinition(PATH_MATCHER_BEAN_NAME, new RootBeanDefinition(AntPathMatcher.class));
-			}
 		}
 		else {
 			boolean sameOriginDisabled = Boolean.parseBoolean(element.getAttribute(DISABLED_ATTR));
@@ -286,7 +291,6 @@ private BeanDefinition createMatcher(String matcherPattern, String messageType,
 							+ " with a pattern because the type does not have a destination.", interceptMessage);
 			}
 		}
-		matcher.addPropertyValue("pathMatcher", new RuntimeBeanReference("springSecurityMessagePathMatcher"));
 		return matcher.getBeanDefinition();
 	}
 
@@ -342,13 +346,6 @@ public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry registry) t
 					}
 					argResolvers.add(beanDefinition);
 					bd.getPropertyValues().add(CUSTOM_ARG_RESOLVERS_PROP, argResolvers);
-					if (!registry.containsBeanDefinition(PATH_MATCHER_BEAN_NAME)) {
-						PropertyValue pathMatcherProp = bd.getPropertyValues().getPropertyValue("pathMatcher");
-						Object pathMatcher = (pathMatcherProp != null) ? pathMatcherProp.getValue() : null;
-						if (pathMatcher instanceof BeanReference) {
-							registry.registerAlias(((BeanReference) pathMatcher).getBeanName(), PATH_MATCHER_BEAN_NAME);
-						}
-					}
 				}
 				else if (CSRF_HANDSHAKE_HANDLER_CLASSES.contains(beanClassName)) {
 					addCsrfTokenHandshakeInterceptor(bd);
@@ -376,9 +373,6 @@ else if (CSRF_HANDSHAKE_HANDLER_CLASSES.contains(beanClassName)) {
 				interceptors.addAll(currentInterceptors);
 			}
 			inboundChannel.getPropertyValues().add(INTERCEPTORS_PROP, interceptors);
-			if (!registry.containsBeanDefinition(PATH_MATCHER_BEAN_NAME)) {
-				registry.registerBeanDefinition(PATH_MATCHER_BEAN_NAME, new RootBeanDefinition(AntPathMatcher.class));
-			}
 		}
 
 		private void addCsrfTokenHandshakeInterceptor(BeanDefinition bd) {

config/src/test/java/org/springframework/security/config/annotation/web/socket/WebSocketMessageBrokerSecurityConfigurationTests.java

@@ -45,6 +45,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
 import org.springframework.core.MethodParameter;
+import org.springframework.http.server.PathContainer;
 import org.springframework.http.server.ServerHttpRequest;
 import org.springframework.http.server.ServerHttpResponse;
 import org.springframework.messaging.Message;
@@ -70,6 +71,7 @@
 import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.observation.SecurityObservationSettings;
+import org.springframework.security.config.web.messaging.PathPatternMessageMatcherBuilderFactoryBean;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
@@ -99,6 +101,7 @@
 import org.springframework.web.socket.server.support.HttpSessionHandshakeInterceptor;
 import org.springframework.web.socket.sockjs.transport.handler.SockJsWebSocketHandler;
 import org.springframework.web.socket.sockjs.transport.session.WebSocketServerSockJsSession;
+import org.springframework.web.util.pattern.PathPatternParser;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -507,6 +510,13 @@ private void loadConfig(Class<?>... configs) {
 	@Import(SyncExecutorConfig.class)
 	static class MsmsRegistryCustomPatternMatcherConfig implements WebSocketMessageBrokerConfigurer {
 
+		@Bean
+		PathPatternMessageMatcherBuilderFactoryBean messageMatcherBuilder() {
+			PathPatternParser parser = new PathPatternParser();
+			parser.setPathOptions(PathContainer.Options.MESSAGE_ROUTE);
+			return new PathPatternMessageMatcherBuilderFactoryBean(parser);
+		}
+
 		// @formatter:off
 		@Override
 		public void registerStompEndpoints(StompEndpointRegistry registry) {
@@ -518,7 +528,6 @@ public void registerStompEndpoints(StompEndpointRegistry registry) {
 
 		@Override
 		public void configureMessageBroker(MessageBrokerRegistry registry) {
-			registry.setPathMatcher(new AntPathMatcher("."));
 			registry.enableSimpleBroker("/queue/", "/topic/");
 			registry.setApplicationDestinationPrefixes("/app");
 		}
@@ -567,7 +576,6 @@ public void configureMessageBroker(MessageBrokerRegistry registry) {
 		@Bean
 		AuthorizationManager<Message<?>> authorizationManager(MessageMatcherDelegatingAuthorizationManager.Builder messages) {
 			messages
-					.simpDestPathMatcher(new AntPathMatcher())
 					.simpDestMatchers("/app/a/*").permitAll()
 					.anyMessage().denyAll();
 			return messages.build();

messaging/src/main/java/org/springframework/security/messaging/access/expression/MessageExpressionConfigAttribute.java

@@ -23,7 +23,6 @@
 import org.springframework.messaging.Message;
 import org.springframework.security.access.ConfigAttribute;
 import org.springframework.security.messaging.util.matcher.MessageMatcher;
-import org.springframework.security.messaging.util.matcher.SimpDestinationMessageMatcher;
 import org.springframework.util.Assert;
 
 /**
@@ -42,7 +41,7 @@ class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationCon
 
 	private final Expression authorizeExpression;
 
-	private final MessageMatcher<?> matcher;
+	private final MessageMatcher<Object> matcher;
 
 	/**
 	 * Creates a new instance
@@ -53,7 +52,7 @@ class MessageExpressionConfigAttribute implements ConfigAttribute, EvaluationCon
 		Assert.notNull(authorizeExpression, "authorizeExpression cannot be null");
 		Assert.notNull(matcher, "matcher cannot be null");
 		this.authorizeExpression = authorizeExpression;
-		this.matcher = matcher;
+		this.matcher = (MessageMatcher<Object>) matcher;
 	}
 
 	Expression getAuthorizeExpression() {
@@ -72,12 +71,9 @@ public String toString() {
 
 	@Override
 	public EvaluationContext postProcess(EvaluationContext ctx, Message<?> message) {
-		if (this.matcher instanceof SimpDestinationMessageMatcher) {
-			Map<String, String> variables = ((SimpDestinationMessageMatcher) this.matcher)
-				.extractPathVariables(message);
-			for (Map.Entry<String, String> entry : variables.entrySet()) {
-				ctx.setVariable(entry.getKey(), entry.getValue());
-			}
+		Map<String, String> variables = this.matcher.matcher(message).getVariables();
+		for (Map.Entry<String, String> entry : variables.entrySet()) {
+			ctx.setVariable(entry.getKey(), entry.getValue());
 		}
 		return ctx;
 	}