Merge branch '6.3.x' into 6.4.x

Closes gh-17494

Author: jzheaux

config/src/main/java/org/springframework/security/config/websocket/WebSocketMessageBrokerSecurityBeanDefinitionParser.java

@@ -301,6 +301,8 @@ static class MessageSecurityPostProcessor implements BeanDefinitionRegistryPostP
 
 		private static final String CLIENT_INBOUND_CHANNEL_BEAN_ID = "clientInboundChannel";
 
+		private static final String CSRF_CHANNEL_INTERCEPTOR_BEAN_ID = "csrfChannelInterceptor";
+
 		private static final String INTERCEPTORS_PROP = "interceptors";
 
 		private static final String CUSTOM_ARG_RESOLVERS_PROP = "customArgumentResolvers";
@@ -364,7 +366,12 @@ else if ("org.springframework.web.socket.sockjs.transport.handler.DefaultSockJsS
 			ManagedList<Object> interceptors = new ManagedList();
 			interceptors.add(new RootBeanDefinition(SecurityContextChannelInterceptor.class));
 			if (!this.sameOriginDisabled) {
-				interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
+				if (!registry.containsBeanDefinition(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID)) {
+					interceptors.add(new RootBeanDefinition(CsrfChannelInterceptor.class));
+				}
+				else {
+					interceptors.add(new RuntimeBeanReference(CSRF_CHANNEL_INTERCEPTOR_BEAN_ID));
+				}
 			}
 			interceptors.add(registry.getBeanDefinition(this.inboundSecurityInterceptorId));
 			BeanDefinition inboundChannel = registry.getBeanDefinition(CLIENT_INBOUND_CHANNEL_BEAN_ID);

config/src/test/java/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests.java

@@ -48,6 +48,7 @@
 import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
 import org.springframework.messaging.simp.SimpMessageType;
 import org.springframework.messaging.support.ChannelInterceptor;
+import org.springframework.messaging.support.ExecutorSubscribableChannel;
 import org.springframework.messaging.support.GenericMessage;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.expression.SecurityExpressionOperations;
@@ -521,6 +522,16 @@ public void sendWhenCustomAuthorizationManagerThenAuthorizesAccordingly() {
 		verify(authorizationManager).check(any(), any());
 	}
 
+	@Test
+	public void configureWhenCsrfChannelInterceptorBeanThenUses() {
+		this.spring.configLocations(xml("CustomCsrfInterceptor")).autowire();
+		ExecutorSubscribableChannel channel = this.spring.getContext()
+			.getBean("clientInboundChannel", ExecutorSubscribableChannel.class);
+		ChannelInterceptor interceptor = this.spring.getContext()
+			.getBean("csrfChannelInterceptor", ChannelInterceptor.class);
+		assertThat(channel.getInterceptors()).contains(interceptor);
+	}
+
 	private String xml(String configName) {
 		return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
 	}

config/src/test/resources/org/springframework/security/config/websocket/WebSocketMessageBrokerConfigTests-CustomCsrfInterceptor.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xmlns="http://www.springframework.org/schema/security"
+		 xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<b:import resource="classpath:org/springframework/security/config/websocket/controllers.xml"/>
+	<b:import resource="classpath:org/springframework/security/config/websocket/websocket.xml"/>
+
+	<b:bean id="csrfChannelInterceptor" class="org.mockito.Mockito" factory-method="mock">
+		<b:constructor-arg value="org.springframework.messaging.support.ChannelInterceptor"  type="java.lang.Class"/>
+	</b:bean>
+
+	<websocket-message-broker use-authorization-manager="false">
+		<intercept-message pattern="/**" access="denyNile()"/>
+	</websocket-message-broker>
+
+</b:beans>