SEC-3036: Allow using Spring Security's WebSocket XML Configuration with Spring MVC Java Configuration #3243
Comments
Rob Winch said: Thank you for the report. It appears the security configuration is XML based. Are you using Java Based Configuration for Spring's WebSocket support?
Juan David Ortiz said: You are welcome. Yes, you are right. Most of the app configuration is Java based, including Spring's WebSocket support. Only the Spring's Security/OAuth part of configuration is XML. The specific bean causing the NPE is unrelated to WebSocket though, and is defined on a Java configuration file like this:
    @Bean
    public AmazonS3Client s3Client(AWSCredentials credentials) {
        return new AmazonS3Client(credentials);
    }
Rob Winch said: Thanks, this does provide insight to me. Unfortunately, if you are using Spring's Java Configuration for WebSocket support you must use Java Configuration for the WebSocket support. This is indeed something that should be fixed, but perhaps this information may help you move along. It should be noted that you should be able to safely use Spring Security's XML configuration for HTTP security and use Spring Security's Java Configuration for WebSocket. Another alternative is to add an id and manually add
    <websocket-message-broker id="inCsi">
        <intercept-message pattern="/**" access="denyAll" />
    </websocket-message-broker>
I will look into whether it is possible to support mixing XML and Java configuration for WebSockets.
Juan David Ortiz said: Moving the configuration to Java solved the issue for me, thank you very much for the insight!
Rob Winch said: No problem. Glad I could be of help. Since this will likely take quite a bit of coordination with the core Spring Team, I'm moving this to the Backlog for now. Thanks again for reporting the issue!
Juan David Ortiz (Migrated from SEC-3036) said:
This is the relevant part of the stacktrace I'm getting after upgrading to Spring Security 4.0.1 and trying to use the new Websocket Security feature:
Caused by: java.lang.NullPointerException: null
at org.springframework.security.config.websocket.WebSocketMessageBrokerSecurityBeanDefinitionParser$MessageSecurityPostProcessor.postProcessBeanDefinitionRegistry(WebSocketMessageBrokerSecurityBeanDefinitionParser.java:233) ~[spring-security-config-4.0.1.RELEASE.jar:4.0.1.RELEASE]
This won't allow the application context to start.
I don't know if a BeanDefinition object can return null for its getBeanClassName method and still be valid. If yes, a null check is needed to ignore those beans and continue with the processing of the relevant ones.
Please verify and thanks in advance.
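Added example, not part of the original thread and not Spring Security's parser code: a registry scan that tolerates the condition the report asks about. A bean definition that carries only a factory bean and factory method, which is how an `@Bean` instance method such as `s3Client` is described, returns null from `getBeanClassName()`. The helper `beansDeclaredAs` and the bean names `byClass` and `appConfig` are hypothetical, and both sample definitions are constructed for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.beans.factory.support.RootBeanDefinition;

public class NullSafeBeanClassScan {

    // Hypothetical helper: names of beans whose declared class name equals `wanted`.
    // Definitions without a class name are skipped instead of dereferenced.
    static List<String> beansDeclaredAs(BeanDefinitionRegistry registry, String wanted) {
        List<String> matches = new ArrayList<>();
        for (String name : registry.getBeanDefinitionNames()) {
            BeanDefinition bd = registry.getBeanDefinition(name);
            String className = bd.getBeanClassName();
            if (className == null) {
                // Factory-method bean: the definition names a factory bean and a
                // method, not a class, so there is nothing to compare against.
                continue;
            }
            if (className.equals(wanted)) {
                matches.add(name);
            }
        }
        return matches;
    }

    public static void main(String[] args) {
        DefaultListableBeanFactory registry = new DefaultListableBeanFactory();

        // Constructed sample: a bean declared by class, as an XML <bean class="..."/> is.
        registry.registerBeanDefinition("byClass", new RootBeanDefinition(StringBuilder.class));

        // Constructed sample: factory bean plus factory method and no class name.
        RootBeanDefinition viaFactory = new RootBeanDefinition();
        viaFactory.setFactoryBeanName("appConfig");
        viaFactory.setFactoryMethodName("s3Client");
        registry.registerBeanDefinition("s3Client", viaFactory);

        System.out.println("s3Client class name: "
                + registry.getBeanDefinition("s3Client").getBeanClassName());
        System.out.println("declared as StringBuilder: "
                + beansDeclaredAs(registry, StringBuilder.class.getName()));
    }
}
```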