SEC-3140: A user with an expired session can send messages through websocket #3340

Open
@spring-projects-issues

Description

Danilkovich Denis (Migrated from SEC-3140) said:

In my application I have a WebSocket-based chat, and only authenticated users can post messages. My spring-security config is below:

<s:websocket-message-broker same-origin-disabled="true">
    <s:intercept-message type="MESSAGE" pattern="/app/chat.message" access="(hasRole('ROLE_USER') and !hasRole('ROLE_BLOCK_CHAT_POSTER'))" />
</s:websocket-message-broker>

and when, in my admin console, I make a user's session expire:

// Expire the first registered, non-expired session of the given user via the
// Spring Security SessionRegistry (the same registry used by concurrent-session control).
public void logOutManuallyUser(String username) {
    for (Object principal : sessionRegistry.getAllPrincipals()) {
        // Principals are registered as UserDetails (here the default User implementation).
        User user = (User) principal;
        if (user.getUsername().equalsIgnoreCase(username)) {
            // getAllSessions(principal, false) excludes sessions that are already expired.
            for (SessionInformation session : sessionRegistry.getAllSessions(principal, false)) {
                // Marks the HTTP session as expired; ConcurrentSessionFilter acts on it
                // only when the browser makes its next HTTP request.
                session.expireNow();
                break; // only the first live session is expired
            }
        }
    }
}

the user can still send any messages through the websocket.
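The gap described above is that expiring a session in the SessionRegistry only takes effect on the next HTTP request, while STOMP frames over an already-open WebSocket never pass through ConcurrentSessionFilter. One way to close it on the application side, as an added example that is neither the reporter's code nor a fix shipped by Spring Security, is a ChannelInterceptor on the inbound channel that consults the SessionRegistry for every MESSAGE frame. It assumes Spring Framework 5+ (ChannelInterceptor has default methods) and that HttpSessionHandshakeInterceptor is registered on the STOMP endpoint, so the HTTP session id is copied into the STOMP session attributes under HttpSessionHandshakeInterceptor.HTTP_SESSION_ID_ATTR_NAME. The class name ExpiredSessionChannelInterceptor is made up for this example.

```java
import java.util.Map;

import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.MessageDeliveryException;
import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.web.socket.server.support.HttpSessionHandshakeInterceptor;

/**
 * Hypothetical interceptor (example code, not part of Spring Security) that rejects
 * inbound STOMP MESSAGE frames whose backing HTTP session has been expired in the
 * SessionRegistry, e.g. by SessionInformation.expireNow() from an admin console.
 */
public class ExpiredSessionChannelInterceptor implements ChannelInterceptor {

    private final SessionRegistry sessionRegistry;

    public ExpiredSessionChannelInterceptor(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    @Override
    public Message<?> preSend(Message<?> message, MessageChannel channel) {
        SimpMessageHeaderAccessor accessor = SimpMessageHeaderAccessor.wrap(message);
        // Only application messages are gated here; CONNECT, SUBSCRIBE and
        // DISCONNECT frames pass through so the client can still tear down cleanly.
        if (accessor.getMessageType() != SimpMessageType.MESSAGE) {
            return message;
        }
        if (!isHttpSessionLive(accessor.getSessionAttributes())) {
            // Returning null would drop the frame silently; throwing makes the
            // broker send an ERROR frame back to the client instead.
            throw new MessageDeliveryException(message, "HTTP session expired; message rejected");
        }
        return message;
    }

    /**
     * Assumption: HttpSessionHandshakeInterceptor ran at handshake time and stored
     * the HTTP session id in the STOMP session attributes. Fails closed when the id
     * is missing, so endpoints without that interceptor will reject all messages.
     */
    boolean isHttpSessionLive(Map<String, Object> sessionAttributes) {
        if (sessionAttributes == null) {
            return false;
        }
        Object sessionId = sessionAttributes.get(HttpSessionHandshakeInterceptor.HTTP_SESSION_ID_ATTR_NAME);
        if (!(sessionId instanceof String)) {
            return false;
        }
        SessionInformation info = sessionRegistry.getSessionInformation((String) sessionId);
        // An expired session stays in the registry (with isExpired() == true) until the
        // browser's next HTTP request invalidates it, which never happens for a client
        // that only talks over the WebSocket; a null result means it was removed entirely.
        return info != null && !info.isExpired();
    }
}
```

Register it on the client inbound channel (in Java config via `WebSocketMessageBrokerConfigurer.configureClientInboundChannel(ChannelRegistration registration)` with `registration.interceptors(new ExpiredSessionChannelInterceptor(sessionRegistry))`, or the equivalent `client-inbound-channel` interceptors element in the websocket XML namespace). It complements, rather than replaces, the `intercept-message` role check above: that check still decides who may post, this one decides whether the session behind the connection is still alive.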

    Labels

    in: messaging (An issue in spring-security-messaging)
    type: bug (A general bug)
    type: jira (An issue that was migrated from JIRA)
