Default to XorCsrfChannelInterceptor in 6.0.x

Closes gh-12378

Author: Steve Riesenberg

config/src/main/java/org/springframework/security/config/annotation/web/socket/WebSocketMessageBrokerSecurityConfiguration.java

@@ -41,7 +41,7 @@
 import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
 import org.springframework.security.messaging.context.AuthenticationPrincipalArgumentResolver;
 import org.springframework.security.messaging.context.SecurityContextChannelInterceptor;
-import org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor;
+import org.springframework.security.messaging.web.csrf.XorCsrfChannelInterceptor;
 import org.springframework.security.messaging.web.socket.server.CsrfTokenHandshakeInterceptor;
 import org.springframework.util.Assert;
 import org.springframework.web.servlet.handler.SimpleUrlHandlerMapping;
@@ -71,7 +71,7 @@ final class WebSocketMessageBrokerSecurityConfiguration
 
 	private final SecurityContextChannelInterceptor securityContextChannelInterceptor = new SecurityContextChannelInterceptor();
 
-	private ChannelInterceptor csrfChannelInterceptor = new CsrfChannelInterceptor();
+	private ChannelInterceptor csrfChannelInterceptor = new XorCsrfChannelInterceptor();
 
 	private AuthorizationManager<Message<?>> authorizationManager = ANY_MESSAGE_AUTHENTICATED;
 

config/src/test/java/org/springframework/security/config/annotation/web/socket/WebSocketMessageBrokerSecurityConfigurationTests.java

@@ -66,7 +66,7 @@
 import org.springframework.security.messaging.access.intercept.MessageAuthorizationContext;
 import org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager;
 import org.springframework.security.messaging.context.SecurityContextChannelInterceptor;
-import org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor;
+import org.springframework.security.messaging.web.csrf.XorCsrfChannelInterceptor;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.csrf.DeferredCsrfToken;
@@ -96,6 +96,8 @@
 
 public class WebSocketMessageBrokerSecurityConfigurationTests {
 
+	private static final String XOR_CSRF_TOKEN_VALUE = "wpe7zB62-NCpcA==";
+
 	AnnotationConfigWebApplicationContext context;
 
 	Authentication messageUser;
@@ -198,7 +200,7 @@ public void csrfProtectionDefinedByBean() {
 		MessageChannel messageChannel = clientInboundChannel();
 		Stream<Class<? extends ChannelInterceptor>> interceptors = ((AbstractMessageChannel) messageChannel)
 				.getInterceptors().stream().map(ChannelInterceptor::getClass);
-		assertThat(interceptors).contains(CsrfChannelInterceptor.class);
+		assertThat(interceptors).contains(XorCsrfChannelInterceptor.class);
 	}
 
 	@Test
@@ -238,7 +240,7 @@ public void messagesConnectWebSocketUseCsrfTokenHandshakeInterceptor() throws Ex
 	public void messagesContextWebSocketUseSecurityContextHolderStrategy() {
 		loadConfig(WebSocketSecurityConfig.class, SecurityContextChangedListenerConfig.class);
 		SimpMessageHeaderAccessor headers = SimpMessageHeaderAccessor.create(SimpMessageType.CONNECT);
-		headers.setNativeHeader(this.token.getHeaderName(), this.token.getToken());
+		headers.setNativeHeader(this.token.getHeaderName(), XOR_CSRF_TOKEN_VALUE);
 		Message<?> message = message(headers, "/authenticated");
 		headers.getSessionAttributes().put(CsrfToken.class.getName(), this.token);
 		MessageChannel messageChannel = clientInboundChannel();