Check the user of a SockJS request

Issue: SPR-12497
11 years ago · dc5b5ca8ee
2 changed files with 34 additions and 0 deletions
--- a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
@ -17,6 +17,8 @@
				@@ -17,6 +17,8 @@
 package org.springframework.web.socket.sockjs.transport;

 import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@ -245,6 +247,15 @@ public class TransportHandlingSockJsService extends AbstractSockJsService implem
				@@ -245,6 +247,15 @@ public class TransportHandlingSockJsService extends AbstractSockJsService implem
 					return;
 				}
 			}
+			else {
+				if (session.getPrincipal() != null) {
+					if (!session.getPrincipal().equals(request.getPrincipal())) {
+						logger.debug("The user for the session does not match the user for the request.");
+						response.setStatusCode(HttpStatus.NOT_FOUND);
+						return;
+					}
+				}
+			}

 			if (transportType.sendsNoCacheInstruction()) {
 				addNoCacheHeaders(response);
--- a/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java
+++ b/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java
@ -29,6 +29,7 @@ import org.mockito.MockitoAnnotations;
				@@ -29,6 +29,7 @@ import org.mockito.MockitoAnnotations;
 import org.springframework.scheduling.TaskScheduler;
 import org.springframework.web.socket.AbstractHttpRequestTests;
 import org.springframework.web.socket.WebSocketHandler;
+import org.springframework.web.socket.handler.TestPrincipal;
 import org.springframework.web.socket.server.HandshakeHandler;
 import org.springframework.web.socket.server.support.OriginHandshakeInterceptor;
 import org.springframework.web.socket.sockjs.transport.SockJsSessionFactory;
@ -243,6 +244,28 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
				@@ -243,6 +244,28 @@ public class DefaultSockJsServiceTests extends AbstractHttpRequestTests {
 		verify(this.xhrSendHandler).handleRequest(this.request, this.response, this.wsHandler, this.session);
 	}

+	@Test
+	public void handleTransportRequestXhrSendWithDifferentUser() throws Exception {
+		String sockJsPath = sessionUrlPrefix + "xhr";
+		setRequest("POST", sockJsPrefix + sockJsPath);
+		this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
+
+		assertEquals(200, this.servletResponse.getStatus()); // session created
+		verify(this.xhrHandler).handleRequest(this.request, this.response, this.wsHandler, this.session);
+
+		this.session.setPrincipal(new TestPrincipal("little red riding hood"));
+		this.servletRequest.setUserPrincipal(new TestPrincipal("wolf"));
+
+		resetResponse();
+		reset(this.xhrSendHandler);
+		sockJsPath = sessionUrlPrefix + "xhr_send";
+		setRequest("POST", sockJsPrefix + sockJsPath);
+		this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
+
+		assertEquals(404, this.servletResponse.getStatus());
+		verifyNoMoreInteractions(this.xhrSendHandler);
+	}
+
 	@Test
 	 public void handleTransportRequestJsonp() throws Exception {
 		TransportHandlingSockJsService jsonpService = new TransportHandlingSockJsService(this.taskScheduler, this.jsonpHandler, this.jsonpSendHandler);