Expected Behavior
When we configure MessageMatcherDelegatingAuthorizationManager it should be possible to provide an instance of a class that supports expression-based authorization to the method org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager.Builder.Constraint.access(AuthorizationManager<MessageAuthorizationContext<?>>)
In non-websocket world this is supported by org.springframework.security.web.access.expression.WebExpressionAuthorizationManager.WebExpressionAuthorizationManager(String)
Current Behavior
WebSocket class that seems to be facilitating the same task (org.springframework.security.config.websocket.WebSocketMessageBrokerSecurityBeanDefinitionParser.ExpressionBasedAuthorizationManager) is private and looks to be used for XML config only
Context
Spring Security 5.8.1.
The issue is affecting us during migration from older Spring Security which supported expression-based access control via the method org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry.Constraint.access(String)
Expected Behavior When we configure
MessageMatcherDelegatingAuthorizationManager
it should be possible to provide an instance of a class that supports expression-based authorization to the methodorg.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager.Builder.Constraint.access(AuthorizationManager<MessageAuthorizationContext<?>>)
In non-websocket world this is supported by
org.springframework.security.web.access.expression.WebExpressionAuthorizationManager.WebExpressionAuthorizationManager(String)
Current Behavior WebSocket class that seems to be facilitating the same task (
org.springframework.security.config.websocket.WebSocketMessageBrokerSecurityBeanDefinitionParser.ExpressionBasedAuthorizationManager
) is private and looks to be used for XML config onlyContext Spring Security 5.8.1. The issue is affecting us during migration from older Spring Security which supported expression-based access control via the method
org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry.Constraint.access(String)