spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Programmatic way to use expression-based authorization manager for websockets #12650

Open lrozenblyum opened 1 year ago

lrozenblyum commented 1 year ago

Expected Behavior

When we configure MessageMatcherDelegatingAuthorizationManager, it should be possible to provide an instance of a class that supports expression-based authorization to the method org.springframework.security.messaging.access.intercept.MessageMatcherDelegatingAuthorizationManager.Builder.Constraint.access(AuthorizationManager<MessageAuthorizationContext<?>>).

In the non-websocket world this is supported by org.springframework.security.web.access.expression.WebExpressionAuthorizationManager.WebExpressionAuthorizationManager(String).

Current Behavior

The WebSocket class that seems to be facilitating the same task (org.springframework.security.config.websocket.WebSocketMessageBrokerSecurityBeanDefinitionParser.ExpressionBasedAuthorizationManager) is private and looks to be used for XML config only.

Context

Spring Security 5.8.1. The issue is affecting us during migration from older Spring Security, which supported expression-based access control via the method org.springframework.security.config.annotation.web.messaging.MessageSecurityMetadataSourceRegistry.Constraint.access(String).

i-filaliawb commented 1 month ago

Same problem with us.

Cannot find any way to use expression-based access control for a destination.
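One way to fill the gap described in this issue, shown as an added example that is not from the thread or from Spring Security itself: a small AuthorizationManager that evaluates a SpEL expression per message. The class name MessageExpressionAuthorizationManager and the "/app/**" destination are hypothetical, and the sketch assumes the MessageAuthorizationContextSecurityExpressionHandler that ships with Spring Security 5.8 and later.

```java
import java.util.function.Supplier;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.messaging.access.expression.MessageAuthorizationContextSecurityExpressionHandler;
import org.springframework.security.messaging.access.intercept.MessageAuthorizationContext;

// Hypothetical class, not part of Spring Security.
// Usage inside the MessageMatcherDelegatingAuthorizationManager.Builder config:
//   messages.simpDestMatchers("/app/**")
//           .access(new MessageExpressionAuthorizationManager("hasRole('USER')"));
public final class MessageExpressionAuthorizationManager
        implements AuthorizationManager<MessageAuthorizationContext<?>> {

    private final SecurityExpressionHandler<MessageAuthorizationContext<?>> handler;
    private final Expression expression;

    public MessageExpressionAuthorizationManager(String expressionString) {
        this(expressionString, new MessageAuthorizationContextSecurityExpressionHandler());
    }

    public MessageExpressionAuthorizationManager(String expressionString,
            SecurityExpressionHandler<MessageAuthorizationContext<?>> handler) {
        this.handler = handler;
        // Parse once at configuration time so a malformed rule fails at startup,
        // not on the first message. The string must be a static configuration
        // value: never build it from message headers or payload.
        this.expression = handler.getExpressionParser().parseExpression(expressionString);
    }

    @Override
    public AuthorizationDecision check(Supplier<Authentication> authentication,
            MessageAuthorizationContext<?> context) {
        // The handler exposes the authentication, the message and any
        // destination template variables to the expression.
        EvaluationContext ctx = this.handler.createEvaluationContext(authentication, context);
        // An evaluation failure surfaces as an exception rather than a grant.
        boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx);
        return new AuthorizationDecision(granted);
    }
}
```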