Check the user of a SockJS request

rstoyanchev · rstoyanchev · commit ac5c361688fb · 2014-12-08T11:22:45.000-05:00
Issue: SPR-12497
(backport of commit dc5b5c)
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
@@ -242,6 +242,15 @@ else if (transportType.supportsCors()) {
 					return;
 				}
 			}
+			else {
+				if (session.getPrincipal() != null) {
+					if (!session.getPrincipal().equals(request.getPrincipal())) {
+						logger.debug("The user for the session does not match the user for the request.");
+						response.setStatusCode(HttpStatus.NOT_FOUND);
+						return;
+					}
+				}
+			}
 
 			if (transportType.sendsNoCacheInstruction()) {
 				addNoCacheHeaders(response);
diff --git a/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java b/spring-websocket/src/test/java/org/springframework/web/socket/sockjs/transport/handler/DefaultSockJsServiceTests.java
@@ -27,6 +27,7 @@
 import org.springframework.scheduling.TaskScheduler;
 import org.springframework.web.socket.AbstractHttpRequestTests;
 import org.springframework.web.socket.WebSocketHandler;
+import org.springframework.web.socket.handler.TestPrincipal;
 import org.springframework.web.socket.sockjs.transport.SockJsSessionFactory;
 import org.springframework.web.socket.sockjs.transport.TransportHandler;
 import org.springframework.web.socket.sockjs.transport.TransportHandlingSockJsService;
@@ -178,6 +179,28 @@ public void handleTransportRequestXhrSend() throws Exception {
 		verify(this.xhrSendHandler).handleRequest(this.request, this.response, this.wsHandler, this.session);
 	}
 
+	@Test
+	public void handleTransportRequestXhrSendWithDifferentUser() throws Exception {
+		String sockJsPath = sessionUrlPrefix + "xhr";
+		setRequest("POST", sockJsPrefix + sockJsPath);
+		this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
+
+		assertEquals(200, this.servletResponse.getStatus()); // session created
+		verify(this.xhrHandler).handleRequest(this.request, this.response, this.wsHandler, this.session);
+
+		this.session.setPrincipal(new TestPrincipal("little red riding hood"));
+		this.servletRequest.setUserPrincipal(new TestPrincipal("wolf"));
+
+		resetResponse();
+		reset(this.xhrSendHandler);
+		sockJsPath = sessionUrlPrefix + "xhr_send";
+		setRequest("POST", sockJsPrefix + sockJsPath);
+		this.service.handleRequest(this.request, this.response, sockJsPath, this.wsHandler);
+
+		assertEquals(404, this.servletResponse.getStatus());
+		verifyNoMoreInteractions(this.xhrSendHandler);
+	}
+
 
 	interface SessionCreatingTransportHandler extends TransportHandler, SockJsSessionFactory {
 	}
