StompSubProtocolHandler should send SessionSubscribeEvent after ChannelSecurityInterceptor has validated access rights [SPR-13339]

[spring-projects-issues]

pascal gehl opened SPR-13339 and commented

Only "Platinium" user of my application can subscribe to a dedicated /topic/platinum topic.
Every time an authorized user subscribes I want to run some code. For this I implemented ApplicationListener< SessionSubscribeEvent >.

Unauthorized users should receive the equivalent of 403 Unauthorized response.

Unfortunately my ApplicationListener< SessionSubscribeEvent > is called wether the user is authorized or not and I could not find where to hook some code after ChannelSecurityInterceptor has been executed.

@SubscribeMapping only works for /app/platinum but I really want to execute some code when user subscribes to /topic/platinum.

---

Affects: 4.1.7

Referenced from: commits 27899ab

[spring-projects-issues]

Rossen Stoyanchev commented

Yes currently the event is fired before sending the message on the channel. Since the channel returns a boolean value, we can move the events after checking that boolean flag.

[spring-projects-issues]

pascal gehl commented

It's actually applicable on all events sent by StompSubProtocolHandler because access control can also be applied to CONNECT and other message types.

[spring-projects-issues]

Rossen Stoyanchev commented

We can certainly move all events after. It wouldn't hurt but i"m wondering when would CONNECT be rejected? I.e. what would access control applied to CONNECT mean? Authentication is covered when the endpoint is established and if you're successfully in you should be able to connect to the broker before we start authorizing what else you can/cannot do.