Describe the issue
I am using AbstractSecurityWebSocketMessageBrokerConfigurer with Spring Cloud Bus. The order of the ChannelInterceptors defined in the configurer leads to problems when not authenticated. Because ChannelSecurityInterceptor is added before SecurityContextChannelInterceptor, ChannelSecurityInterceptor has no security context when there is not already an authentication.
StreamBridge adds the ChannelInterceptors in the order it gets them from the application context which is CsrfChannelInterceptor, ChannelSecurityInterceptor, SecurityContextChannelInterceptor.
To Reproduce
Steps to reproduce the behavior:
Use Spring Cloud Bus with spring-security-config AbstractSecurityWebSocketMessageBrokerConfigurer with inbound constraints. messages.anyMessage().permitAll() is sufficient.
Incoming events lead to "AbstractSecurityInterceptor.authenticationNotFound" due to a missing security context.
Version of the framework
3.1.1.
Expected behavior
An anonymous security context will be used and no failures.
Additional context
I manually changed the order of the ChannelInterceptors to CsrfChannelInterceptor, SecurityContextChannelInterceptor, ChannelSecurityInterceptor and it worked fine.
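
The reordering described under "Additional context", as an added example that is not part of the original issue or of any Spring project: it moves SecurityContextChannelInterceptor in front of ChannelSecurityInterceptor and leaves every other interceptor where it was. The class and method names (`SecurityInterceptorOrder`, `contextBeforeAuthorization`, `apply`) are hypothetical, and it assumes the channel that receives the bus events implements spring-messaging's `InterceptableChannel`.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.InterceptableChannel;
import org.springframework.security.messaging.access.intercept.ChannelSecurityInterceptor;
import org.springframework.security.messaging.context.SecurityContextChannelInterceptor;

/** Hypothetical helper, not a Spring class: puts context setup ahead of authorization. */
public final class SecurityInterceptorOrder {

    private SecurityInterceptorOrder() {
    }

    /**
     * Returns a copy in which every SecurityContextChannelInterceptor that sat behind the
     * first ChannelSecurityInterceptor is moved directly in front of it. All other
     * interceptors (CsrfChannelInterceptor, for example) keep their relative order.
     */
    public static List<ChannelInterceptor> contextBeforeAuthorization(List<ChannelInterceptor> current) {
        List<ChannelInterceptor> ordered = new ArrayList<>(current);
        int firstAuthz = -1;
        for (int i = 0; i < ordered.size(); i++) {
            if (ordered.get(i) instanceof ChannelSecurityInterceptor) {
                firstAuthz = i;
                break;
            }
        }
        if (firstAuthz < 0) {
            return ordered; // no authorization interceptor, nothing to reorder
        }
        List<ChannelInterceptor> late = new ArrayList<>();
        // Walk backwards so removals do not shift indices still to be visited.
        for (int i = ordered.size() - 1; i > firstAuthz; i--) {
            if (ordered.get(i) instanceof SecurityContextChannelInterceptor) {
                late.add(0, ordered.remove(i));
            }
        }
        ordered.addAll(firstAuthz, late);
        return ordered;
    }

    /** Assumption: the channel that receives the bus events implements InterceptableChannel. */
    public static void apply(InterceptableChannel channel) {
        channel.setInterceptors(contextBeforeAuthorization(channel.getInterceptors()));
    }
}
```

Call `apply` after all interceptors have been registered on the channel; an interceptor added afterwards is not covered by the reordering.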
olegz transferred this issue from spring-cloud/spring-cloud-stream on Mar 20, 2021
Sorry, but I don't know which Spring project is the root cause of the problem. My point: I am not able to use the bus together with Spring Security without manual fixes. Maybe I set something up incorrectly, but I found no documentation about that.