Olli

Reputation: 729

Websockets - CSRF with Spring Boot and STOMP

How is CSRF over WebSockets expected to work? I am sending a CSRF Token as STOMP header on the Connect but the org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor does not seem to find it. I tried to dig into the sources and I seem to understand that the CSRF Token is expected to be supplied with the initial websocket HTTP Handshake and is then stored inside some sort of session or repository where it is taken out. The job seems to be done by org.springframework.security.messaging.web.socket.server.CsrfTokenHandshakeInterceptor.

But my HTTP Handshake does not supply any CSRF token. It's the same as with any other header like Authorization: I can't supply any custom header together with the initial Handshake! Sending it as a _csrf query parameter doesn't help either. It's a GET request and doesn't require CSRF per default anyway.

How is CSRF supposed to work with Websocket STOMP over HTTP?

Inside CsrfTokenHandshakeInterceptor while processing (screenshot not reproduced)

Upvotes: 2

Views: 1216
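The handshake-to-CONNECT binding the question describes, shown as explicit wiring of the two Spring Security classes it names. This is an added example and is not code from the question, the linked issue or the linked repository; the endpoint path `/ws`, the class name and the broker prefixes are assumptions. Spring Security's own WebSocket configuration (`AbstractSecurityWebSocketMessageBrokerConfigurer` in 5.x, `@EnableWebSocketSecurity` in 6.x) registers the same two interceptors for you; spelling them out makes the two steps visible.

```java
// Added example (not from the question or the linked repository): explicit wiring
// of CsrfTokenHandshakeInterceptor and CsrfChannelInterceptor on a STOMP endpoint.
// Endpoint path "/ws" and the broker prefixes are assumptions.
package example;

import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.security.messaging.web.csrf.CsrfChannelInterceptor;
import org.springframework.security.messaging.web.socket.server.CsrfTokenHandshakeInterceptor;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

@Configuration
@EnableWebSocketMessageBroker
public class StompCsrfConfig implements WebSocketMessageBrokerConfigurer {

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // Step 1: the handshake is a plain HTTP GET that the browser sends with the
        // session cookie. CsrfFilter still resolves the session's CsrfToken into a
        // request attribute on GET (it only enforces the token on state-changing
        // methods), and CsrfTokenHandshakeInterceptor copies that attribute into the
        // WebSocket session attributes. No custom header and no _csrf query
        // parameter is needed on the handshake itself.
        registry.addEndpoint("/ws")
                .addInterceptors(new CsrfTokenHandshakeInterceptor());
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        // Step 2: on the STOMP CONNECT frame, CsrfChannelInterceptor reads the
        // native STOMP header whose name is the stored token's header name
        // (X-CSRF-TOKEN with the default HttpSessionCsrfTokenRepository), compares
        // it with the token bound in step 1, and rejects the CONNECT if the header
        // is missing or does not match.
        registration.interceptors(new CsrfChannelInterceptor());
    }

    @Override
    public void configureMessageBroker(MessageBrokerRegistry registry) {
        registry.enableSimpleBroker("/topic");
        registry.setApplicationDestinationPrefixes("/app");
    }
}
```

The client therefore needs the token value before it opens the socket, for example rendered into the page as a meta tag or read from the CSRF cookie, and sends it only on the STOMP CONNECT frame (with stomp.js, `client.connect({ 'X-CSRF-TOKEN': token }, onConnected)`); the handshake request itself carries nothing but the session cookie.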

Answers (1)

Olli

Reputation: 729

There is already an issue open for spring-security which addresses it. There is also a workaround supplied in that issue: https://github.com/spring-projects/spring-security/issues/12378

My code example with the workaround can be found here: https://github.com/OlliL/spring-boot-stomp

It could also serve as an example implementation for JWT + CSRF with STOMP Websockets maybe (I am no expert ;))

Upvotes: 4
