fix: fix role checking when using websocket push (#20679) (CP: 24.4) #20711

Merged 1 commit on Dec 16, 2024


mcollovati
Collaborator

When using PUSH with websocket transport, the atmosphere wrapped request can be a no-op implementation whose isUserInRole method always returns false, causing, for example, wrong access checking during navigation. This change falls back to Spring Security for role checking when PUSH transport is websocket.
It also fixes some tests in order to propagate the Spring Security context when starting threads that perform UI operations.

References psi#123
Part of #11026
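
A sketch of the fallback described above, added here as an example; it is not the code from this pull request or from Vaadin. The class `RoleCheckFallback`, its methods and the `websocketPush` flag are hypothetical, and it assumes Spring Security 6 with the default `ROLE_` prefix and the Jakarta servlet API.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.concurrent.DelegatingSecurityContextRunnable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper, added for illustration only. */
public final class RoleCheckFallback {

    // Assumption: the application uses Spring Security's default role prefix.
    private static final String ROLE_PREFIX = "ROLE_";

    private RoleCheckFallback() {
    }

    /**
     * @param request       current request, possibly an Atmosphere wrapper
     * @param websocketPush true when the push transport is websocket; how
     *                      that is detected is left to the caller
     */
    public static boolean isUserInRole(HttpServletRequest request,
            boolean websocketPush, String role) {
        if (!websocketPush && request != null) {
            // Regular HTTP request: the servlet container can answer.
            return request.isUserInRole(role);
        }
        // Websocket push: the wrapped request may be a no-op whose
        // isUserInRole always returns false, so use the security context.
        Authentication auth =
                SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false; // fail closed when nobody is authenticated
        }
        String authority =
                role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
        return auth.getAuthorities().stream()
                .anyMatch(a -> authority.equals(a.getAuthority()));
    }

    /**
     * Starts a thread that carries the caller's SecurityContext, so role
     * checks made from the background task see the same Authentication.
     */
    public static Thread startWithSecurityContext(Runnable uiTask) {
        Thread thread = new Thread(new DelegatingSecurityContextRunnable(uiTask));
        thread.start();
        return thread;
    }
}
```

Without the wrapper in `startWithSecurityContext`, a new thread under the default thread-local holder strategy starts with an empty context, and the fallback denies every role.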


github-actions bot commented Dec 13, 2024

Test Results

1 120 files  ± 0  1 120 suites  ±0   1h 22m 3s ⏱️ + 1m 26s
7 126 tests + 1  7 076 ✅ + 1  50 💤 ±0  0 ❌ ±0 
7 500 runs  +30  7 438 ✅ +30  62 💤 ±0  0 ❌ ±0 

Results for commit ddfa37f. ± Comparison against base commit 500e859.

♻️ This comment has been updated with latest results.

When using PUSH with websocket transport, the atmosphere wrapped request
can be a no-op implementation whose isUserInRole method always returns
false, causing, for example, wrong access checking during navigation.
This change falls back to Spring Security for role checking when PUSH
transport is websocket.
It also fixes some tests in order to propagate the Spring Security context
when starting threads that perform UI operations.

References psi#123
Part of #11026
@mcollovati mcollovati force-pushed the cherry/cherrypick-20679-to-24.4 branch from 6053ccd to ddfa37f Compare December 16, 2024 07:27
@mcollovati mcollovati merged commit 0112560 into 24.4 Dec 16, 2024
25 of 26 checks passed
@mcollovati mcollovati deleted the cherry/cherrypick-20679-to-24.4 branch December 16, 2024 07:47
@vaadin-bot
Collaborator

This ticket/PR has been released with Vaadin 24.4.21.
