Spring Disable SpEL selector support in WebSocket messaging by default

Overview

In an effort to reduce the potential for security vulnerabilities in SpEL to adversely affect Spring applications, the team has decided to disable support for evaluating SpEL expressions from untrusted sources by default.

Within the core Spring Framework, this applies to the SpEL-based selector header support in WebSocket messaging, specifically in the DefaultSubscriptionRegistry.

The selector header support will remain in place but will have to be explicitly enabled beginning with Spring Framework 6.1.

We will also investigate alternative approaches to the selector header feature that do not involve SpEL, and we may later decide to deprecate the SpEL-based selector header support in favor of such an alternative.

Deliverables

• [x] Disable SpEL selector support in DefaultSubscriptionRegistry by default.

Comment From: Vishal1297

Hi @sbrannen,

Can you elaborate this issue?

Comment From: sbrannen

@Vishal1297, yes, I will of course add a detailed description of this issue within the coming days. I initially created it as a placeholder for tracking purposes.