Summary

I want to authorize topic subscription by topic name. .simpSubscribeDestMatchers("/topic/list/{location}/**") .access("@webSecurity.checkLocation(authentication,#location)")

Actual Behavior

My location parameter is not passed to webSecurity.checkLocation(). The method is called, but the parameter is null.

Expected Behavior

Correct, non-null, location parameter passed to webSecurity.checkLocation() method. According to the documentation this is possible for antMatchers
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#el-access-web-path-variables

Please suggest workarounds if exist.

Configuration

@Configuration
public class WebSocketSecurityConfig extends AbstractSecurityWebSocketMessageBrokerConfigurer {

    @Override
    protected boolean sameOriginDisabled() {
        return true;
    }

    @Override
    protected void configureInbound(MessageSecurityMetadataSourceRegistry messages) {
        messages //
                .nullDestMatcher().authenticated() //
                .simpDestMatchers("/app/**").authenticated() //
                .simpSubscribeDestMatchers("/topic/list/{location}/**")
                      .access("@webSecurity.checkLocation(authentication,#location)") //
                .anyMessage().denyAll();
    }
}

Version

compile group: 'org.springframework.security.oauth', name: 'spring-security-oauth2', version: '2.1.1.RELEASE'

compile group: 'org.springframework.security', name: 'spring-security-messaging', version: '4.2.3.RELEASE'

Sample