Affects Version/s: None
The Spring documentation for registering a custom websocket authentication interceptor has an inaccuracy. For custom OAuth authentication (or any custom authentication), the sample code indicates a security Principal should be set on the StompHeaderAccessor. However, the downstream Spring Security code expects the object set on the StompHeaderAccessor to be of type Authentication rather than Principal. (Note, Authentication is a sub-interface of Principal.)
26.4.11 Token-based Authentication
Code example from documentation:
Current Spring Security Code:
See Line 125
When setting an object of type Principal, the check fails and the security context is set to an anonymous user.
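An interceptor that sets an `Authentication` on CONNECT, so the downstream type check described above passes, could look like the following. This is an added example, not the code from the Spring documentation or from Spring Security; it assumes Spring Framework 5+ (where `ChannelInterceptor` has default methods), and `TokenAuthChannelInterceptor`, `TokenVerifier`, the `Authorization` native header and the `ROLE_USER` authority are hypothetical choices.

```java
import java.util.List;

import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class TokenAuthChannelInterceptor implements ChannelInterceptor {

    /** Hypothetical application-side validator; returns the subject, or null if the token is invalid. */
    public interface TokenVerifier {
        String verifyAndGetSubject(String bearerToken);
    }

    private final TokenVerifier verifier;

    public TokenAuthChannelInterceptor(TokenVerifier verifier) {
        this.verifier = verifier;
    }

    @Override
    public Message<?> preSend(Message<?> message, MessageChannel channel) {
        StompHeaderAccessor accessor =
                MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
        if (accessor != null && StompCommand.CONNECT.equals(accessor.getCommand())) {
            String header = accessor.getFirstNativeHeader("Authorization"); // assumed header name
            if (header == null || !header.startsWith("Bearer ")) {
                throw new BadCredentialsException("Missing bearer token on CONNECT");
            }
            String subject = verifier.verifyAndGetSubject(header.substring("Bearer ".length()));
            if (subject == null) {
                // Fail closed instead of letting the session continue unauthenticated.
                throw new BadCredentialsException("Invalid bearer token on CONNECT");
            }
            List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
            // Authentication (not a bare Principal), built with the authenticated three-argument constructor.
            Authentication auth = new UsernamePasswordAuthenticationToken(subject, null, authorities);
            accessor.setUser(auth);
        }
        return message;
    }
}
```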