I have a spring-boot websocket connection which sits behind spring-security-kerberos to achieve SSO. This works as expected but if I restart the server I see clients fail to re-connect with the error "Error during WebSocket handshake: Incorrect 'Sec-WebSocket-Accept' header value".
I am using @stomp/stompjs 4.0.8 and setting stompClient.reconnect_delay = 5000.
Is there any way to solve this? I am concerned that running this behind a load balancer would cause this error to occur all the time.
This is based on the messaging-stomp-websocket example + spring-security websocket-authentication
It appears that spring-security-web RequestCacheAwareFilter
extracts a cached request which results in the actual Sec-WebSocket-Key header value being replaced with an invalid one.
The sequence of events is that each time the client attempts a re-connect the client makes two websocket requests: the first is rejected with a WWW-Authenticate: Negotiate header, and the second, which contains an Authorization header, has a different Sec-WebSocket-Key value.
I was able to resolve this by disabling caching completely, e.g. within a WebSecurityConfigurerAdapter:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.savedrequest.NullRequestCache;

@Override
protected void configure(final HttpSecurity http) throws Exception {
    // NullRequestCache stops RequestCacheAwareFilter from replaying the first (401'd) upgrade
    // request, so the live Sec-WebSocket-Key is the one the server answers.
    http.requestCache().requestCache(new NullRequestCache());
}
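To see why a replayed request produces exactly this browser error, the following added Python script (not code from the question, the answer, or Spring Security) reproduces the RFC 6455 handshake arithmetic: the server must return Sec-WebSocket-Accept = base64(SHA-1(key + GUID)) for the key the client actually sent. The keys in simulate_reconnect are constructed values, not captured traffic; the function models the two-request Negotiate flow described above, once with a server that answers the cached first request and once with one that answers the live second request. The same websocket_accept helper can be pointed at a real Sec-WebSocket-Key / Sec-WebSocket-Accept pair from a browser's network tab to check whether a server or load balancer is replaying a stale upgrade request.

```python
import base64
import hashlib

# RFC 6455 section 4.2.2: the server appends this fixed GUID to the client's
# Sec-WebSocket-Key, SHA-1 hashes the result and base64-encodes the digest.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def websocket_accept(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept value a compliant server must return for the given key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def client_checks_handshake(sent_key: str, accept_header: str) -> bool:
    """The check every WebSocket client performs: the upgrade is rejected unless
    the Accept header matches the key this particular request carried."""
    return accept_header == websocket_accept(sent_key)


def simulate_reconnect(server_replays_cached_request: bool) -> dict:
    """Model the two-request SPNEGO flow on reconnect (constructed keys, not real traffic).

    Request 1: anonymous upgrade, answered with 401 and WWW-Authenticate: Negotiate.
    Request 2: the same upgrade with an Authorization header, but the client generates
               a fresh 16-byte nonce, so Sec-WebSocket-Key differs from request 1.
    A server whose request cache replays request 1 computes Accept from the stale key
    and the client rejects the handshake with "Incorrect 'Sec-WebSocket-Accept' header value".
    """
    key_first_attempt = base64.b64encode(b"constructed-key1").decode("ascii")   # 16 bytes, constructed
    key_second_attempt = base64.b64encode(b"constructed-key2").decode("ascii")  # 16 bytes, constructed

    key_used_by_server = key_first_attempt if server_replays_cached_request else key_second_attempt
    accept_returned = websocket_accept(key_used_by_server)

    return {
        "handshake_ok": client_checks_handshake(key_second_attempt, accept_returned),
        "accept_returned": accept_returned,
        "expected_by_client": websocket_accept(key_second_attempt),
    }


if __name__ == "__main__":
    for replay in (True, False):
        result = simulate_reconnect(replay)
        print(f"server replays cached request={replay}: handshake_ok={result['handshake_ok']} "
              f"(got {result['accept_returned']}, client expected {result['expected_by_client']})")
```

With replay enabled the two Accept values differ and handshake_ok is False, which is the failure mode the question reports; with NullRequestCache (or any server that answers the live request) they match. Any intermediary that caches or replays the first upgrade request, not just RequestCacheAwareFilter, will produce the same mismatch.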