Error during WebSocket handshake: Incorrect 'Sec-WebSocket-Accept' header value

Question

I have a spring-boot websocket connection which sits behind spring-security-kerberos to achieve SSO. This works as expected but if I restart the server I see clients fail to re-connect with the error Error during WebSocket handshake: Incorrect 'Sec-WebSocket-Accept' header value.

I am using @stomp/stompjs 4.0.8 and setting stompClient.reconnect_delay = 5000

Is there any way to solve this? I am concerned that running this behind a load balancer would cause this error to occur all the time.

This is based on the messaging-stomp-websocket example + spring-security websocket-authentication

don't have an answer for you but I'm having a similar problem which _seems_ to disappear when I remove the reconnect attempts entirely. — martin jakubik, Sep 24 '18 at 14:34
Well the problem goes away in the sense that stompjs doesn't attempt to re-connect so doesn't use a stale header... Are you suggesting doing the re-connect manually? — Jon Freedman, Sep 24 '18 at 15:09

score 2 · Accepted Answer · answered Dec 06 '18 at 09:36

It appears that spring-security-web RequestCacheAwareFilter extracts a cached request which results in the actual Sec-WebSocket-Key header value being replaced with an invalid one.

The sequence of events is that each time the client attempts a re-connect the client makes two websocket requests, the first is rejected with a WWW-Authenticate: Negotiate header and the second which contains a Authorization header has a different Sec-WebSocket-Key value.

I was able to resolve this by disabling caching completely, e.g. within a WebSecurityConfigurerAdapter

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http.requestCache().requestCache(new NullRequestCache())
}

Error during WebSocket handshake: Incorrect 'Sec-WebSocket-Accept' header value

1 Answers1