From cd67010518675a67c15d8e3cd5245e43e3f16835 Mon Sep 17 00:00:00 2001
From: rstoyanchev
Date: Wed, 5 Nov 2025 10:12:00 +0000
Subject: [PATCH] Update Principal check in TransportHandlingSockJsService

Closes gh-35753
---
 .../transport/TransportHandlingSockJsService.java | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
index 70fb9e81d2b..0c98eeb1525 100644
--- a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
+++ b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
@@ -303,10 +303,15 @@ public class TransportHandlingSockJsService extends AbstractSockJsService implem
 }
 else {
 Principal principal = session.getPrincipal();
- if (principal != null && !principal.equals(request.getPrincipal())) {
- logger.debug("The user for the session does not match the user for the request.");
- response.setStatusCode(HttpStatus.NOT_FOUND);
- return;
+ if (principal != null) {
+ // Compare usernames, not full equality (different login timestamps)
+ Principal currentPrincipal = request.getPrincipal();
+ if (!principal.equals(currentPrincipal) &&
+ (currentPrincipal == null || !principal.getName().equals(currentPrincipal.getName()))) {
+ logger.debug("The user for the session does not match the user for the request.");
+ response.setStatusCode(HttpStatus.NOT_FOUND);
+ return;
+ }
 }
 if (!transportHandler.checkSessionType(session)) {
 logger.debug("Session type does not match the transport type for the request.");
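Review bot: The fallback in the new inner `if` reduces the session-ownership check to `getName()` equality, so any two Principal objects that report the same name are now accepted as the same user. That is only sound if names are unique across every authentication source the application accepts, and the comment should state that assumption instead of mentioning only login timestamps. `principal.getName()` is also dereferenced without a null check, so a Principal implementation that returns a null name would throw here rather than produce the 404. Reading it into a local and rejecting null (`String name = principal.getName();` then `name == null || !name.equals(currentPrincipal.getName())`) keeps the check failing closed. The diffstat lists only this file, so a test covering same-name/different-object and different-name principals appears to be missing; the enclosing method begins and ends outside the hunk.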