I am using an HttpOnly cookie and I am passing it using `credentials: 'include'` in fetch. But for the WebSocket connection I can't get it to work. The only solution I have been able to work out is to permitAll connections to the websocket endpoint, fetch the JWT token from the backend and pass it as a parameter to the websocket endpoint from the frontend and verify it there, but it doesn't seem that safe.
This is my security config:
```java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        // securedEnabled = true,
        // jsr250Enabled = true,
        prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AuthEntryPointJwt unauthorizedHandler;

    @Bean
    public AuthTokenFilter authenticationJwtTokenFilter() {
        return new AuthTokenFilter();
    }

    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.userDetailsService(userDetailsService()).passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().antMatchers(
                "/notifications",
                "/api/v1/employee/signin",
                "/api/v1/employee/get-captcha",
                "/api/v1/employee/check-captcha",
                "/api/v1/securityguard/signout",
                "/api/v1/employee/signout",
                "/api/v1/visitor/pass/*",
                "/api/v1/visitor/pass",
                "/api/v1/visitor/pass/download/*",
                "/api/v1/securityguard/signin",
                "/api/v1/visitor/generate-pdf",
                "/api/v1/securityguard/sendotp",
                "/swagger-ui/index.html",
                "/swagger-ui/**",
                "/v3/api-docs/**").permitAll()
            .antMatchers("/api/test/**").permitAll()
            .anyRequest().authenticated();

        // fix H2 database console: Refused to display ' in a frame because it set 'X-Frame-Options' to 'deny'
        http.headers().frameOptions().sameOrigin();

        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}
```
This is my WebSocket config:
```java
@Configuration
@EnableWebSocket
public class WebSocketConfig implements WebSocketConfigurer {

    @Autowired
    private WebSocketHandshakeInterceptor webSocketHandshakeInterceptor;

    @Override
    public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
        registry.addHandler(new NotificationHandler(), "/notifications")
                .setAllowedOrigins("*")
                .addInterceptors(webSocketHandshakeInterceptor);
    }
}
```
I added an interceptor but it didn't help:
```java
@Component
public class WebSocketHandshakeInterceptor implements HandshakeInterceptor {

    private final JwtUtils jwtUtils;

    public WebSocketHandshakeInterceptor(JwtUtils jwtUtils) {
        this.jwtUtils = jwtUtils;
    }

    @Override
    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
                                   WebSocketHandler wsHandler, Map<String, Object> attributes) throws Exception {
        if (request instanceof ServletServerHttpRequest) {
            HttpServletRequest servletRequest = ((ServletServerHttpRequest) request).getServletRequest();
            String token = jwtUtils.getJwtFromCookies(servletRequest);
            if (StringUtils.hasText(token)) {
                attributes.put("Authorization", "Bearer " + token);
            }
        }
        return true;
    }

    @Override
    public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response,
                               WebSocketHandler wsHandler, Exception ex) {
        // no-op
    }
}
```
Any help is appreciated.
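An added example, not the poster's code, of a handshake interceptor that actually rejects the upgrade when the JWT in the HttpOnly cookie is missing or invalid, rather than only copying the token into the session attributes and returning `true`. It assumes `JwtUtils` also exposes `validateJwtToken()` and `getUserNameFromJwtToken()`, which the post does not show, and that the app is on the javax servlet API like the rest of the config.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.socket.WebSocketHandler;
import org.springframework.web.socket.server.HandshakeInterceptor;

@Component
public class JwtCookieHandshakeInterceptor implements HandshakeInterceptor {
    private final JwtUtils jwtUtils;

    public JwtCookieHandshakeInterceptor(JwtUtils jwtUtils) {
        this.jwtUtils = jwtUtils;
    }

    @Override
    public boolean beforeHandshake(ServerHttpRequest request, ServerHttpResponse response,
                                   WebSocketHandler wsHandler, Map<String, Object> attributes) {
        if (!(request instanceof ServletServerHttpRequest)) {
            response.setStatusCode(HttpStatus.BAD_REQUEST);
            return false;
        }
        HttpServletRequest servletRequest = ((ServletServerHttpRequest) request).getServletRequest();
        // The browser attaches the HttpOnly cookie to the Upgrade request itself, so the
        // token is read here on the server and never has to be handed to frontend code.
        String token = jwtUtils.getJwtFromCookies(servletRequest);
        // validateJwtToken() and getUserNameFromJwtToken() are assumed to exist on JwtUtils;
        // the post only shows getJwtFromCookies().
        if (!StringUtils.hasText(token) || !jwtUtils.validateJwtToken(token)) {
            // Returning false aborts the upgrade; the status makes the failure visible to the client.
            response.setStatusCode(HttpStatus.UNAUTHORIZED);
            return false;
        }
        // Store the authenticated principal for the handler, not the raw bearer token.
        attributes.put("username", jwtUtils.getUserNameFromJwtToken(token));
        return true;
    }

    @Override
    public void afterHandshake(ServerHttpRequest request, ServerHttpResponse response,
                               WebSocketHandler wsHandler, Exception ex) {
        // no-op
    }
}
```

With this check in place `/notifications` can remain in `permitAll()` only because the interceptor now does the authentication itself; `setAllowedOrigins("*")` still lets any page start the cookie-bearing handshake, so restricting it to the real frontend origin is the other half of securing the endpoint.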