Update Principal check in TransportHandlingSockJsService

rstoyanchev · rstoyanchev · commit cd6701051867 · 2025-11-05T12:23:59.000Z
Closes gh-35753
diff --git a/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java b/spring-websocket/src/main/java/org/springframework/web/socket/sockjs/transport/TransportHandlingSockJsService.java
@@ -303,10 +303,15 @@ else if (transportType.supportsCors()) {
 			}
 			else {
 				Principal principal = session.getPrincipal();
-				if (principal != null && !principal.equals(request.getPrincipal())) {
-					logger.debug("The user for the session does not match the user for the request.");
-					response.setStatusCode(HttpStatus.NOT_FOUND);
-					return;
+				if (principal != null) {
+					// Compare usernames, not full equality (different login timestamps)
+					Principal currentPrincipal = request.getPrincipal();
+					if (!principal.equals(currentPrincipal) &&
+							(currentPrincipal == null || !principal.getName().equals(currentPrincipal.getName()))) {
+						logger.debug("The user for the session does not match the user for the request.");
+						response.setStatusCode(HttpStatus.NOT_FOUND);
+						return;
+					}
 				}
 				if (!transportHandler.checkSessionType(session)) {
 					logger.debug("Session type does not match the transport type for the request.");
