Vaadin 23.2 Upgrade Custom WebSocket Not Working

I upgraded my project to Vaadin 23.2 and also updated the Security Configuration to the new VaadinWebSecurity. I did not change anything in the config.

Since then my custom WebSocket is returning the following when connecting (and therefore not working anymore):

for(;;);[{"meta":{"async":true,"sessionExpired":true}}]

This seems like some Vaadin related response. Maybe Vaadin is overwriting my custom socket configuration.

WebSocket

    @Configuration
    @EnableWebSocket
    @RequiredArgsConstructor
    public class WebsocketConfig implements WebSocketConfigurer {

        private final WebsocketHandler websocketHandler;

        @Override
        public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
            registry
                    .addHandler(websocketHandler, SecurityConfiguration.WEBSOCKET)
                    .setAllowedOriginPatterns("*")
                    .addInterceptors(new HandshakeInterceptor() {
    ...

Vaadin doesn’t overwrite it, but it’s highly possible that you have to change something because of the Spring Security change to SecurityFilterChain. Looks like Ordering could be a problem here.

My http configure looks something like this. I am not sure what to change.

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);

        http.authorizeRequests()
                .antMatchers(WEBSOCKET+"/**").permitAll();

        super.configure(http);

        setLoginView(http, LoginView.class, "/login");

        http.csrf().disable();
    }

You can create your own SecurityFilterChain with a higher order.

But then I cannot use VaadinWebSecurity, which means I have to copy the logic of this class which is also not working since it is using internal functions.

That’s not true - Vaadin’s new VaadinWebSecurity is based on SecurityFilterChain as well and therefore multiple SecurityFilterChain can be registered and used in conjunction.

I am not able to figure out how to get it running.
I created a simple sample application here.

If anyone has an idea how to correctly register the custom WebSocket Handler in another SecurityFilterChain let me know.

Update for anyone else looking:
This is a bug, workaround available:
https://github.com/vaadin/flow/issues/14602
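
What the replies above mean by a separate SecurityFilterChain with a higher order, as an added example that is not part of the original thread and is not the workaround from the linked issue. It assumes the Spring Security 5.7 API; the class name and the "/websocket" path are placeholders, since the thread does not show the value of SecurityConfiguration.WEBSOCKET.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class; it sits beside the VaadinWebSecurity subclass, not in place of it.
@Configuration
public class WebsocketSecurityConfig {

    // Placeholder value (assumption): the real SecurityConfiguration.WEBSOCKET is not shown.
    static final String WEBSOCKET = "/websocket";

    // A lower @Order value means higher precedence: this chain is consulted
    // before any chain that has a larger value or no @Order at all.
    @Bean
    @Order(1)
    public SecurityFilterChain websocketFilterChain(HttpSecurity http) throws Exception {
        http
            // Restrict this chain to the handshake path. Every other request
            // falls through to the next SecurityFilterChain in the list.
            .antMatcher(WEBSOCKET + "/**")
            // No authentication is enforced here, so the handler or its
            // HandshakeInterceptor has to authenticate the client itself.
            .authorizeRequests(auth -> auth.anyRequest().permitAll());
        // CSRF stays enabled: the WebSocket handshake is a GET, which the
        // default CsrfFilter does not check. Cross-site protection for the
        // socket comes from the Origin check in the WebSocketConfigurer, so
        // setAllowedOriginPatterns("*") should be narrowed to the origins
        // that are actually expected to connect.
        return http.build();
    }
}
```

With the exemption scoped to its own chain, the `permitAll` rule for the WebSocket path no longer has to live in the `VaadinWebSecurity` subclass.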