I am using SimpUserRegistry
to get online user-count (with getUserCount()
). And it is working good on my local machines but not on AWS EC2 instances (tried with Amazon Linux and Ubuntu) with just elastic IP and no load balancer.
The problem on EC2 is that some users, when connected, are never added to the registry and thus I get wrong results.
I have session listeners, for SessionConnectedEvent
and SessionDisconnectEvent
, where I use the SimpUserRegistry
(autowired) to get the user presence. If it matters, I am also SimpUserRegistry
is a messaging controller.
Below is the websocket message broker config:
@Order(Ordered.HIGHEST_PRECEDENCE + 99)
@RequiredArgsConstructor(onConstructor = @__(@Autowired))
public class WebSocketMessageBrokerConfig extends AbstractWebSocketMessageBrokerConfigurer {
private SecurityChannelInterceptor securityChannelInterceptor;
public void configureMessageBroker(MessageBrokerRegistry config) {
ThreadPoolTaskScheduler threadPoolTaskScheduler = new ThreadPoolTaskScheduler();
config.enableSimpleBroker("/queue/", "/topic/")
.setHeartbeatValue(new long[] {1000, 1000});
public void registerStompEndpoints(StompEndpointRegistry registry) {
public void configureClientInboundChannel(ChannelRegistration registration) {
And below is the channel interceptor used in above config class:
@RequiredArgsConstructor(onConstructor = @__(@Autowired))
public class SecurityChannelInterceptor extends ChannelInterceptorAdapter {
private SecurityService securityService;
private String authTokenHeader;
public Message<?> preSend(Message<?> message, MessageChannel channel) {
StompHeaderAccessor accessor = MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
StompCommand command = accessor.getCommand();
if (StompCommand.CONNECT.equals(command)) {
List<String> authTokenList = accessor.getNativeHeader(authTokenHeader);
if (authTokenList == null || authTokenList.isEmpty()) {
throw new AuthenticationFailureException("STOMP " + command + " missing " + this.authTokenHeader + " header!");
String accessToken = authTokenList.get(0);
AppAuth authentication = securityService.authenticate(accessToken);
log.info("STOMP {} authenticated. Authentication Token = {}", command, authentication);
Principal principal = accessor.getUser();
if (principal == null) {
throw new RuntimeException("StompHeaderAccessor did not set the authenticated User for " + authentication);
return message;
I also have following scheduled task which simply prints the user names every two seconds:
@AllArgsConstructor(onConstructor = @__(@Autowired))
public class UserRegistryLoggingTask {
private SimpUserRegistry simpUserRegistry;
@Scheduled(fixedRate = 2000)
public void logUsersInUserRegistry() {
Set<String> userNames = simpUserRegistry.getUsers().stream().map(u -> u.getName()).collect(Collectors.toSet());
log.info("UserRegistry has {} users with IDs {}", userNames.size(), userNames);
And some user names never show up even when connected.
The implementation of SecurityService
class -
@AllArgsConstructor(onConstructor = @__(@Autowired))
public class SecurityService {
private UserRepository userRepository;
private UserCredentialsRepository userCredentialsRepository;
private JwtHelper jwtHelper;
public User getUser() {
AppAuth auth = (AppAuth) SecurityContextHolder.getContext().getAuthentication();
User user = (User) auth.getUser();
return user;
public AppAuth authenticate(String accessToken) {
String username = jwtHelper.tryExtractSubject(accessToken);
if (username == null) {
throw new AuthenticationFailureException("Invalid access token!");
User user = userRepository.findByUsername(username);
if (user == null) {
throw new AuthenticationFailureException("Invalid access token!");
AppAuth authentication = new AppAuth(user);
return authentication;
Following is an example of SockJS logs on browser -
Correct response from server with user-name
Incorrect response from server with no user-name
I have also verified that the SecurityChannelInterceptor
is authenticating all the users, even when the user-name
is not in the CONNECTED
I deployed the app on heroku. And the issue is happening there as well.
When issue occurs, user
in SessionConnectEvent
is the one set by SecurityChannelInterceptor
but user
in SessionConnectedEvent
is null
class -
public class AppAuth implements Authentication {
private final User user;
private final Collection<GrantedAuthority> authorities;
public AppAuth(User user) {
this.user = user;
this.authorities = Collections.singleton((GrantedAuthority) () -> "USER");
public User getUser() {
return this.user;
public String getName() {
return user.getId();
public Collection<? extends GrantedAuthority> getAuthorities() {
return authorities;
public Object getCredentials() {
return null;
public Object getDetails() {
return null;
public Object getPrincipal() {
return new Principal() {
public String getName() {
return user.getId();
public boolean isAuthenticated() {
return true;
public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
I was able to track the issue after some debugging by adding a few logger statements in the StompSubProtocolHandler
After finding the cause, conclusion was that a channel-interceptor is not a correct place to authenticate an user. At least for my use-case.
Following are some of the code snippets from StompSubProtocolHandler
The handleMessageFromClient
method adds the user to the stompAuthentications
map and publishes a SessionConnectEvent
event -
public void handleMessageFromClient(WebSocketSession session, WebSocketMessage<?> webSocketMessage, MessageChannel outputChannel) {
boolean sent = outputChannel.send(message);
if (sent) {
if (isConnect) {
Principal user = headerAccessor.getUser();
if (user != null && user != session.getPrincipal()) {
this.stompAuthentications.put(session.getId(), user);
if (this.eventPublisher != null) {
if (isConnect) {
publishEvent(new SessionConnectEvent(this, message, getUser(session)));
And the handleMessageToClient
retrieves the user from the stompAuthentications
map and publishes a SessionConnectedEvent
public void handleMessageToClient(WebSocketSession session, Message<?> message) {
SimpAttributes simpAttributes = new SimpAttributes(session.getId(), session.getAttributes());
Principal user = getUser(session);
publishEvent(new SessionConnectedEvent(this, (Message<byte[]>) message, user));
method used by above methods -
private Principal getUser(WebSocketSession session) {
Principal user = this.stompAuthentications.get(session.getId());
return user != null ? user : session.getPrincipal();
Now, the problem occurs when the handleMessageToClient
snippet executes before the handleMessageFromClient
snippet. In this case, user is never added to the DefaultSimpUserRegistry
, as it only checks the SessionConnectedEvent
Below is the event listener snippet from DefaultSimpUserRegistry
public void onApplicationEvent(ApplicationEvent event) {
else if (event instanceof SessionConnectedEvent) {
Principal user = subProtocolEvent.getUser();
if (user == null) {
The solution is to extend DefaultHandshakeHandler
and override determineUser
method, which is based on this answer. But, as I am using SockJS, this requires the client to send auth-token as a query parameter. And the reason for the query parameter requirement is discussed here.