Hello,
I’m trying out how to secure the websocket communication between a SPA and a Spring Java
backend. According to the specification it’s not possible to set the authorization header
in the initial HTTP communication. Instead it’s often suggested to perform authentication
and authorization in the STOMP communication afterwards.
I looked a bit at Keycloak's Spring Security adapter, but it seems to be very focused on
the HttpFacade and I'm wondering if the right way forward is to fake this interface for
STOMP or somehow re-implement something that validates the token similarly.
Here’s a link to Spring’s docs that leaves open the part about using the token from
STOMP’s headers:
https://github.com/spring-projects/spring-framework/blob/master/src/docs/...
Here's a Stack Overflow question about the problem. I'm not very fond of the alternative of
sending the token in the request's URL as a query parameter, but it is indeed working
correctly:
https://stackoverflow.com/questions/30887788/json-web-token-jwt-with-spri...
Best regards,
Tim Benke
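The approach the post alludes to, taking the bearer token from the STOMP CONNECT frame's headers and validating it on the server, can be done with a Spring `ChannelInterceptor` on the client inbound channel. The following is an added example and is not code from the original post, from Spring, or from Keycloak. It assumes a Spring Security 5 `JwtDecoder` bean is available (for Keycloak this would be a `NimbusJwtDecoder` built from the realm's JWKS endpoint; the decoder, the class name `StompJwtConfig`, and the `realm_access.roles` claim layout are assumptions, and the claim-to-authority mapping is illustrative). The SPA side sends the token as a STOMP connect header (for example `Authorization: Bearer <token>` in stomp.js `connectHeaders`), which keeps it out of the URL and therefore out of access logs and browser history.

```java
import java.security.Principal;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

// Hypothetical configuration class (assumption): authenticates the STOMP session
// from the bearer token carried in the CONNECT frame's native headers.
// The @Order places this interceptor ahead of Spring Security's own channel
// interceptors so the Principal is set before authorization checks run.
@Configuration
@EnableWebSocketMessageBroker
@Order(Ordered.HIGHEST_PRECEDENCE + 99)
public class StompJwtConfig implements WebSocketMessageBrokerConfigurer {

    // Assumed to be provided elsewhere, e.g. NimbusJwtDecoder.withJwkSetUri(<realm JWKS URL>).build();
    // the decoder verifies signature and expiry, which is the part the question asks about.
    private final JwtDecoder jwtDecoder;

    public StompJwtConfig(JwtDecoder jwtDecoder) {
        this.jwtDecoder = jwtDecoder;
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        registration.interceptors(new ChannelInterceptor() {
            @Override
            public Message<?> preSend(Message<?> message, MessageChannel channel) {
                StompHeaderAccessor accessor =
                        MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);
                // Only the CONNECT frame carries the token; later frames reuse the
                // Principal that Spring associates with the WebSocket session.
                if (accessor != null && StompCommand.CONNECT.equals(accessor.getCommand())) {
                    String header = accessor.getFirstNativeHeader("Authorization");
                    if (header == null || !header.startsWith("Bearer ")) {
                        // Throwing here makes Spring send an ERROR frame and close the connection.
                        throw new IllegalArgumentException("Missing bearer token in STOMP CONNECT");
                    }
                    Jwt jwt;
                    try {
                        jwt = jwtDecoder.decode(header.substring("Bearer ".length()));
                    } catch (JwtException e) {
                        throw new IllegalArgumentException("Rejected STOMP CONNECT: invalid token", e);
                    }
                    Principal user = new UsernamePasswordAuthenticationToken(
                            jwt.getSubject(), null, authoritiesFrom(jwt));
                    accessor.setUser(user);
                }
                return message;
            }
        });
    }

    // Illustrative mapping of Keycloak realm roles to authorities; the claim layout
    // realm_access.roles is an assumption about the token issuer's configuration.
    @SuppressWarnings("unchecked")
    private static Collection<GrantedAuthority> authoritiesFrom(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection)) {
            return List.of();
        }
        return ((Collection<String>) realmAccess.get("roles")).stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());
    }
}
```

Two points worth checking when adopting this: a token validated at CONNECT time is never re-checked, so a session can outlive the token's expiry unless the server closes sessions itself, and the interceptor must run before Spring Security's messaging interceptors (hence the `@Order`), otherwise `@PreAuthorize` or `AbstractSecurityWebSocketMessageBrokerConfigurer` rules see no Principal and reject the frames.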