I'm securing my WebSocket API with a @WebFilter which authenticate the HTTP request and retrieve the userPrincipal from a datasource, then wrap the request in a HttpServletRequestWrapper which would return the authenticated user and resolve its roles correctly.

I can access that through getUserPrincipal() from the HandshakeRequest in a custom configurator, but Session.getUserPrincipal() always returns null, as if Session was ignoring the wrapped request.