From 01231fe923659cfef2cb1e91b8b15ae6caf0da01 Mon Sep 17 00:00:00 2001 From: rstoyanchev Date: Wed, 12 Jan 2022 07:20:58 +0000 Subject: [PATCH] Minor refactoring in STOMP documentation Closes gh-27906 --- src/docs/asciidoc/web/websocket.adoc | 30 ++++++++++++++++------------ 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/src/docs/asciidoc/web/websocket.adoc b/src/docs/asciidoc/web/websocket.adoc index 74f4a0765840..c943dbe82756 100644 --- a/src/docs/asciidoc/web/websocket.adoc +++ b/src/docs/asciidoc/web/websocket.adoc 
@@ -1724,19 +1724,11 @@ HTTP session (which is then associated with WebSocket or SockJS sessions created for that user) and results in a user header being stamped on every `Message` flowing through the application. -Note that the STOMP protocol does have `login` and `passcode` headers -on the `CONNECT` frame. Those were originally designed for and are still needed, -for example, for STOMP over TCP. However, for STOMP over WebSocket, by default, -Spring ignores authorization headers at the STOMP protocol level, assumes that -the user is already authenticated at the HTTP transport level, and expects that -the WebSocket or SockJS session contain the authenticated user. - -NOTE: Spring Security provides -https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization] -that uses a `ChannelInterceptor` to authorize messages based on the user header in them. -Also, Spring Session provides -https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration] -that ensures the user's HTTP session does not expire while the WebSocket session is still active. +The STOMP protocol does have `login` and `passcode` headers on the `CONNECT` frame. +Those were originally designed for and are needed for STOMP over TCP. However, for STOMP +over WebSocket, by default, Spring ignores authentication headers at the STOMP protocol +level, and assumes that the user is already authenticated at the HTTP transport level. +The expectation is that the WebSocket or SockJS session contain the authenticated user. 
@@ -1814,6 +1806,18 @@ its own implementation of `WebSocketMessageBrokerConfigurer` that is marked with +[[websocket-stomp-authorization]] +=== Authorization + +Spring Security provides +https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-authorization[WebSocket sub-protocol authorization] +that uses a `ChannelInterceptor` to authorize messages based on the user header in them. +Also, Spring Session provides +https://docs.spring.io/spring-session/reference/web-socket.html[WebSocket integration] +that ensures the user's HTTP session does not expire while the WebSocket session is still active. + + + [[websocket-stomp-user-destination]] === User Destinations
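Review bot: In the first hunk (`@@ -1724,19 +1724,11 @@`), the rewritten paragraph now ends at "The expectation is that the WebSocket or SockJS session contain the authenticated user." with no pointer to where message-level authorization is covered, since the removed `NOTE:` about Spring Security was the only mention; consider closing the paragraph with a cross-reference such as `See <<websocket-stomp-authorization>> for authorizing individual messages.` so a reader who stops here does not conclude that the HTTP-level check is the only control. The change from "authorization headers" to "authentication headers" for `login` and `passcode` is the right correction, as those headers carry credentials rather than permissions.

Review bot: In the second hunk (`@@ -1814,6 +1806,18 @@`), the new `=== Authorization` section mixes two concerns: the Spring Security sentence is about authorizing messages "based on the user header in them", but the Spring Session sentence ("ensures the user's HTTP session does not expire while the WebSocket session is still active") is about session lifetime, not authorization. Consider keeping the Spring Session reference with the authentication text in the first hunk, or stating in this section that the authorization interceptor only works when the user header has been stamped by the HTTP-level authentication described above, so the dependency between the two sections is explicit. Minor: the hunk adds two blank lines plus the existing one before `[[websocket-stomp-user-destination]]`; check that three blank lines matches the spacing used between the other sections in `websocket.adoc`.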