I'm trying to use Spring Security with websockets. As an example I'm using spring-websocket-chat (https://github.com/salmar/spring-websocket-chat) — demo application from talk "Deep dive into websockets". In that application CookieHttpSessionStrategy uses for storing session id, stored during authentication cookie is sending with /info request. Here are code that demonstrates connecting to server via sockjs (this request sends cookies) https://github.com/salmar/spring-websocket-chat/blob/master/src/main/webapp/js/services.js. I wrote my own client that uses sockjs and stomp but there are no cookies sending during /info request. Here are my code

$connectButton.click(function () {
    var serverHost = $host.val();
    console.log("sockjs created");
    stomp = Stomp.over(new SockJS(serverHost));
    console.log("stomp over");
    stomp.connect({},
        function () {
            console.log("connected");
        },
        function () {
            console.log("error");
        })
    console.log("pressed");
});

As far as I know you cannot pass cookies to SockJS (especially with Same-origin policy). However with the latest SockJS 1.0.3 you can pass query parameters as a part of connection URL. Thus you can send some JWT token to authorize a session.

  var socket = new SockJS('http://localhost/ws?token=AAA');
  var stompClient = Stomp.over(socket);
  stompClient.connect({}, function(frame) {
      stompClient.subscribe('/topic/echo', function(data) {
        // topic handler
      });
    }
  }, function(err) {
    // connection error
  });

Now all the requests related to websocket will have parameter "?token=AAA"

http://localhost/ws/info?token=AAA&t=1446482506843

http://localhost/ws/515/z45wjz24/websocket?token=AAA

Then with Spring you can setup some filter which will identify a session using provided token.

PS cookies are picked up automatically when same origin for UI and server.