There is a minor bug in the WebSocketServlet#headerContainsToken(HttpServletRequest, String, String) method. It always returns 'true'. The second return (at the bottom of the method body) should return 'false', i.e. there is no match.
Created attachment 28525: headerContainsToken fix
Fixed in trunk and 7.0.x and will be included in 7.0.28 onwards.
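A stand-alone sketch of the token check this report describes, added here as an example and not Tomcat's code or the attached patch. It assumes a simplified signature that takes the header values as a list instead of an HttpServletRequest; the class name and sample header values are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical stand-alone class: header values are passed in directly
// instead of being read from an HttpServletRequest (assumption).
public class HeaderTokenCheck {

    // Returns true only if some header line contains the target as one of
    // its comma-separated tokens, compared case-insensitively.
    static boolean headerContainsToken(List<String> headerValues, String target) {
        for (String header : headerValues) {
            for (String token : header.split(",")) {
                if (target.equalsIgnoreCase(token.trim())) {
                    return true;
                }
            }
        }
        // No token matched: fail closed. Returning true on this line is the
        // defect in the report, because every request then passes the check.
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample header values.
        List<String> withToken = Arrays.asList("keep-alive, Upgrade");
        List<String> withoutToken = Arrays.asList("keep-alive");
        List<String> headerAbsent = Collections.emptyList();

        System.out.println(headerContainsToken(withToken, "upgrade"));
        System.out.println(headerContainsToken(withoutToken, "upgrade"));
        System.out.println(headerContainsToken(headerAbsent, "upgrade"));
    }
}
```

A regression test for this kind of check needs a negative case (header present without the token, and header absent), since positive cases pass with or without the defect.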