tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Does JSR-356 provide a way for a client to pass security info on connect?
Date Wed, 04 Sep 2013 19:59:29 GMT
Bob DeRemer wrote:
> I'm curious if there's anything defined in JSR-356 to enable a client to pass some security claims in the connect that would allow me to perform an auth check - prior to actually establishing the websocket connection.
> 
> In an attempt to avoid a websocket DOS, I'm looking to see whether we can do an auth check in the ServerEndpoint onOpen (or, possibly at an earlier stage) - before the actual websocket gets established.  I know we can do this at the application level in the onMessage, but it'd be good to handle this before setting up the actual websocket if possible.
> 
From a not really websocket specialist:
As I recall, a websocket link starts with a normal HTTP request, which then gets upgraded to a websocket connection.  So it should be possible to do AAA at the initial HTTP stage, no?

From an earlier thread a couple of weeks (?) ago, it seems however difficult to retrieve some of that HTTP-level information later, when the websocket connection is established.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
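
An added example, not part of the original message or of Tomcat's code: one way to apply the reply's suggestion of doing the auth check at the initial HTTP stage is a servlet filter that refuses unauthenticated upgrade requests before any websocket is set up. The class name and the `/ws/*` mapping are hypothetical, and it assumes the container (or an earlier filter) has already authenticated the user so that `getUserPrincipal()` is populated, and that this filter runs before the container's upgrade handling.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; "/ws/*" is an assumed path under which the
// websocket endpoints are deployed.
@WebFilter("/ws/*")
public class WebSocketAuthFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A websocket handshake is an HTTP GET carrying "Upgrade: websocket".
        boolean isUpgrade = "websocket".equalsIgnoreCase(request.getHeader("Upgrade"));

        // Reject the handshake while it is still plain HTTP, so no endpoint
        // instance or websocket session is created for an unauthenticated caller.
        if (isUpgrade && request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated (or not an upgrade request): continue down the chain.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```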