tomcat-users mailing list archives

From André Warnier
Subject Re: Does JSR-356 provide a way for a client to pass security info on connect?
Date Wed, 04 Sep 2013 19:59:29 GMT
Bob DeRemer wrote:
> I'm curious if there's anything defined in JSR-356 to enable a client to pass some security
> claims in the connect that would allow me to perform an auth check - prior to actually establishing
> the websocket connection.
> In an attempt to avoid a websocket DOS, I'm looking to see whether we can do an auth
> check in the ServerEndpoint onOpen (or, possibly at an earlier stage) - before the actual
> websocket gets established.  I know we can do this at the application level in the onMessage,
> but it'd be good to handle this before setting up the actual websocket if possible.

From a not really websocket specialist:
As I recall, a websocket link starts with a normal HTTP request, which then gets upgraded
to a websocket connection.  So it should be possible to do AAA at the initial HTTP stage,
no?

From an earlier thread a couple of weeks (?) ago, it seems however difficult to retrieve
some of that HTTP-level information later, when the websocket connection is established.
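
Added example, not part of the original message or of Tomcat's own code: one way to run the auth check on the initial HTTP upgrade request, as the reply suggests, using a servlet filter, with a second check in the endpoint's onOpen. It assumes container-managed authentication has already populated the user principal, that the filter runs before the container's WebSocket upgrade handling, and that the endpoint lives under the hypothetical path `/ws/`; the class names are hypothetical too.

```java
// file: WsHandshakeAuthFilter.java (hypothetical name)
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/ws/*") // assumed URL space of the WebSocket endpoints
public class WsHandshakeAuthFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        boolean upgrade = "websocket".equalsIgnoreCase(http.getHeader("Upgrade"));
        // Reject unauthenticated upgrade requests while they are still plain HTTP,
        // so no WebSocket session or endpoint instance is ever created for them.
        if (upgrade && http.getUserPrincipal() == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
}

// file: SecuredEndpoint.java (hypothetical name)
import java.io.IOException;
import javax.websocket.CloseReason;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

@ServerEndpoint("/ws/secured")
public class SecuredEndpoint {
    @OnOpen
    public void onOpen(Session session) throws IOException {
        // Defense in depth: JSR-356 exposes the authenticated user of the
        // handshake request on the session; close if it is missing.
        if (session.getUserPrincipal() == null) {
            session.close(new CloseReason(
                CloseReason.CloseCodes.VIOLATED_POLICY, "unauthenticated"));
        }
    }
}
```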
