tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bob DeRemer <bob.dere...@thingworx.com>
Subject RE: Does JSR-356 provide a way for a client to pass security info on connect?
Date Wed, 04 Sep 2013 21:44:01 GMT


> -----Original Message-----
> From: André Warnier [mailto:aw@ice-sa.com]
> Sent: Wednesday, September 04, 2013 3:59 PM
> To: Tomcat Users List
> Subject: Re: Does JSR-356 provide a way for a client to pass security info on
> connect?
> 
> Bob DeRemer wrote:
> > I'm curious if there's anything defined in JSR-356 to enable a client to pass
> some security claims in the connect that would allow me to perform an auth
> check - prior to actually establishing the websocket connection.
> >
> > In an attempt to avoid a websocket DOS, I'm looking to see whether we can
> do an auth check in the ServerEndpoint onOpen (or, possibly at an earlier
> stage) - before the actual websocket gets established.  I know we can do this at
> the application level in the onMessage, but it'd be good to handle this before
> setting up the actual websocket if possible.
> >
>  From a not really websocket specialist :
> As I recall, a websocket link starts with a normal HTTP request, which then gets
> upgraded to a websocket connection.  So it should be possible to do AAA at the
> initial HTTP stage, no ?
>  From an earlier thread a couple of weeks (?) ago, it seems however difficult to
> retrieve some of that HTTP-level information later, when the websocket
> connection is established.
> 

Exactly what I am hoping to do: the WebSocket spec outlines the HTTP Upgrade handshake process.
 During this handshake, a client should be able to send additional HTTP headers for this exact
purpose (i.e. cookies, auth tokens, etc.).  The server-side just needs an application-level
hook that can be called that can effectively link into the pipeline - allowing/rejecting the
establishment of the connection. 

So, the big question(s): 
1) does the tomcat client-side JSR impl provide a way to pass HTTP headers in the initial
upgrade handshake
2) does the tomcat server-side JSR impl provide a way to hook into the upgrade handshake and
effectively allow/reject the connection

> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message