Bob DeRemer wrote:
I'm curious if there's anything defined in JSR-356 to enable a client to pass
some security claims in the connect that would allow me to perform an auth
check - prior to actually establishing the websocket connection.
In an attempt to avoid a websocket DOS, I'm looking to see whether we can do an
auth check in the ServerEndpoint onOpen (or, possibly at an earlier stage) -
before the actual websocket gets established. I know we can do this at the
application level in the onMessage, but it'd be good to handle this before
setting up the actual websocket if possible.

From a not really websocket specialist:
As I recall, a websocket link starts with a normal HTTP request, which then gets upgraded
to a websocket connection. So it should be possible to do AAA at the initial HTTP stage, no?
From an earlier thread a couple of weeks (?) ago, it seems however difficult to retrieve
some of that HTTP-level information later, when the websocket connection is established.
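
The HTTP-stage check discussed in this thread, sketched as an added example that is not part of the original messages or of Tomcat's own code: a servlet filter that rejects unauthenticated upgrade requests before the handshake completes. The `/ws/*` mapping and the `user` session attribute are assumptions, and the filter is assumed to run ahead of the container's WebSocket upgrade handling.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example. "/ws/*" is a hypothetical path covering the @ServerEndpoint URLs.
@WebFilter("/ws/*")
public class WsHandshakeAuthFilter implements Filter {

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;

        boolean isUpgrade = "websocket".equalsIgnoreCase(http.getHeader("Upgrade"));
        if (isUpgrade && !isAuthenticated(http)) {
            // Still a plain HTTP exchange: the client gets 401 instead of 101,
            // so no endpoint instance is created and onOpen is never called.
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    private static boolean isAuthenticated(HttpServletRequest http) {
        // Set by container-managed auth (e.g. a security-constraint on /ws/*).
        if (http.getUserPrincipal() != null) {
            return true;
        }
        // getSession(false): never allocate a session for an anonymous caller.
        HttpSession session = http.getSession(false);
        // "user" is a hypothetical attribute set by the application's login code.
        return session != null && session.getAttribute("user") != null;
    }

    @Override
    public void destroy() { }
}
```

When the container authenticated the request, the endpoint can read the same identity in `onOpen` through `Session.getUserPrincipal()`.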