> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Wednesday, September 04, 2013 3:59 PM
> To: Tomcat Users List
> Subject: Re: Does JSR-356 provide a way for a client to pass security info on connect?
>
> Bob DeRemer wrote:
> > I'm curious if there's anything defined in JSR-356 to enable a client to pass some security claims in the connect that would allow me to perform an auth check - prior to actually establishing the websocket connection.
> >
> > In an attempt to avoid a websocket DOS, I'm looking to see whether we can do an auth check in the ServerEndpoint onOpen (or, possibly at an earlier stage) - before the actual websocket gets established. I know we can do this at the application level in the onMessage, but it'd be good to handle this before setting up the actual websocket if possible.
> >
> From a not really websocket specialist :
> As I recall, a websocket link starts with a normal HTTP request, which then gets upgraded to a websocket connection. So it should be possible to do AAA at the initial HTTP stage, no ?
> From an earlier thread a couple of weeks (?) ago, it seems however difficult to retrieve some of that HTTP-level information later, when the websocket connection is established.
>
Exactly what I am hoping to do: the WebSocket spec outlines the HTTP Upgrade handshake process. During this handshake, a client should be able to send additional HTTP headers for this exact purpose (i.e. cookies, auth tokens, etc.). The server side just needs an application-level hook that can be called to effectively link into the pipeline, allowing/rejecting the establishment of the connection.

So, the big question(s):

1) does the tomcat client-side JSR impl provide a way to pass HTTP headers in the initial upgrade handshake

2) does the tomcat server-side JSR impl provide a way to hook into the upgrade handshake and effectively allow/reject the connection

>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
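The two hooks the questions above ask about do exist in the JSR-356 API itself (javax.websocket), independent of Tomcat: ClientEndpointConfig.Configurator.beforeRequest() lets the client add headers to the Upgrade request, and ServerEndpointConfig.Configurator.modifyHandshake() / checkOrigin() run on the server while the request is still plain HTTP. The following is an added illustration, not code from this thread or from Tomcat; the endpoint path "/chat", the allowed origin, the property name and the userForToken() check are assumptions made for the example (a real check would validate the token against its issuer).

```java
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import javax.websocket.ClientEndpointConfig;
import javax.websocket.CloseReason;
import javax.websocket.ContainerProvider;
import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
import javax.websocket.HandshakeResponse;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.HandshakeRequest;
import javax.websocket.server.ServerEndpoint;
import javax.websocket.server.ServerEndpointConfig;

public class WsHandshakeAuth {

    /** Server side: the container calls this during the HTTP Upgrade, before any WebSocket frame exists. */
    public static class AuthConfigurator extends ServerEndpointConfig.Configurator {
        public static final String USER_PROP = "auth.user";   // assumed property name

        // Hypothetical token validation for the example; replace with real signature/expiry checks.
        static String userForToken(String token) {
            return "demo-token".equals(token) ? "bob" : null;
        }

        // Case-insensitive header lookup: the case of the map keys is container-specific.
        static String header(HandshakeRequest req, String name) {
            for (Map.Entry<String, List<String>> e : req.getHeaders().entrySet()) {
                if (name.equalsIgnoreCase(e.getKey()) && e.getValue() != null && !e.getValue().isEmpty()) {
                    return e.getValue().get(0);
                }
            }
            return null;
        }

        @Override
        public boolean checkOrigin(String originHeaderValue) {
            // Returning false is the spec-defined way to refuse the Upgrade (403) before a socket exists.
            // The allowed origin is an assumption for this example.
            return "https://app.example.com".equals(originHeaderValue);
        }

        @Override
        public void modifyHandshake(ServerEndpointConfig sec, HandshakeRequest req, HandshakeResponse resp) {
            String user = null;
            // If a web.xml security-constraint protects the endpoint URL, container auth already ran.
            if (req.getUserPrincipal() != null) {
                user = req.getUserPrincipal().getName();
            } else {
                String auth = header(req, "Authorization");
                if (auth != null && auth.startsWith("Bearer ")) {
                    user = userForToken(auth.substring("Bearer ".length()));
                }
            }
            if (user != null) {
                sec.getUserProperties().put(USER_PROP, user);   // read back in @OnOpen
            }
        }
    }

    /** Server endpoint: closes at once if the handshake did not establish who the caller is. */
    @ServerEndpoint(value = "/chat", configurator = AuthConfigurator.class)
    public static class ChatEndpoint {
        @OnOpen
        public void onOpen(Session session, EndpointConfig config) throws IOException {
            Object user = config.getUserProperties().get(AuthConfigurator.USER_PROP);
            if (user == null) {
                session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "not authenticated"));
                return;
            }
            session.getUserProperties().put(AuthConfigurator.USER_PROP, user);
        }
    }

    /** Client side: beforeRequest() adds headers to the Upgrade request sent by the JSR-356 client. */
    public static Session connect(URI uri, final String token) throws Exception {
        ClientEndpointConfig cec = ClientEndpointConfig.Builder.create()
            .configurator(new ClientEndpointConfig.Configurator() {
                @Override
                public void beforeRequest(Map<String, List<String>> headers) {
                    headers.put("Authorization", Arrays.asList("Bearer " + token));
                }
            })
            .build();
        return ContainerProvider.getWebSocketContainer().connectToServer(new Endpoint() {
            @Override
            public void onOpen(Session session, EndpointConfig config) {
                // register message handlers here
            }
        }, cec, uri);
    }
}
```

Three caveats a practitioner will want to check. First, checkOrigin() is the only hook in the spec that refuses the handshake outright; modifyHandshake() can inspect and record, but the portable way to reject an unauthenticated caller from there is the immediate close in @OnOpen shown above, by which point the socket has been set up. To refuse earlier, protect the endpoint URL with a web.xml security-constraint or a servlet Filter mapped to it: the Upgrade request is an ordinary HTTP request and is subject to both. Second, whether the ServerEndpointConfig user properties seen in modifyHandshake() are per-connection or shared by every session of the endpoint depends on the container version; verify this on the Tomcat release in use before relying on it, since a shared map would leak one caller's identity to another. Third, the header-based client above only works for a JSR-356 (or other non-browser) client: the browser WebSocket API cannot set arbitrary request headers, so a browser client is limited to cookies and the Sec-WebSocket-Protocol value on the handshake.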