Affects Version/s: None
Fix Version/s: None
In JavaEE 7 we have some security problems with WebSocket.
An authenticated session, with a valid Session.getUserPrincipal(),
is not propagated as the container's security context during WebSocket events, so EJB / CDI calls made from them are unauthenticated.
I've tested with WildFly 8.2.0 and GlassFish 4.1, with a sample app
which calls EJB methods from @onOpen, @onClose and @onMessage.
Although we can work around these issues with interceptors and vendor-specific
security managers, propagating the caller identity into WebSocket events is a common use case for JavaEE applications and an important requirement for cloud/SaaS applications.
I've created an open-source library to work around these problems in
JBoss/WildFly. It's called "JBoss Security Extended" and is available on Maven Central with GAV "com.github.panga:jboss-security-extended:1.0.0".
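As an added example (not code from this issue, nor from the JBoss Security Extended library), the probe below makes the described mismatch observable on a container under test: the endpoint compares the principal the WebSocket handshake carried (Session.getUserPrincipal()) with the caller the EJB container reports (SessionContext.getCallerPrincipal()), refuses the socket outright when the handshake was unauthenticated, and reports whether the identity was propagated. Package, class and endpoint path names are assumptions.

```java
// Added example, not from the issue: identity-propagation probe for a Java EE 7 WebSocket endpoint.
// Two top-level classes, so two source files in the (hypothetical) package com.example.wsauth.

// ---- file: CallerProbeBean.java ----
package com.example.wsauth;

import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@PermitAll // open on purpose: the probe must be callable even when the caller is unauthenticated
public class CallerProbeBean {

    @Resource
    private SessionContext ctx;

    /** Name of the caller as the EJB container sees it (containers report an "anonymous"-style
     *  principal rather than null for unauthenticated calls, but we guard anyway). */
    public String callerName() {
        Principal p = ctx.getCallerPrincipal();
        return p == null ? "<none>" : p.getName();
    }
}

// ---- file: AuthProbeEndpoint.java ----
package com.example.wsauth;

import java.io.IOException;
import java.security.Principal;
import javax.ejb.EJB;
import javax.websocket.CloseReason;
import javax.websocket.OnMessage;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

@ServerEndpoint("/auth-probe") // assumed path; put it under a web.xml security-constraint
public class AuthProbeEndpoint {

    @EJB
    private CallerProbeBean probe;

    @OnOpen
    public void onOpen(Session session) throws IOException {
        Principal wsPrincipal = session.getUserPrincipal();
        if (wsPrincipal == null) {
            // Fail closed: the handshake carried no authenticated user, so refuse the socket.
            session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY,
                                          "authentication required"));
            return;
        }
        // On the affected containers these two names differ: the WebSocket layer knows the
        // user, while the EJB call made from @OnOpen runs as the anonymous caller.
        session.getBasicRemote().sendText(report(wsPrincipal.getName(), probe.callerName()));
    }

    @OnMessage
    public String onMessage(String ignored, Session session) {
        // Repeat the comparison for @OnMessage, the other event the issue reports as affected.
        Principal wsPrincipal = session.getUserPrincipal();
        String wsUser = wsPrincipal == null ? "<none>" : wsPrincipal.getName();
        return report(wsUser, probe.callerName());
    }

    /** One-line report; propagated=false is the defect described in this issue. */
    static String report(String wsUser, String ejbCaller) {
        boolean propagated = wsUser.equals(ejbCaller);
        return "ws=" + wsUser + " ejb=" + ejbCaller + " propagated=" + propagated;
    }
}
```

Deploy it behind an authenticated URL so the handshake request carries the logged-in HttpSession; a client that connects without logging in is closed with code 1008 instead of reaching the EJB, and an authenticated client receives a line such as `ws=alice ejb=anonymous propagated=false` on a container that exhibits the problem. The explicit null check in @OnOpen is the minimal endpoint-side mitigation: it does not restore @RolesAllowed on the EJB, but it stops unauthenticated sockets from driving business calls at all.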