Skip to main content

[jsr356-experts] Re: [jsr356-users] Re: Re: WebSocket Session/HttpSession

  • From: Greg Wilkins < >
  • To:
  • Subject: [jsr356-experts] Re: [jsr356-users] Re: Re: WebSocket Session/HttpSession
  • Date: Thu, 29 Nov 2012 18:49:35 +1100

Unfortunately even form authentication does not have the same
lifecycle as HTTP Session.

Sure if the HTTPSession is invalidated then then a form Auth user is
logged out.  But a users authentication/authorization can be revoked
during the life of a HttpSession (eg their credit expires in some
central JAAS server).   For that reason Form auth will often store the
credentials in the session and revalidate them on every request.
Basic/Digest authentication revalidate on each request by their
nature.

I really don't think we want to get into that situation for websocket,
as it could be a considerable burden to validate credentials on every
message received before calling any handlers.   If we don't validate
on every message, then we are essentially saying that the identity
associated with every message is the identity as it was established
during the handshake - in which case I don't think we should be
associating with the HTTPsession (unless the application does so
explicitly).

Or maybe we do want to validate the identity on every message and just
warn users that constraint protected messages can be very expensive?

cheers


-- 
Greg Wilkins 
< >
http://www.webtide.com
Developer advice and support from the Jetty & CometD experts.


[jsr356-experts] Re: WebSocket Session/HttpSession

Greg Wilkins 11/01/2012

[jsr356-experts] Re: WebSocket Session/HttpSession

Danny Coward 11/02/2012

[jsr356-experts] Re: WebSocket Session/HttpSession

Mark Thomas 11/03/2012

[jsr356-experts] Re: [jsr356-users] Re: WebSocket Session/HttpSession

Danny Coward 11/08/2012

[jsr356-experts] Re: [jsr356-users] Re: WebSocket Session/HttpSession

Mark Thomas 11/09/2012

[jsr356-experts] Re: [jsr356-users] Re: WebSocket Session/HttpSession

Danny Coward 11/13/2012

[jsr356-experts] Re: [jsr356-users] Re: WebSocket Session/HttpSession

Mark Thomas 11/14/2012

[jsr356-experts] Re: [jsr356-users] Re: Re: WebSocket Session/HttpSession

Danny Coward 11/15/2012

[jsr356-experts] Re: [jsr356-users] Re: Re: WebSocket Session/HttpSession

Mark Thomas 11/24/2012

[jsr356-experts] Re: [jsr356-users] Re: Re: WebSocket Session/HttpSession

Greg Wilkins 11/29/2012
 
 
Close
loading
Please Confirm
Close