[jsr356-users] [jsr356-experts] Re: Summary: relationship of WebSocket Session/HttpSession/Identity/web logout
- From: Mark Thomas <
- Subject: [jsr356-users] [jsr356-experts] Re: Summary: relationship of WebSocket Session/HttpSession/Identity/web logout
- Date: Fri, 07 Dec 2012 17:43:51 +0000
- List-id: <jsr356-experts.websocket-spec.java.net>
On 07/12/2012 00:56, Danny Coward wrote:
> OK, so in the spirit of trying to close out this discussion and find
> what is reasonable to require in the specification, what it looks like
> to me we are left with is this:-
> 1) The only association between websocket session and HttpSession is at
> opening handshake time. The API gives developers a convenient access to
> the HttpSession object at that point in time.
> 2) The user identity associated with the websocket Session is the user
> identity that was established at the opening handshake.
Do we want to expose this through the API?
> 3) If the server decides that authorization for this websocket resource
> by this user identity has ended (it expired, or some logout mechanism
> was invoked) then the websocket implementation must immediately close
> the connection.
Can we make this behaviour optional?