On 25 June 2012 20:44, Mark Thomas <markt_at_apache.org> wrote:
>
>> * Handshake: the API assumes the developer has minimal knowledge of
>> the details of the handshake process, save for the basic elements of
>> the URI, optional Origin check, subprotocol preferences. What's
>> missing ?
>
> I'm already seeing requests for pretty much everything available on the
> HttpServletRequest object. The general indication so far is that the WS
> API needs to be fairly low-level with the 'convenience' stuff left to
> the higher-level frameworks.

We are also seeing requests for pretty much everything:
+ headers
+ cookies
+ HttpSession
+ attributes
+ user identity / roles

Currently we keep copies of much of these for the duration of the
websocket - not sure that is a good thing.

More difficult is that we are now considering the multiplex extension,
which tunnels HTTP headers over websockets to open a new stream. The
problem is that it is very hard to replicate the handling of those
headers with regard to authentication and authorisation without
making a fake HTTP request/response and letting it propagate through
the container/filters etc.

I'm not sure how to solve that one, without duplicating all the
authentication/authorisation stuff in websockets.

regards
--
Greg Wilkins <gregw_at_intalio.com>
www.webtide.com
Developer advice, services and support
from the Jetty & CometD experts.