On 11/08/2012 03:12, Greg Wilkins wrote:
> Danny,
>
> Good analysis.
>
> But just to clarify my position....
>
> I think that when a handhake is accepted, that is when the both a HTTP
> request and a Websocket endpoint exist at the same time. I think at that
> point the developer should copy any state that they want (eg UserPrincipal)
> from the request/session to the POJO that is the websocket endpoint.
> The state injected into the endpoint might just be a reference to the
> HttpSession (which is probably safe) or a reference to the ServletRequest
> (which is unsafe and will break). Of the point has the session, then it
> should be able to touch it to keep it alive and access attributes so as to
> be able to communicate with HTTP requests accessing the same session. But
> the key thing is that I don't think the EndPoint API should make the
> HttpSession explicitly available, as that introduces a portability issue
> and because it is easy to inject the session as the endpoint is created
> during the handshake.
+1
Mark