On 07/12/2012 00:56, Danny Coward wrote:
> OK, so in the spirit of trying to close out this discussion and find
> what is reasonable to require in the specification, what it looks like
> to me we are left with is this:-
>
> 1) The only association between websocket session and HttpSession is at
> opening handshake time. The API gives developers a convenient access to
> the HttpSession object at that point in time.
> 2) The user identity associated with the websocket Session is the user
> identity that was established at the opening handshake.

Do we want to expose this through the API?

> 3) If the server decides that authorization for this websocket resource
> by this user identity has ended (it expired, or some logout mechanism
> was invoked) then the websocket implementation must immediately close
> the connection.

Can we make this behaviour optional?

Mark