Here's a few thoughts since this thread has sort of ended up talking
about web socket connections and Http Sessions.
HttpSession is only an embodiment of the sequence Http calls from the
same web client into the web server where the web sockets are, and from
our perspective, the opening handshakes from one web client to one or
more of the web sockets are some those calls. There might have been
several calls (including an authentication interaction) before the web
client sent each opening handshake. The same web client may have sent
several different opening handshakes, each for a different web socket.
There might be lots more plain http requests and/or opening handshakes
coming from the same web client before the day is done.
So we have one HttpSession per web client. Embodies all the http
requests it made. (some of them handshakes, some of them not).
Then, per web-socket-client-server pair, we have (logically) one
connection. We're modeling this in the API as a Session. The Session
appears with the Open frame, and dies when the connection ends.
So we have one Session per connection. Since each web client can create
multiple web-socket-clients, there are multiple Sessions for each
HttpSession. Since web developers often put all sorts of useful
information in the HttpSession, I think it'd be useful to expose this
into web socket sessions (as v003 of the API does).
How we relate the lifetimes of Sessions and HttpSessions is going to
depend in part how we want to do the security model for web sockets.
I'll throw out a few scenarios that perhaps we should make easy for
developers to create:-
1. if a web client has already authenticated with the server (using
one of the standard EE methods for example: HttpBasic, form or client
cert) then an opening handshake from the same client should be treated
as already authenticated.
2. it should be easy for a web socket developer to declare whether
access to a web socket server endpoint needs to be authenticated, and
who can access it, and if it needs an encrypted connection or not. Maybe
this is as simple as treating the ws:// URLs as falling under the same
security model as the web container uses for its web resources?
3. in a web application, if the client doesn't make any interactions
for a long time, but the web socket connections that the client opened
up are in use (or have not expired), then for many developers, this will
mean they think of the client as being still active, and it should be
easy configure things so that HttpSession does not expire on the web
sockets (maybe by 'touching it' as I think Greg suggested.
4. in a web application where all the resources require authentication
and an access check to access (web content and web socket content
alike), if the client 'logs out' then the client should not be able to
access any of the content any more (including the web sockets).
Do you agree ? Are there others ?
- Danny
On 8/9/12 8:43 AM, Joe Walnes wrote:
> I agree that sharing a full blown HttpSession introduces a lot of
> complexity, and if we can avoid it, we should.
>
> Authentication is really the only case I can think of where state
> needs to be shared, so maybe we can specifically handle this, rather
> than coming up with a general catch-all solution.
>
> If the EndPoint instance had access to the user principal (and maybe
> the URI and headers from the original request, to allow other pieces
> of information to be passed from a web-page to a WebSocket), that
> should me enough, right?
>
> On Thu, Aug 9, 2012 at 9:03 AM, Justin Lee <jlee_at_antwerkz.com
> <mailto:jlee_at_antwerkz.com>> wrote:
>
> i'm with greg on this one. In grizzly, we'd create a new
> WebSocket per connection and save state there. In the
> WebSocketApplication class, there was an overridable factory
> method that allowed for specialization at the application layer
> that let the app author do whatever was needed. With access into
> the Application from a WebSocket, state could be shared exposed as
> needed. I'm not entirely sure we need to work too hard to deal
> with things like shared credentials on multiple connections from a
> client since muxing alleviate that multiple connection problem
> when it lands. That said, it's up for debate how much we want to
> plan around impending features (that might be impending for a
> year+) or just design to what we have *now* that we know browsers
> and clients support.
>
>
> On Wed, Aug 8, 2012 at 7:56 PM, Joe Walnes <joe_at_walnes.com
> <mailto:joe_at_walnes.com>> wrote:
>
>
>
> On Wed, Aug 8, 2012 at 6:47 PM, Greg Wilkins
> <gregw_at_intalio.com <mailto:gregw_at_intalio.com>> wrote:
>
> On 5 August 2012 19:05, Mark Thomas <mark_at_homeinbox.net
> <mailto:mark_at_homeinbox.net>> wrote:
> > The question this raises for me is what is the mechanism
> going to be for
> > retaining state? i.e. what is the WebSocket equivalent
> of HttpSession
> > going to be? The follow-on question is how is state
> information
> > transferred between the WebSocketSession (for want of a
> better name
> > right now) and the HttpSession.
>
> In my websocket work to date, having websocket session has
> not been an
> issue as we create an EndPoint per connection as a new
> object that can
> hold state.
>
>
> That's true, but there's also some state that needs to be
> shared between connections such as authentication credentials.
>
>
>
>
> --
> You can find me on the net at:
> http://antwerkz.com <http://antwerkz.com/> http://antwerkz.com/+
> http://antwerkz.com/twitter http://antwerkz.com/github
>
>
--
<http://www.oracle.com> *Danny Coward *
Java EE
Oracle Corporation