users@websocket-spec.java.net

[jsr356-users] [jsr356-experts] Re: Summary: relationship of WebSocket Session/HttpSession/Identity/web logout

From: Mark Thomas <mark_at_homeinbox.net>
Date: Fri, 07 Dec 2012 17:43:51 +0000

On 07/12/2012 00:56, Danny Coward wrote:
> OK, so in the spirit of trying to close out this discussion and find
> what is reasonable to require in the specification, what it looks like
> to me we are left with is this:-
>
> 1) The only association between websocket session and HttpSession is at
> opening handshake time. The API gives developers a convenient access to
> the HttpSession object at that point in time.
> 2) The user identity associated with the websocket Session is the user
> identity that was established at the opening handshake.

Do we want to expose this through the API?

> 3) If the server decides that authorization for this websocket resource
> by this user identity has ended (it expired, or some logout mechanism
> was invoked) then the websocket implementation must immediately close
> the connection.

Can we make this behaviour optional?

Mark