In JavaEE 7 we have some security problems with WebSocket.
An authenticated session, with a valid Session.getUserPrincipal(), doesn't
authenticate in the container on WebSocket events, so EJB / CDI calls
are unauthenticated.
I've tested with WildFly 8.2.0 and GlassFish 4.1, with a sample app which
calls EJB methods from @OnOpen, @OnClose and @OnMessage.
Although we can work around these issues with interceptors and vendor
specific security managers, it's a common use case for JavaEE
applications and an important requirement for cloud/SaaS applications.
I've created an open-source library to work around these problems in
JBoss/WildFly.
It's called "JBoss Security Extended" and is available on maven central
with GAV "com.github.panga:jboss-security-extended:1.0.0".
Library source and docs:
https://github.com/panga/jboss-security-extended
WebSocket sample app source using library:
https://github.com/panga/websocket-auth
What do you guys think?
Best Regards,
Leonardo Zanivan
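Added example (not from the post or the jboss-security-extended library): a portable, defensive pattern for the problem described above. Since the container's security context is not populated on WebSocket events, the endpoint checks Session.getUserPrincipal() itself, closes unauthenticated connections, and passes the identity to the EJB explicitly instead of relying on @RolesAllowed. The endpoint path, the ChatService EJB and its method are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.ejb.EJB;
import javax.websocket.CloseReason;
import javax.websocket.OnMessage;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

@ServerEndpoint("/chat")   // endpoint path is an assumption
public class GuardedEndpoint {

    // Hypothetical EJB. It receives the caller's identity as a parameter
    // because, per the post, the container security context (and thus
    // @RolesAllowed / SessionContext.getCallerPrincipal()) is not set up
    // when EJB methods are invoked from WebSocket event handlers.
    @EJB
    private ChatService chatService;

    @OnOpen
    public void onOpen(Session session) throws IOException {
        if (authenticatedUser(session) == null) {
            // Refuse the connection instead of letting an unauthenticated
            // caller reach EJB code paths at all.
            closeUnauthenticated(session);
        }
    }

    @OnMessage
    public void onMessage(String text, Session session) throws IOException {
        Principal user = authenticatedUser(session);
        if (user == null) {          // re-check on every event, not only on open
            closeUnauthenticated(session);
            return;
        }
        chatService.post(user.getName(), text);   // identity passed explicitly
    }

    // Session.getUserPrincipal() reflects the HTTP authentication that was in
    // place at handshake time; null means the upgrade was unauthenticated.
    static Principal authenticatedUser(Session session) {
        return session.getUserPrincipal();
    }

    private static void closeUnauthenticated(Session session) throws IOException {
        session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY,
                                      "authentication required"));
    }
}

// Hypothetical local EJB business interface.
interface ChatService {
    void post(String userName, String text);
}
```

Because the EJB still runs without a caller principal, any server-side authorization decision has to be made from the userName argument (or inside the endpoint) rather than from the EJB security annotations.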