Re: [servlet-dev] WebSocket and HttpSession
- From: Manfred Riem <m_riem@xxxxxxxxxxx>
- Date: Thu, 8 Jun 2023 18:27:18 +0000
Hi Mark,
Once the original request is upgraded that authentication should not be propagated by the Servlet layer.
If the developer wants to do something here, they should do that as part of the upgrade handler.
Which means for WebSocket the WebSocket folks should address this in the WebSocket specification if they choose to do so.
This does NOT belong to the Servlet specification to solve.
Manfred
-----Original Message-----
From: servlet-dev <servlet-dev-bounces@xxxxxxxxxxx> On Behalf Of Mark Thomas
Sent: Thursday, June 8, 2023 12:44 PM
To: servlet-dev@xxxxxxxxxxx
Subject: Re: [servlet-dev] WebSocket and HttpSession
On 08/06/2023 17:10, Manfred Riem wrote:
> Hi Mark,
>
> Once you do a protocol upgrade one should not try to use anything that had to do with the original Servlet request.
>
> If someone wants 'session' management then they should implement that as part of their WebSocket application.
Ideally, yes. Unfortunately, that breaks down if access to the WebSocket endpoint is authenticated, as the original HTTP request is then authenticated and that authentication process is linked to the HTTP session.
There are lots of different strategies for handling this. I'm not advocating for any one strategy. I am aiming for the minimal change to the Servlet and/or WebSocket specs that would allow developers to implement their strategy of choice.
Mark
>
> Anyway my 2 dollars (inflation and all)
>
> Thanks!
>
> Kind regards,
> Manfred Riem
>
> -----Original Message-----
> From: servlet-dev <servlet-dev-bounces@xxxxxxxxxxx> On Behalf Of Mark
> Thomas
> Sent: Thursday, June 8, 2023 10:58 AM
> To: servlet developer discussions <servlet-dev@xxxxxxxxxxx>
> Subject: [servlet-dev] WebSocket and HttpSession
>
> Hi all,
>
> I'd like to see if we can find a way to resolve a long-standing WebSocket issue. The full detail can be found in this issue:
> https://github.com/jakartaee/websocket/issues/175
>
> The short version is that a WebSocket session that retains a reference to the Servlet HttpSession in place when the WebSocket handshake took place needs a way to indicate that it is using the session and that the session should not be invalidated for inactivity.
>
> My proposal is to add the following method to HttpSession:
>
> public void access()
>
>
> Calling this method would update the last accessed time to the current time.
>
> The circumstances in which a WebSocket application may call this method would be left as an application concern as different applications are likely to want to adopt different strategies.
>
> Thoughts?
>
> Mark
> _______________________________________________
> servlet-dev mailing list
> servlet-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/servlet-dev
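An added example, not part of the thread and not code from either specification: one of the strategies the thread alludes to, in which a WebSocket endpoint captures the `HttpSession` during the handshake and fails closed once that session has been invalidated. The endpoint path, class names and property key are hypothetical, and the `access()` method proposed in the thread is not called because the page presents it only as a proposal.

```java
import java.io.IOException;
import jakarta.servlet.http.HttpSession;
import jakarta.websocket.*;
import jakarta.websocket.server.*;

// Hypothetical endpoint: the path, class names and property key are made up.
@ServerEndpoint(value = "/ws/example", configurator = SessionBoundEndpoint.Capture.class)
public class SessionBoundEndpoint {
    private static final String KEY = "example.httpSession";

    // Runs during the HTTP handshake, the only point where the HttpSession is reachable.
    public static class Capture extends ServerEndpointConfig.Configurator {
        @Override
        public void modifyHandshake(ServerEndpointConfig sec, HandshakeRequest req,
                                    HandshakeResponse resp) {
            Object http = req.getHttpSession(); // null when no HTTP session exists
            // Assumption: the container gives each connection its own user-properties map.
            if (http != null) sec.getUserProperties().put(KEY, http);
        }
    }

    @OnOpen
    public void onOpen(Session ws, EndpointConfig config) throws IOException {
        Object http = config.getUserProperties().get(KEY);
        if (http instanceof HttpSession) {
            ws.getUserProperties().put(KEY, http);
        } else {
            ws.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "no HTTP session"));
        }
    }

    @OnMessage
    public void onMessage(Session ws, String message) throws IOException {
        HttpSession http = (HttpSession) ws.getUserProperties().get(KEY);
        if (http == null || !isValid(http)) {
            // The session the handshake was authenticated under is gone: stop serving.
            ws.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY, "HTTP session ended"));
            return;
        }
        ws.sendText("echo: " + message);
    }

    // getLastAccessedTime() throws IllegalStateException on an invalidated session.
    private static boolean isValid(HttpSession http) {
        try { http.getLastAccessedTime(); return true; }
        catch (IllegalStateException invalidated) { return false; }
    }
}
```

WebSocket messages do not refresh the session's last-accessed time, so with this strategy an active socket is still closed once the HTTP session times out for inactivity, which is the behaviour the proposal in the thread is meant to let applications change.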