Posted to issues@cxf.apache.org by Michał Woś <mi...@leonisapps.pl> on 2014/08/21 12:53:53 UTC

CXF-5901 - Websocket should support not only CORS but other security filters (OAuth)

Websocket upgrade request can be done from any origin and by anyone. I 
can't find any security means to protect this particular request. Please 
advise because I might be missing sth.

Kind regards,
Michał

Re: CXF-5901 - Websocket should support not only CORS but other security filters (OAuth)

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi,
On 21/08/14 11:53, Michał Woś wrote:
> Websocket upgrade request can be done from any origin and by anyone. I
> can't find any security means to protect this particular request. Please
> advise because I might be missing sth.
>
The HTTP headers available at the upgrade request will be available to 
CXF filters, in case of the OAuth2 client we'd have
Authorization: Bearer 123456
(or whatever the token type is)

and OAuth2 filter will take care of it, while the CORS filter will take 
care of the origin restrictions/etc. I'm also presuming it would be 
recommended to use a secure wss: protocol.

Does it sound right to you?

Cheers, Sergey



> Kind regards,
> Michał