Posted to users@tomcat.apache.org by Gismor3 <gi...@gmail.com> on 2012/09/19 00:04:31 UTC

WebSocketServlet BASIC auth

Hello everybody,

I'm testing a web application to use WebSocket with Tomcat 7.0.30.

I would like my WebSocket connection to be protected and accessible only
from authenticated user. In particular I would like to use the BASIC
authentication.

From what I understand I thought that by adding the security-constraint to
the web.xml would be enough. So basically I have added this to the web.xml
file:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Galaxy</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>testDS</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>

Unfortunately that doesn't work, and without any problem I can connect to
the websocket channel without any authentication.

What do I need to do in order to restrict the access to the application?
Thanks in advance

Re: WebSocketServlet BASIC auth

Posted by Mark Thomas <ma...@apache.org>.
On 18/09/2012 23:04, Gismor3 wrote:

> What do I need to do in order to restrict the access to the application?
> Thanks in advance

The WebSocket protocol does not include any concept of an authentication
challenge. I tested this recently and the browsers drop the connection
if they get a 401 response.

To get this working with Tomcat, the following *should* work but is
untested.

1. Create an HTTP session.
2. Authenticate the user
3. Start the web socket connection.

Provided the user/session is already authenticated, you should be able
to protect the WebSocket endpoints using normal Servlet security in web.xml.

HTH,

Mark
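The three-step sequence Mark describes, written as a browser-side helper (an added example, not code from this thread or from Tomcat): it first fetches an ordinary protected URL so the browser completes the BASIC challenge and receives the session cookie, and only then opens the WebSocket, whose upgrade GET then carries that cookie to the security constraint. The login URL `/app/login`, the endpoint `/app/ws` and the `fetchImpl`/`WebSocketImpl` parameters are assumptions; the parameters exist only so the flow can be exercised outside a browser.

```javascript
// Added example: authenticate over plain HTTP first, then upgrade to WebSocket.
// Assumed names: loginUrl is any URL covered by the web.xml security
// constraint (e.g. the hypothetical "/app/login"); wsUrl is the
// WebSocketServlet mapping. fetchImpl/WebSocketImpl default to the browser
// globals and are parameters only so the flow can be tested without a browser.

// Classify the response to the preliminary login request. A 401/403 means the
// browser either got no credentials or they were rejected; anything but 2xx is
// treated as a failure rather than silently attempting the upgrade.
function classifyLoginResponse(status) {
  if (status === 401 || status === 403) return 'unauthenticated';
  if (status >= 200 && status < 300) return 'authenticated';
  return 'error';
}

async function connectAuthenticated(loginUrl, wsUrl, options = {}) {
  const fetchImpl = options.fetchImpl || globalThis.fetch;
  const WebSocketImpl = options.WebSocketImpl || globalThis.WebSocket;

  // Steps 1 and 2: a normal HTTP request. Unlike a WebSocket upgrade, a browser
  // answers a 401 here by prompting for BASIC credentials and retrying; the
  // successful response creates the authenticated session and sets its cookie.
  const resp = await fetchImpl(loginUrl, { method: 'GET', credentials: 'include' });
  const outcome = classifyLoginResponse(resp.status);
  if (outcome !== 'authenticated') {
    throw new Error(`login at ${loginUrl} returned HTTP ${resp.status} (${outcome})`);
  }

  // Step 3: the upgrade GET now carries the session cookie, so the container
  // sees an already-authenticated session and the constraint lets it through.
  // The WebSocket API offers no way to attach credentials to this request.
  return new WebSocketImpl(wsUrl);
}
```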
