如何在码头验证Websocket客户端? [英] How to authenticate websocket client in jetty?

查看:210
本文介绍了如何在码头验证Websocket客户端?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在服务器端使用嵌入式码头,该码头将同时接受http和websocket请求.我正在使用 org.eclipse.jetty.security.authentication.FormAuthenticator 对用户进行身份验证.用户登录后,我的JavaScript代码将打开与服务器的Websocket连接.我想知道服务器如何验证此websocket客户端,以避免接受来自未授权客户端(例如java客户端)的websocket连接.

I am using embedded jetty on server side which will accept both http and websocket requests. I am using org.eclipse.jetty.security.authentication.FormAuthenticator for authenticating user. After user gets logged-in, my javascript code will open up a websocket connection with server. I want to know how server can authenticate this websocket client, to avoid accepting websocket connections from un-authorized clients(say, java client).

推荐答案

假设您正确设置了嵌入式码头,它将使用与普通Web应用程序相同的安全性约束系统来验证为此分配给url模式的用户角色网络套接字.

Assuming you have setup the embedded jetty properly, it would use the same security constraints system of a normal webapp to validate the user role assigned to the url pattern for that websocket.

如果未对用户进行身份验证并使用该websocket的授权角色进行设置,这将防止websocket升级(在服务器端尝试).

This would prevent the websocket upgrade from even occurring (being attempted on the server side) if the user isn't authenticated and setup with an authorized role for that websocket.

但是请注意,浏览器在情况下的行为会大不相同.如果存在身份验证或授权问题,您可能不会从javascript WebSocket对象中收到不错的错误消息.它将以匿名方式仅在客户端关闭代码(例如1006)且没有关闭原因的情况下匿名失败.

Know however that browsers behave very differently in scenario. You will likely not get a decent error message out of the javascript WebSocket object if there is an authentication or authorization issue. It will just fail anonymously with a client side only close code (such as 1006) and no close reason.

这篇关于如何在码头验证Websocket客户端?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆