问题
I am using embedded jetty on server side which will accept both http and websocket requests. I am using org.eclipse.jetty.security.authentication.FormAuthenticator for authenticating user. After user gets logged-in, my javascript code will open up a websocket connection with server. I want to know how server can authenticate this websocket client, to avoid accepting websocket connections from un-authorized clients(say, java client).
回答1:
Assuming you have setup the embedded jetty properly, it would use the same security constraints system of a normal webapp to validate the user role assigned to the url pattern for that websocket.
This would prevent the websocket upgrade from even occurring (being attempted on the server side) if the user isn't authenticated and setup with an authorized role for that websocket.
Know however that browsers behave very differently in scenario. You will likely not get a decent error message out of the javascript WebSocket object if there is an authentication or authorization issue. It will just fail anonymously with a client side only close code (such as 1006) and no close reason.
来源:https://stackoverflow.com/questions/27897990/how-to-authenticate-websocket-client-in-jetty