Is Tyrus necessary to implement Java WebSocket authentication?


Although there's a very similar post, it is unanswered.

My JavaFX app with WebSocket will

  1. send user id and password to the server
  2. keep the session to let user do something like personal data management.

Learning from

Oracle WebSocket and Tyrus 8.14 Client HTTP Authentication

I have:

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

import javax.websocket.ClientEndpoint;
import javax.websocket.ClientEndpointConfig;
import javax.websocket.DeploymentException;
import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
import javax.websocket.Session;

import org.glassfish.tyrus.client.ClientManager;
import org.glassfish.tyrus.client.ClientProperties;
import org.glassfish.tyrus.client.auth.AuthConfig;
import org.glassfish.tyrus.client.auth.Credentials;

@ClientEndpoint
public class loginEndPoint {
    // Released when the first server message arrives so main() can wait for it.
    private static final CountDownLatch messageLatch = new CountDownLatch(1);

    public static void main(String[] args) {
        final ClientEndpointConfig cec = ClientEndpointConfig.Builder.create().build();
        // Tyrus client; AUTH_CONFIG and CREDENTIALS are Tyrus-specific properties.
        ClientManager client = ClientManager.createClient();
        // Tyrus' builder method for turning off its built-in BASIC authenticator,
        // leaving the provided DIGEST authenticator in place.
        AuthConfig authConfig = AuthConfig.Builder.create().disableProvidedBasicAuth().build();
        Credentials credentials = new Credentials("ws_user", "password");
        client.getProperties().put(ClientProperties.AUTH_CONFIG, authConfig);
        client.getProperties().put(ClientProperties.CREDENTIALS, credentials);

        try {
            client.connectToServer(new Endpoint() {
                @Override
                public void onOpen(Session session, EndpointConfig config) {
                    // Pass the message class explicitly: a bare lambda gives Tyrus no
                    // way to determine the handler's type at runtime.
                    session.addMessageHandler(String.class, message -> {
                        System.out.println("Received message: " + message);
                        messageLatch.countDown();
                    });
                    // let user do some data management
                }
            }, cec, new URI("ws://localhost/myApp/login"));
            // Keep the JVM alive until a message arrives or the timeout passes.
            messageLatch.await(10, TimeUnit.SECONDS);
        } catch (DeploymentException | IOException | URISyntaxException | InterruptedException e) {
            System.out.println("Connect Fail.");
        }
    }
}

Is this code right to do the authentication? And where could I do the server-side authentication in the @ServerEndpoint?

import javax.websocket.server.ServerEndpoint;

// @ServerEndpoint requires a path; "/login" matches the client URI above.
@ServerEndpoint("/login")
public class loginServerEndPoint {
}

Thanks for help.

ondrej kosatka

No, it is not necessary to use Tyrus as a server implementation. On the server side you should secure WebSocket in exactly the same way as you secure a servlet or JSP in your servlet container, which can be slightly different from container to container (mapping users to roles). Look at the authentication example. Note that this example shows how to make an authenticated WebSocket request handshake with the BASIC auth scheme, but your client code disables it explicitly, so probably you want to use the DIGEST scheme.
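As an added example (not the asker's code, not from the answer, and not Tyrus project code), this is what "secure it the same way as a servlet" looks like in container-independent form: the endpoint's URL pattern is covered by a security-constraint in web.xml so the container authenticates the HTTP upgrade request itself, and the endpoint only trusts the principal the container attached to the session. The `/login` path, the `ws-user` role and the realm name are assumptions; the user-to-role mapping lives in the container's own realm configuration and is not shown.

```java
// Added example: server side of a container-authenticated WebSocket handshake.
// Assumed web.xml fragment protecting the endpoint. The container performs the
// DIGEST exchange on the upgrade request; "ws-user" and "myApp" are placeholders.
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>login endpoint</web-resource-name>
//       <url-pattern>/login</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>ws-user</role-name></auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>DIGEST</auth-method>
//     <realm-name>myApp</realm-name>
//   </login-config>
//   <security-role><role-name>ws-user</role-name></security-role>

import java.io.IOException;
import java.security.Principal;

import javax.websocket.CloseReason;
import javax.websocket.OnMessage;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

@ServerEndpoint("/login")
public class LoginServerEndPoint {

    @OnOpen
    public void onOpen(Session session) throws IOException {
        // The container sets the principal during the handshake; with the
        // security-constraint above an anonymous upgrade never reaches this point,
        // so a null principal means the constraint is missing or misconfigured.
        Principal user = session.getUserPrincipal();
        if (user == null) {
            // Close code 1008 (policy violation); never serve an unauthenticated session.
            session.close(new CloseReason(CloseReason.CloseCodes.VIOLATED_POLICY,
                    "authentication required"));
            return;
        }
        session.getBasicRemote().sendText("hello " + user.getName());
    }

    @OnMessage
    public void onMessage(String message, Session session) throws IOException {
        // Personal data management: key every lookup by the container principal,
        // never by a user id carried in the message body, so one authenticated
        // client cannot act on another user's data by changing that field.
        String owner = session.getUserPrincipal().getName();
        session.getBasicRemote().sendText(owner + ": " + message);
    }
}
```

With this arrangement no password ever crosses the WebSocket itself: the client from the question sends its credentials once during the HTTP upgrade, the container validates them against its realm, and every later frame is tied to that session's principal. Because DIGEST and BASIC both travel in the upgrade request headers, deploy the endpoint behind `wss://` in anything beyond local testing.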