WebSockets are secured using the web container security model. A WebSockets developer can declare whether access to the WebSocket server endpoint needs to be authenticated, who can access it, and whether it needs an encrypted connection.
A WebSockets endpoint that is mapped to a ws:// URI is protected in the deployment descriptor under the http:// URI with the same hostname, port, and path, since the initial handshake is made over the HTTP connection. So, WebSockets developers can assign an authentication scheme, user roles, and a transport guarantee to any WebSockets endpoint.
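The three settings named above, shown as web.xml elements that go inside the web-app root element. This is an added example, not the book's own descriptor; the /chat/* path, the chat-user role and the realm name are assumed values.

```xml
<!-- Children of <web-app>. The path, role and realm names are assumptions. -->

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured WebSocket endpoint</web-resource-name>
        <!-- Same path the endpoint is deployed at: the ws:// handshake
             arrives as an HTTP request for this URL, so the container
             applies this constraint before the upgrade happens. -->
        <url-pattern>/chat/*</url-pattern>
        <!-- No <http-method> is listed, so every method is covered,
             including the GET that carries the Upgrade handshake.
             Listing methods would leave the unlisted ones unprotected. -->
    </web-resource-collection>

    <!-- Who can access it: only authenticated users in this role. -->
    <auth-constraint>
        <role-name>chat-user</role-name>
    </auth-constraint>

    <!-- Transport guarantee: CONFIDENTIAL requires TLS, so clients must
         connect with wss:// (https:// for the handshake). NONE would
         allow the credentials and frames to travel in cleartext. -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Authentication scheme used for the handshake request. BASIC sends
     the password on every request, which is why it is paired with
     CONFIDENTIAL above. -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>websocket-realm</realm-name>
</login-config>

<!-- Every role referenced in an auth-constraint must be declared. -->
<security-role>
    <role-name>chat-user</role-name>
</security-role>
```

The container enforces these rules only on the opening handshake; once the connection is upgraded, any per-message authorization has to be done by the endpoint code itself.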
We will take the same sample as we saw in Chapter 2, WebSockets and Server-sent Events, and make it a secure WebSockets application.
Here is the web.xml for a secure WebSocket endpoint:
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0...