0

I am deploying CometD-3.0.1 in jetty-9.2.2.

I have my own filters which I want to call for every request. I have specified those filters in the web.xml in a particular order.

But with WebSocket, containers have to find a way to handle the upgrade request. In Jetty, this is done by a servlet filter that is always added as the first filter by a ServletContainerInitializer. So in my case, an upgrade request will never hit my filter, because the WS filter that's at the front of the chain will do the upgrade before hitting my filter.

What should I do so that my filters will be invoked first, before the WS filters of Jetty?

Thanks, Anuj

Joakim Erdfelt
Anuj Khandelwal

1 Answer

2

In short, it is impossible to run a servlet filter on a websocket upgrade.

The choice in Jetty to have WebSocket upgrade handled by a filter is just our particular implementation of the Servlet and WebSocket specs. Other implementations might use different techniques.

There are 2 things to understand about this.

  1. If the container had configured WebSocket endpoints on known path mappings / path specs, then any upgrade request that arrives is handled BEFORE all servlet processing. Jetty chose to do this via an internal filter; other implementations do this with special processing before handing it off to the servlet chain.

  2. Servlet Filtering of websocket upgrades was discouraged early on in the servlet spec as most any changes a filter can do will cause problems to a websocket upgrade. There was brief talk about rejecting some code paths that were known to cause problems (like accessing the request content or response content, setting headers in the request or response, etc.). But this proved to be too invasive, so it was declared to be not possible and discouraged.

Now, you should know that if the websocket upgrade doesn't occur, and without an error, then the servlet processing chain does kick in for that request.

A typical problem here is that some folks have built their security around filters; this is good for Servlets, but not WebSockets.

If this is the case, then you have some work ahead of you.

Pick one of the following:

or

  • Implement your security using the security layers of the container (that always happen before any processing of websockets or servlets)
Joakim Erdfelt
  • Thanks for the detailed explanation. As you mentioned that "Servlet Filtering of websocket upgrades was discouraged early on in the servlet spec". Can you point me to the spec or some link where this point is discussed? – Anuj Khandelwal Sep 12 '14 at 10:15
  • In my case I am using CometD and deploying it into Jetty... As you mentioned that "implement security using the security layers of the container"... what are the security layers? I didn't get it... Having said that, all I want is to use Kerberos credentials with the websocket. How should I pass Kerberos credentials with the request? – Anuj Khandelwal Sep 15 '14 at 15:18
  • If you are using javascript in the browser, there's no known way with the existing Javascript WebSocket API to pass those credentials. (we can barely pass BASIC auth in the URL/URI with this API) – Joakim Erdfelt Sep 15 '14 at 15:35
  • > we can barely pass BASIC auth in the URL/URI with this API... Could you please tell me how to pass basic auth headers in the URL? And also, as you mentioned in the answer: "implement security using the security layers of the container"... How should I implement security using the security layers of the container? – Anuj Khandelwal Sep 15 '14 at 15:41
  • ws://{user}:{password}@{host}/{path} – Joakim Erdfelt Sep 15 '14 at 16:12
  • As you mentioned in the first workaround: I tried the first option by passing my authentication headers in modifyHandshake(), but I got java.lang.ClassCastException: org.eclipse.jetty.websocket.jsr356.server.JsrHandshakeRequest cannot be cast to javax.servlet.http.HttpServletRequest... How should I set a header on this request? Can you please elaborate on how this can be done? – Anuj Khandelwal Sep 22 '14 at 15:25
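
An added example, not part of the original answer or comments and not Jetty or CometD code: a JSR-356 endpoint that relies on the container security layer described in the answer and reads the upgrade request through `HandshakeRequest` rather than casting it to `HttpServletRequest`. The endpoint path, the class names and the presence of a matching `<security-constraint>` in web.xml are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import java.util.logging.Logger;
import javax.websocket.CloseReason;
import javax.websocket.CloseReason.CloseCodes;
import javax.websocket.HandshakeResponse;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.HandshakeRequest;
import javax.websocket.server.ServerEndpoint;
import javax.websocket.server.ServerEndpointConfig;

// Hypothetical endpoint: the path and class names are assumptions for this example.
// Assumes web.xml has a <security-constraint> and <login-config> covering /ws/events,
// so the container authenticates the upgrade request before any WebSocket processing.
@ServerEndpoint(value = "/ws/events", configurator = SecuredEndpoint.HandshakeAudit.class)
public class SecuredEndpoint {
    private static final Logger LOG = Logger.getLogger(SecuredEndpoint.class.getName());

    public static class HandshakeAudit extends ServerEndpointConfig.Configurator {
        @Override
        public void modifyHandshake(ServerEndpointConfig sec, HandshakeRequest request,
                                    HandshakeResponse response) {
            // HandshakeRequest is not an HttpServletRequest, so it must not be cast to one.
            // Upgrade headers are read through getHeaders(); the map is read-only.
            List<String> auth = request.getHeaders().get("Authorization");
            Principal user = request.getUserPrincipal(); // set by the container, may be null
            // Log only whether the header is present, never its value.
            LOG.info("ws handshake uri=" + request.getRequestURI()
                    + " user=" + (user == null ? "<none>" : user.getName())
                    + " authorizationHeaderPresent=" + (auth != null && !auth.isEmpty()));
        }
    }

    @OnOpen
    public void onOpen(Session session) throws IOException {
        // Enforce per connection here; servlet filters never saw this upgrade request.
        Principal user = session.getUserPrincipal();
        if (user == null) {
            session.close(new CloseReason(CloseCodes.VIOLATED_POLICY, "authentication required"));
        }
    }
}
```

Per-connection state is deliberately not stored in `sec.getUserProperties()`, because the endpoint configuration can be shared across connections.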