IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

John Tamplin <jat@google.com> Mon, 30 August 2010 02:18 UTC

Return-Path: <jat@google.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5C2CA3A659B for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 19:18:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.862
X-Spam-Level:
X-Spam-Status: No, score=-105.862 tagged_above=-999 required=5 tests=[AWL=0.114, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2cQyqrZqkoMD for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 19:18:31 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 1C2613A63C9 for <hybi@ietf.org>; Sun, 29 Aug 2010 19:18:31 -0700 (PDT)
Received: from kpbe19.cbf.corp.google.com (kpbe19.cbf.corp.google.com [172.25.105.83]) by smtp-out.google.com with ESMTP id o7U2J1qD020739 for <hybi@ietf.org>; Sun, 29 Aug 2010 19:19:01 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1283134742; bh=LmjHm340plDWiKlpgKhMEJVJh/s=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=j46pEkN7Kmn1FCeJ5qPhf+eORQ74mLanocedjNcLjQe72RKUIiz4Ol7smNZrIUAEX 9KpQiWiO9mfUc12PcSKmw==
Received: from gwaa20 (gwaa20.prod.google.com [10.200.27.20]) by kpbe19.cbf.corp.google.com with ESMTP id o7U2J0jt005121 for <hybi@ietf.org>; Sun, 29 Aug 2010 19:19:00 -0700
Received: by gwaa20 with SMTP id a20so1885920gwa.9 for <hybi@ietf.org>; Sun, 29 Aug 2010 19:19:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=MKJI8yBkyO21h8x9S/0/mFv1WTbxtwjHwa/RFU/X+vo=; b=HoE1sQN5JO026DiGNfvCfFsr0I8e4+pln+/SpsBe5Z7quecmvHUNzr+MJLi5ChEqIr hrEFT/xU+IUABketZpVA==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=mBkiBuZGoz7L5ic6RqPPm5I8Be3QPpFqc7WGGi7mhus3Y90pI05/PhYfXeqzmN6TWk 7srllwBmq1fYUvzI24Dw==
Received: by 10.150.148.19 with SMTP id v19mr4617054ybd.48.1283134740176; Sun, 29 Aug 2010 19:19:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.151.103.4 with HTTP; Sun, 29 Aug 2010 19:18:40 -0700 (PDT)
In-Reply-To: <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com>
From: John Tamplin <jat@google.com>
Date: Sun, 29 Aug 2010 22:18:40 -0400
Message-ID: <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
Content-Type: multipart/alternative; boundary="000e0cd4c790632254048f011658"
X-System-Of-Record: true
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Aug 2010 02:18:32 -0000

On Sun, Aug 29, 2010 at 8:44 PM, Greg Wilkins <gregw@webtide.com> wrote:

> I do not think servers will be a problem, since if you use a HTTP
> server that supports websockets, then it is very likely to just allow
> arbitrary HTTP conversations to take place before the upgrade (as you
> would have to do actual work to prevent that). Jetty certainly
> supports this.
>
> The problem will be the clients.  There is nothing compelling the
> clients to open websocket connections using their HTTP stacks, which
> may be capable of handling redirections, 401's, set-cookies and other
> HTTP stuff commonly used for authentication and authorization. Even if
> the clients do use their HTTP stacks for the websocket handshake,
> there are problems with some features (eg 401's) which need
> interaction from a user, as their may not be appropriate UI mechanisms
> associated with websocket.  So either you will need to develop your
> own client that you know will support the features that you want, or
> their has to be a commonly accepted set of HTTP features that commonly
> deployed websocket capable browsers will accept.
>
> My feeling is that the browsers vendors are less keen on supporting
> HTTP features on websocket handshakes, while the server vendors are
> very keen.  I think some time and experience with real deployments is
> needed for those two positions to converge.  Thus I think at this
> stage having the prohibition on such features removed is the best we
> can expect and that will allows  servers/browsers to experiment with
> supporting HTTP features.
>

I agree that we need to solve authentication with WebSockets, but it isn't
clear emulating HTTP Auth is the best answer.  Since the connection is under
program control and the program has presumably already authenticated itself
with the server, perhaps just providing a way to pass credentials to the
WebSocket constructor (which would then be passed in the handshake) would be
sufficient.  Of course that could always be done by client and server
agreement to send the credentials as the first message, though it may be
common enough to support it directly rather than having every app reinvent
it slightly differently.

-- 
John A. Tamplin
Software Engineer (GWT), Google

v2.23.0 | Report a Bug | By Email