On 08/06/2015 12:38 PM, Heiko W.Rupp wrote:
> That provides only a small part of the whole authentication scheme,
> though: given that a WebSocket can potentially live for a very long time
> (hours, or even days), it's likely that a session might expire during
> the lifetime of the socket connection. So, this connection has to be
> "somehow" refreshed or killed.
What do you mean by session expiring (which session)?
The HTTP session. For instance, if the user has performed a "single sign
out". Then, the user should be logged out of all applications.
What may possibly be more a cause for concern is that a Hawkular user
may have a WS-connection open and the user is removed from the user
database. In this case we may want to invalidate all tokens/grants and
also forcefully disconnect the WS.
That's a good variant for the above scenario.
- Juca.
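
The three cases raised in this thread (session expiry during the socket's lifetime, single sign-out, and removal of the user) can all be handled by tracking which user and HTTP session each open socket belongs to. The sketch below is an added example, not Hawkular code: `SocketRegistry`, `FakeSocket` and all method names are hypothetical, the socket is a constructed stand-in, and token/grant invalidation is assumed to happen in the caller's token store.

```python
import time

POLICY_VIOLATION = 1008  # RFC 6455 close code: policy violation

class FakeSocket:
    """Constructed stand-in for a server-side WebSocket connection."""
    def __init__(self):
        self.closed_with = None

    def close(self, code, reason):
        self.closed_with = (code, reason)

class SocketRegistry:
    """Maps each open socket to the user and HTTP session it was opened under."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._conns = {}  # socket -> [user, session_id, expires_at]

    def register(self, sock, user, session_id, expires_at):
        self._conns[sock] = [user, session_id, expires_at]

    def refresh(self, session_id, expires_at):
        # Session was renewed: extend every socket tied to it.
        for meta in self._conns.values():
            if meta[1] == session_id:
                meta[2] = expires_at

    def _close_where(self, match, reason):
        victims = [s for s, m in self._conns.items() if match(*m)]
        for sock in victims:
            del self._conns[sock]
            sock.close(POLICY_VIOLATION, reason)
        return len(victims)

    def on_single_sign_out(self, session_id):
        return self._close_where(lambda u, sid, exp: sid == session_id, "signed out")

    def on_user_removed(self, user):
        return self._close_where(lambda u, sid, exp: u == user, "user removed")

    def sweep_expired(self):
        # Run periodically: kills sockets whose session lapsed without refresh.
        now = self._clock()
        return self._close_where(lambda u, sid, exp: exp <= now, "session expired")

    def open_count(self):
        return len(self._conns)
```

The event handlers cover sign-out and user removal as soon as they happen, while `sweep_expired` is the fallback for sessions that simply time out with no event to hook.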