Currently the code path requires separate mechanisms for http and websockets. This means the guice scoping logic gets complicated for all business objects derived from SecurityContext/Exchange

For example lets say we are sending a cookie containing a JWT token. For Http we have written an Authentication mechanism which creates a security context and then a guice injector which gets the authenticated data from the security context Principal. 

Now if we need to support websockets, firstly the authentication mechanism is non existent. 

Another example is the Headers. In HttpServerExchange the headers are in a HeaderMap but for websockets it is a Map<String, List<String>>. The injection code that worked off HeaderMap now no longer work in Websocket context.

I feel like this can be improved if there are shared interfaces for these core objects across Http and Websockets so that it becomes easy for downstream code to re-use business object injection logic across the two