but only one connection should be used. Socket connections are expensive, and too many
socket connections from each client will reduce application scalability.
Security should be a top concern when developing a WebSocket endpoint. Hacking can
involve either breaking into a system or overwhelming it with a denial-of-service attack.
It's important to set a maximum size on messages. A hacker may craft a script that attempts
to stream gigabytes of invalid data to a WebSocket endpoint, which has the net effect of
starving legitimate users of resources. Additionally, unless an endpoint is meant to be
publicly available, it should be secured and require an authenticated session. Lastly, secure
WebSockets (wss) should be used to lock down and secure data. If wss isn't used, data is
transmitted over the wire in plain text, meaning it can be easily intercepted, changed, and
so on. Even if a page is requested using HTTPS, opening a WebSocket connection using
ws: will result in an unencrypted socket connection being created. Now that you have a
handle on best practices, it's time to wrap up the chapter.
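The three practices above (a message size cap, an authenticated session, and wss only) can be enforced inside a JSR-356 annotated endpoint, as in this added example, which is not code from the book. The endpoint path, class name, and limits are assumptions chosen for illustration, and the container is assumed to authenticate the user during the HTTP handshake.

```java
import java.io.IOException;
import javax.websocket.CloseReason;
import javax.websocket.CloseReason.CloseCodes;
import javax.websocket.OnMessage;
import javax.websocket.OnOpen;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

// Hypothetical endpoint: the path, class name and limits are illustrative.
@ServerEndpoint("/secure-chat")
public class SecureChatEndpoint {

    // Assumed cap: 8 KiB per text message.
    private static final long MAX_TEXT_BYTES = 8 * 1024;
    // Assumed idle timeout so abandoned sockets do not hold resources.
    private static final long IDLE_TIMEOUT_MS = 60_000L;

    @OnOpen
    public void onOpen(Session session) throws IOException {
        // isSecure() is false for ws:// connections; only wss:// is encrypted.
        if (!session.isSecure()) {
            session.close(new CloseReason(CloseCodes.VIOLATED_POLICY, "wss required"));
            return;
        }
        // The principal is null when the handshake was not authenticated.
        if (session.getUserPrincipal() == null) {
            session.close(new CloseReason(CloseCodes.VIOLATED_POLICY, "login required"));
            return;
        }
        session.setMaxTextMessageBufferSize((int) MAX_TEXT_BYTES);
        session.setMaxIdleTimeout(IDLE_TIMEOUT_MS);
    }

    // With maxMessageSize set, the container rejects an oversized message and
    // closes the connection (close code 1009) instead of calling this method.
    @OnMessage(maxMessageSize = MAX_TEXT_BYTES)
    public String onMessage(String message, Session session) {
        // The returned string is sent back to the client that sent the message.
        return session.getUserPrincipal().getName() + ": " + message.trim();
    }
}
```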
14.6. Summary
This chapter began by introducing WebSockets and comparing them to AJAX and Comet.
Unlike either AJAX or Comet, WebSockets provide full duplex bidirectional communication
between the browser and server. WebSockets were introduced with HTML5 and, unlike
Comet, which contorts existing technologies to enable the server to send messages
without an initial request from the client, WebSockets are fully standardized and widely
supported. WebSockets use the existing HTTP infrastructure and are thus compatible with
existing firewalls.
Java EE 7 included standardized support for WebSockets via JSR-356. WebSockets can be
defined either programmatically or via annotations. The programmatic approach is more
flexible and enables control over the creation of the endpoint, as well as separation between
the endpoint and the message handler. Annotated endpoints are easy to use. With annotated
endpoints, just annotate a POJO with @ServerEndpoint and provide at least one method
annotated with @OnMessage.
The WebSocket API supports the registration of message encoders and decoders. Encoders
and decoders simplify development and allow for the message handler to receive Java
objects instead of a raw stream. But a message handler can also receive plain text or an input
stream of bytes. It can also optionally wait for the entire message or process the message