https://docs.oracle.com/javaee/7/api/javax/websocket/server/ServerEndpointConfig.Configurator.html#checkOrigin-java.lang.String-
First it says:

"The platform default implementation of this method makes a check of the validity of the Origin header sent along with the opening handshake following the recommendation at: Sending the Server's Opening Handshake <http://tools.ietf.org/html/rfc6455#section-4.2>."

As far as we can test, the websocket is always allowed. So what does Tomcat do?

I see the default implementation just does getContainerDefaultConfigurator:
https://github.com/eclipse-ee4j/websocket-api/blob/master/api/server/src/main/java/javax/websocket/server/ServerEndpointConfig.java#L155
And what is the default configurator?

Also, what I find weird about that method, but I guess there is nothing Tomcat can really do about it, is the single param that you get. What if we always want to allow if the origin and the host itself are the same? But we only get the origin. So we have to have a configured list? The problem is that that is not so easy to do, because our application can be deployed under many different domains by our customers.

So I guess we can test it in modifyHandshake, but what should we do if we test the host and the origin? Should we then throw an exception?

--
Johan Compagner
Servoy
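
A same-host check of the kind asked about above can also be made before the WebSocket container sees the request, by answering a mismatching handshake with 403. This is an added example, not code from the original post or from Tomcat. The class name `SameOriginWebSocketFilter` is hypothetical, and it assumes the filter is mapped to the endpoint's URL in `web.xml` and that the `Host` header reaches the application unchanged (no rewriting reverse proxy in front).

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects WebSocket upgrades whose Origin differs from the Host header. */
public class SameOriginWebSocketFilter implements Filter {

    /** True only when Origin is an http(s) URI whose host and port equal those of the Host header. */
    static boolean sameOrigin(String origin, String host) {
        if (origin == null || host == null) {
            return false; // non-browser clients may omit Origin; this example rejects them
        }
        try {
            URI o = new URI(origin);
            String scheme = o.getScheme();
            if (scheme == null || o.getHost() == null) return false; // e.g. the literal "null" origin
            boolean tls = scheme.equalsIgnoreCase("https");
            if (!tls && !scheme.equalsIgnoreCase("http")) return false;
            int defaultPort = tls ? 443 : 80;
            int originPort = o.getPort() == -1 ? defaultPort : o.getPort();
            // Parse the Host header the same way so "example.com" equals "example.com:443" on https.
            URI h = new URI(scheme + "://" + host);
            if (h.getHost() == null) return false;
            int hostPort = h.getPort() == -1 ? defaultPort : h.getPort();
            return o.getHost().equalsIgnoreCase(h.getHost()) && originPort == hostPort;
        } catch (URISyntaxException e) {
            return false; // malformed header: fail closed
        }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        boolean upgrade = "websocket".equalsIgnoreCase(http.getHeader("Upgrade"));
        if (upgrade && !sameOrigin(http.getHeader("Origin"), http.getHeader("Host"))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // the handshake never reaches the WebSocket container
        }
        chain.doFilter(req, res);
    }
}
```

Because the comparison uses the request's own `Host` header, no per-customer list of allowed domains is needed; deployments behind a proxy that rewrites `Host` would have to compare against the forwarded host instead.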