CometD Java Server Authorization

Java Server CometD API: Authorization

The Bayeux object can be configured with an org.cometd.SecurityPolicy object, which lets you control the various steps of the Bayeux protocol such as handshake, subscription, publish, etc.
By default, the Bayeux object has no SecurityPolicy installed, which means that every operation is authorized.

The org.cometd.SecurityPolicy interface has a default implementation in org.cometd.server.AbstractBayeux$DefaultPolicy, which is useful as a base class when customizing the SecurityPolicy (see how authentication works for an example).

The org.cometd.SecurityPolicy methods are:

boolean canHandshake(Message message);

boolean canCreate(Client client, String channel, Message message);

boolean canSubscribe(Client client, String channel, Message message);

boolean canPublish(Client client, String channel, Message message);

The method names are self-explanatory: they control, respectively, whether a handshake, a channel creation, a subscription to a channel and a publish to a channel are authorized.

The default implementation org.cometd.server.AbstractBayeux.DefaultPolicy:

  • allows any handshake
  • allows channel creation only from clients that have completed the handshake, and only if the channel is not a meta channel
  • allows subscription from clients that have completed the handshake, but not if the channel is a meta channel or one of the global channel wildcards /** and /*
  • allows publishing from clients that have completed the handshake to any channel, and from clients that are still handshaking to the handshake meta channel only
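As an added example (not code from the original page or from the CometD project), the following policy extends DefaultPolicy and narrows its rules to a per-application channel namespace; the NamespacePolicy class name and the /chat/ and /admin/ prefixes are assumptions, and the code relies only on the SecurityPolicy methods listed above.

```java
import org.cometd.Client;
import org.cometd.Message;
import org.cometd.server.AbstractBayeux;

// Hypothetical policy: keep DefaultPolicy's checks (handshook clients only,
// no meta channels, no /** and /*) and additionally confine remote clients
// to an application namespace while fencing off a privileged one.
public class NamespacePolicy extends AbstractBayeux.DefaultPolicy {
    private static final String APP_PREFIX = "/chat/";    // assumed application namespace
    private static final String ADMIN_PREFIX = "/admin/"; // assumed privileged namespace

    @Override
    public boolean canCreate(Client client, String channel, Message message) {
        // Clients may only create channels inside the application namespace.
        return channel != null
            && channel.startsWith(APP_PREFIX)
            && super.canCreate(client, channel, message);
    }

    @Override
    public boolean canSubscribe(Client client, String channel, Message message) {
        // Remote clients never get to subscribe to the admin namespace;
        // everything else is left to the default rules.
        if (channel == null || channel.startsWith(ADMIN_PREFIX)) {
            return false;
        }
        return super.canSubscribe(client, channel, message);
    }

    @Override
    public boolean canPublish(Client client, String channel, Message message) {
        if (channel == null) {
            return false;
        }
        // Meta channels (including the handshake meta channel used by clients
        // that have not handshaken yet) keep the default behaviour.
        if (channel.startsWith("/meta/")) {
            return super.canPublish(client, channel, message);
        }
        // The default allows publishing to any channel once handshook;
        // restrict that to the application namespace.
        return channel.startsWith(APP_PREFIX)
            && super.canPublish(client, channel, message);
    }
}
```

Because each override still calls the superclass, a client that has not completed the handshake is rejected exactly as with DefaultPolicy; the prefix checks only ever remove permissions, never grant new ones.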

To understand how to install your custom SecurityPolicy on the Bayeux object, see how it is done in the authentication howto.