As mentioned e.g. in the HTML5Rocks WebSockets tutorial,
The server decides whether to make its service available to all clients or only those that reside on a set of well defined domains.
OK, how to do that with the Java API for WebSocket 1.0 (JSR 356), running on Tomcat?
See ServerEndpointConfig.Configurator#checkOrigin
Once registered, the checkOrigin method will be called with the value of the "Origin" HTTP header as a parameter, and then you can return true if it's OK, or false, which should result in HTTP 403 - Origin not verified.
(Please ignore any references to project Tyrus in the javadoc; the API (javax.websocket.*) is the same for all implementations.)
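An example of such a configurator, added here as an illustration and not code from the answer above, from Tomcat or from Tyrus: the class name, the endpoint path and the allowlisted origins are assumptions. It canonicalizes the Origin value to scheme://host:port and does an exact allowlist lookup, rejects a missing or "null" Origin (the default Configurator#checkOrigin accepts everything, including requests that carry no Origin at all), and never uses prefix or substring matching, which attacker-controlled hosts like app.example.com.evil.net would defeat.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.websocket.server.ServerEndpoint;
import javax.websocket.server.ServerEndpointConfig;

/** Hypothetical allowlist-based Origin check for a JSR 356 endpoint. */
public class OriginCheckingConfigurator extends ServerEndpointConfig.Configurator {

    // Assumed allowlist: exact serialized origins with an explicit port.
    private static final Set<String> ALLOWED_ORIGINS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "https://app.example.com:443",
                    "https://admin.example.com:443")));

    @Override
    public boolean checkOrigin(String originHeaderValue) {
        // Non-browser clients may omit Origin entirely. Fail closed here;
        // relax this deliberately only if such clients must be served.
        if (originHeaderValue == null || originHeaderValue.trim().isEmpty()) {
            return false;
        }
        // Browsers send the literal "null" for opaque origins
        // (sandboxed iframes, file:// pages). Treat it as untrusted.
        if ("null".equalsIgnoreCase(originHeaderValue.trim())) {
            return false;
        }
        String normalized = normalize(originHeaderValue);
        // Returning false makes the container reject the handshake (403 on Tomcat).
        return normalized != null && ALLOWED_ORIGINS.contains(normalized);
    }

    /** Canonicalize to "scheme://host:port" so an exact set lookup is safe. */
    static String normalize(String origin) {
        URI uri;
        try {
            uri = new URI(origin.trim());
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return null;
        }
        // A serialized origin never carries userinfo, path, query or fragment;
        // anything with those is malformed or an attempt to confuse the parser.
        String path = uri.getRawPath();
        if (uri.getRawUserInfo() != null || (path != null && !path.isEmpty())
                || uri.getRawQuery() != null || uri.getRawFragment() != null) {
            return null;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        int port = uri.getPort();
        if (port == -1) {
            if ("https".equals(scheme)) {
                port = 443;
            } else if ("http".equals(scheme)) {
                port = 80;
            } else {
                return null; // unknown scheme, no default port to assume
            }
        }
        return scheme + "://" + host + ":" + port;
    }
}

/** Assumed endpoint wired to the configurator above. */
@ServerEndpoint(value = "/chat", configurator = OriginCheckingConfigurator.class)
class ChatEndpoint {
    // @OnOpen / @OnMessage handlers as usual
}
```

Keep in mind what this check does and does not buy you: the Origin header is set by the browser and cannot be altered by page script, so the check stops cross-site WebSocket hijacking from a malicious web page, but any non-browser client can send whatever Origin it likes. It is not authentication; the endpoint still needs to authenticate the session (for example via the handshake's cookies or a token in the first message).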