The WebSocket upgrade is typically done before anything
else.
That includes cookie management, authentication,
parameter handling, content-type handling, content-encoding
handling, etc ...
Typically, the WebSocket upgrade is done via a
WebSocketUpgradeFilter (which sits first in line of the filter
chain).
But in your specific case, I would recommend NOT using
javax.websocket API, and use the Jetty WebSocket API instead.
Register your own custom WebSocketCreator implementation
that works within your web app.
That way you are in (limited) control over what the upgrade
does.
I say limited, as there are many things not supported
during the websocket upgrade handshake, and using the
WebSocketCreator handles much of that for you (eg: many
standard HTTP Response headers are forbidden during websocket
upgrade).
To use this, you would continue to use the
WebSocketUpgradeFilter and add path mappings to your custom
creator (be it Servlet url-pattern, or Regex, and even Uri
Template path mappings).