[rabbitmq-discuss] Web-STOMP plugin - Authentication with SSL Client Certificates

Andrei andrei002 at gmail.com
Fri Jun 20 14:09:57 BST 2014


Hello again!

> There is nothing more permanent than temporary solutions in software.
> We cannot later tell our commercial customers "you know guys, that feature
> that your app is built on, it was temporary. Good luck with upgrading!"
>

Okay, agreed, now let me rephrase it then: this solution could be made
permanent and marketed as an additional feature, so besides authenticating
using the Websocket connect function, basic authentication via HTTP headers
will also be available. :)

> HTTPS should give you a reasonable protection from tampering and MITM.
> Making your credentials user-specific and "tokens" that you use to obtain
> "real" credentials ephemeral should protect reasonably well from malicious
> users.
>

The thing that I don't like about this scheme is that a malicious end-user
has the possibility of brute-forcing the rabbitmq user database by
tampering with the client JS code running in his browser, as currently it's
the only entry point where "real" credentials can be introduced.

Another issue with this approach is that a whole new server module is
needed for handling ticketing, token generation, user access determination
based on pulling data from rabbitmq user database or from LDAP, all of this
adding unnecessary overhead to the entire design, and still not assuring
proper security.

> Your plan involves using basic HTTP authentication. How is this really
> more secure than using temporary tokens to programmatically obtain a pair
> of credentials?
>

In the design that I suggest, the weaknesses of the HTTP basic auth are
irrelevant as the rabbitmq instance running Cowboy will be invisible to the
outside world, and also the end-user has no direct access to the entry
point where "real" credentials are introduced:

1. From client JS code any user/password can be introduced in the SockJS
connect string; the exact values are totally irrelevant as these will be
later overwritten, with no possibility for the end-user to influence the
process that overwrites them;

2. The websocket HTTP handshake request reaches Nginx, which then takes the
CN field from the client certificate, attaches it as an HTTP header to the
request and forwards it to an internal rabbitmq instance, which is hidden
from the outside world.

3. The Web-STOMP plugin overwrites the user-supplied values with those from
the header before forwarding them to the STOMP processor for final
authentication on rabbitmq.

4. ???????

5. PROFIT!!
Authentication takes place completely transparently to the user.

> What were the exact steps you performed? R16B02 should be plenty sufficient
> for Cowboy and Rabbit. To build web-stomp, clone the umbrella, `make up` in
> it, then cd rabbitmq-web-stomp and run `make`.
>

That's exactly what I did. Just tried it again, and still the same outcome:

../cowboy-wrapper/cowboy-git/src/cowboy_clock.erl: undefined parse
transform 'eunit_autoexport'
make: *** [../cowboy-wrapper/ebin/cowboy_clock.beam] Error 1

> The Google group is just a way to start a conversation
> w/o signing up. Join rabbitmq-discuss proper.
>

The problem seems to be that I joined the group from the Google Groups, and
not from Rabbitmq site. I have now registered there, too, so hopefully this
message will show up properly.

Thanks!
Andy.

On Thu, Jun 19, 2014 at 10:12 PM, Michael Klishin <mklishin at gopivotal.com>
wrote:

>
>
> On 19 June 2014 at 19:47:28, Andrei (andrei002 at gmail.com) wrote:
> > Well it won't need that much support as the changes are minimal
> > and impact just a few lines of code in two source files, and also
> > it'll be just a temporary solution till proper support for SSL
> > client auth will be implemented :)
>
> There is nothing more permanent than temporary solutions in software.
> We cannot later tell our commercial customers "you know guys, that feature
> that your app is built on, it was temporary. Good luck with upgrading!"
>
> > > * It may also run into limitations in SockJS
> >
> > What kind of limitations do you mean here?
>
> I can't name any specific one without trying to implement the thing but
> I assure you APIs don't always provide exactly what you want :)
>
> > > So I'd recommend combining HTTPS connection with credentials
> > > obtained from an HTTPS endpoint in your JS application.
> >
> > We have considered this approach, however the problem is that
> > the JS code initiating the websocket connection runs in the user's
> > web browser, and this makes such kind of solutions rather insecure.
> > On the other side using client certificate data for authentication
> > is both secure and happens completely transparently to the end-user.
>
> HTTPS should give you a reasonable protection from tampering and MITM.
> Making your credentials user-specific and "tokens" that you use to obtain
> "real" credentials ephemeral should protect reasonably well from malicious
> users.
>
> > So, I'd be very grateful if you could take a closer look at the solution
> > I've previously suggested and provide some hints on which changes
> > should be applied to the sockjs-erlang-wrapper and web-stomp
> > source in order to implement it.. unfortunately I'm having a
> > bit of a hard time figuring out where exactly to add that additional
> > HTTP header processing code..
>
> Your plan involves using basic HTTP authentication. How is this really
> more secure than using temporary tokens to programmatically obtain a pair
> of credentials?
>
> > Another issue I ran into playing with this is an error showing
> > up when trying to compile the original web-stomp plugin from
> > the rabbitmq-public-umbrella:
> >
> > ../cowboy-wrapper/cowboy-git/src/cowboy_clock.erl: undefined
> > parse transform 'eunit_autoexport'
> > make: *** [../cowboy-wrapper/ebin/cowboy_clock.beam] Error 1
> >
> > Could you please shed some light on this? I've checked out the
> > latest rabbitmq-public-umbrella and my Erlang version is R16B02.
>
> What were the exact steps you performed? R16B02 should be plenty sufficient
> for Cowboy and Rabbit. To build web-stomp, clone the umbrella, `make up`
> in it, then cd rabbitmq-web-stomp and run `make`.
>
> > P.S.: Although you have CCd rabbitmq-discuss group in the previous
> > messages, somehow these are not visible to me on the Rabbitmq-discuss
> > Google Group. Are there some viewing or access restrictions
> > set up?
>
> The Google group is just a way to start a conversation
> w/o signing up. Join rabbitmq-discuss proper.
> --
> MK
>
> Software Engineer, Pivotal/RabbitMQ
>