[rabbitmq-discuss] Problem with security using STOMP
grzegorz.gebura at gmail.com
Mon Mar 3 09:06:31 GMT 2014
I am trying to prepare a simple model for sending messages to a web browser
using RabbitMQ. I want to use only one exchange with many queues, which
will be created by users connecting via STOMP (exclusive and auto-delete
queues). Queues are bound with a random token as the routing key, and the user has to
know this token to read the current queue.
I have two problems:
1) A user can get the login and password, create his own connection,
subscribe to my exchange with the # routing key, and read all messages. Is there
any possibility to disallow subscribing with the # routing key (maybe by
determining user permissions)? I want to use only one user with restricted
permissions (only reading defined exchange and creating auto-deleted,
I don't want to create exchanges per user (this will solve my problem),
because I will have to create and manage users and exchanges by HTTP API.
2) A user can subscribe to many queues, so he can create millions of queues and
crash my rabbit server. Can I handle that by limiting queues per connection
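Added example, not part of the original post: a small model of AMQP topic-exchange matching that shows why a secret token used as routing key does not protect messages once a client may choose its own binding key, together with a literal-key check. It assumes the exchange is a topic exchange; binding_key_allowed is a hypothetical policy for a component that vets subscribe requests before they reach the broker, not a RabbitMQ API, and the tokens are constructed sample values.

```python
import secrets

# Constructed sample tokens standing in for per-user routing keys.
SAMPLE_TOKENS = [secrets.token_hex(16) for _ in range(3)]


def topic_matches(binding_key: str, routing_key: str) -> bool:
    """Topic matching: '*' is exactly one word, '#' is zero or more words."""
    pattern = binding_key.split(".") if binding_key else []
    words = routing_key.split(".") if routing_key else []

    def match(p: int, w: int) -> bool:
        if p == len(pattern):
            return w == len(words)
        if pattern[p] == "#":
            # '#' may absorb any number of the remaining words, including none.
            return any(match(p + 1, k) for k in range(w, len(words) + 1))
        if w == len(words):
            return False
        return pattern[p] in ("*", words[w]) and match(p + 1, w + 1)

    return match(0, 0)


def readable_tokens(binding_key: str, tokens: list) -> list:
    """Routing keys whose messages a queue bound with binding_key receives."""
    return [t for t in tokens if topic_matches(binding_key, t)]


def binding_key_allowed(binding_key: str) -> bool:
    """Hypothetical policy: accept only a non-empty key with no wildcard words."""
    words = binding_key.split(".")
    return bool(binding_key) and not any(word in ("*", "#") for word in words)


if __name__ == "__main__":
    for key in ("#", "*", SAMPLE_TOKENS[0]):
        print(f"binding key {key!r}: allowed={binding_key_allowed(key)}, "
              f"receives {len(readable_tokens(key, SAMPLE_TOKENS))} of "
              f"{len(SAMPLE_TOKENS)} token streams")
```

Because the tokens are single words, a binding key of * exposes them just as # does, so the check has to reject both wildcards.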