[rabbitmq-discuss] Web-STOMP plugin - Authentication with SSL Client Certificates

Andrei andrei002 at gmail.com
Wed Jun 18 16:51:56 BST 2014


Hi Michael,

Thanks for the feedback!

I have a few more questions:

1. Is there any possibility for this feature to be implemented in one of
the next releases, in order for Web-STOMP to be fully compatible with STOMP
plugin?

2. In case it is too complex to implement due to lack of client SSL
authentication mechanisms in Cowboy, could it be implemented in the
following way, as a workaround?

a. On Websocket session initiation handshake over HTTP, Cowboy will receive
an HTTP header containing the username/password string from the client
(which in reality will contain the CN field stripped from the client
certificate and appended to the HTTP request by Nginx)

b. This string should probably be extracted from the request somewhere here:
http://hg.rabbitmq.com/sockjs-erlang-wrapper/file/6be67ee815ff/0003-websocket-subprotocol

c. And then sent down the calls as a parameter up to the call of the
rabbitmq_stomp_processor here (
http://hg.rabbitmq.com/rabbitmq-web-stomp/file/c3e862675fac/src/rabbit_ws_client_sup.erl),
or maybe earlier, and replace the username/password arguments of the
CONNECT STOMP command.

Thus, some default username/password strings sent from client JS code will
be replaced with this additional handshake HTTP header which will be sent
by Nginx and contain the CN field of the client certificate.

Unfortunately I'm not an Erlang developer, so much of this is wild
guessing..

Please let me know of your opinion on this approach, and I'd be really
grateful for some assistance with implementing the sockjs-erlang-wrapper
and Web-STOMP part of this solution, in case it looks to be feasible to
you..

Thanks a lot for checking this out!

Best regards,
Andy.

P.S.: Although you have CC'd rabbitmq-discuss group in the previous
messages, somehow these are not visible to me on the Rabbitmq-discuss
Google Group. Are there some viewing or access restrictions set up?


On Sat, Jun 14, 2014 at 1:28 AM, Michael Klishin <mklishin at gopivotal.com>
wrote:

> On 14 June 2014 at 02:21:50, Andrei (andrei002 at gmail.com) wrote:
> > > The question is whether the Web-STOMP plugin also has an option
> > like this, i.e. something like:
> > {rabbitmq_web_stomp, [{ssl_cert_login, true}]}
>
> No, it's not currently supported in Web-STOMP.
> --
> MK
>
> Software Engineer, Pivotal/RabbitMQ
>
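
The workaround in steps a to c of the message above depends on the backend accepting the CN header only when the reverse proxy really set it. The following is an added Python model of that check, not code from this thread, the Web-STOMP plugin or sockjs-erlang-wrapper; the header names, the proxy address and all function names are assumptions made for the illustration.

```python
import ipaddress

# Assumed values (not from the thread): proxy address and header names.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}
CN_HEADER = "x-ssl-client-cn"          # CN the proxy took from the client cert
VERIFY_HEADER = "x-ssl-client-verify"  # proxy's certificate verification result


class HandshakeRejected(Exception):
    """The handshake must not be mapped to any STOMP identity."""


def _single(headers, name):
    """Return the only value of a header, None if absent; reject duplicates."""
    values = [v for k, v in headers if k.lower() == name]
    if len(values) > 1:
        raise HandshakeRejected(f"duplicate {name} header")
    return values[0] if values else None


def login_from_handshake(peer_ip, headers):
    """Return the certificate CN to use as the STOMP login, or raise."""
    # Only the proxy may assert an identity; a direct client could forge it.
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        raise HandshakeRejected("identity header from untrusted peer")
    # The proxy must have verified the certificate, not merely seen one.
    if _single(headers, VERIFY_HEADER) != "SUCCESS":
        raise HandshakeRejected("client certificate not verified")
    cn = _single(headers, CN_HEADER)
    # STOMP headers are line-delimited: control characters could inject headers.
    if not cn or any(ord(c) < 0x20 or c == "\x7f" for c in cn):
        raise HandshakeRejected("missing or malformed CN")
    return cn


def rewrite_connect(connect_headers, peer_ip, http_headers):
    """Replace the client-sent login/passcode with the proxy-asserted CN."""
    rewritten = dict(connect_headers)
    rewritten["login"] = login_from_handshake(peer_ip, http_headers)
    rewritten.pop("passcode", None)  # placeholder credentials are discarded
    return rewritten


if __name__ == "__main__":
    # Constructed sample handshake headers as forwarded by the proxy.
    hdrs = [("X-SSL-Client-Verify", "SUCCESS"), ("X-SSL-Client-CN", "alice")]
    print(rewrite_connect({"login": "guest", "passcode": "guest"}, "127.0.0.1", hdrs))
```

The proxy side has to overwrite both headers on every request, so that a copy sent by the browser never reaches the backend; the duplicate-header check above only catches the case where it does.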