[rabbitmq-discuss] Web-STOMP plugin - Authentication with SSL Client Certificates

Michael Klishin mklishin at gopivotal.com
Thu Jun 19 08:30:42 BST 2014

On 18 June 2014 at 19:51:57, Andrei (andrei002 at gmail.com) wrote:
> > 1. Is there any possibility for this feature to be implemented  
> in one of the next releases, in order for Web-STOMP to be fully  
> compatible with STOMP plugin?
> 2. In case it is too complex to implement due to lack of client SSL  
> authentication mechanisms in Cowboy, could it be implemented  
> in the following way, as a workaround?

It's possible to add SSL certificate authentication to Web STOMP
but it may involve upgrading Cowboy and SockJS first => not a trivial amount of work.

The workaround you suggest may work but

 * It will be hard to justify supporting such a homegrown authentication scheme
 * It may also run into limitations in SockJS

So I'd recommend combining HTTPS connection with credentials obtained from an HTTPS
endpoint in your JS application. This is not great but largely is the state of
the art in Web messaging authentication. Fairly big Web players recommend something
very similar [1].

1. https://devcenter.heroku.com/articles/websocket-security  

Software Engineer, Pivotal/RabbitMQ

More information about the rabbitmq-discuss mailing list