[rabbitmq-discuss] Web-STOMP plugin - Authentication with SSL Client Certificates

Andrei andrei002 at gmail.com
Thu Jun 19 16:47:28 BST 2014


Hi Michael,

> * It will be hard to justify supporting such a homegrown authentication
> scheme

Well, it won't need that much support, as the changes are minimal and affect
just a few lines of code in two source files; also, it'll be just a
temporary solution until proper support for SSL client auth is
implemented :)

> * It may also run into limitations in SockJS

What kind of limitations do you mean here?

> So I'd recommend combining HTTPS connection with credentials obtained from
> an HTTPS endpoint in your JS application.

We have considered this approach; however, the problem is that the JS code
initiating the websocket connection runs in the user's web browser, and
this makes such solutions rather insecure.
On the other hand, using client certificate data for authentication is both
secure and completely transparent to the end user.

So I'd be very grateful if you could take a closer look at the solution
I've previously suggested and provide some hints on which changes should be
applied to the sockjs-erlang-wrapper and web-stomp source in order to
implement it. Unfortunately, I'm having a bit of a hard time figuring out
where exactly to add that additional HTTP header processing code.

Another issue I ran into playing with this is an error showing up when
trying to compile the original web-stomp plugin from the
rabbitmq-public-umbrella:

../cowboy-wrapper/cowboy-git/src/cowboy_clock.erl: undefined parse
transform 'eunit_autoexport'
make: *** [../cowboy-wrapper/ebin/cowboy_clock.beam] Error 1

Could you please shed some light on this? I've checked out the latest
rabbitmq-public-umbrella and my Erlang version is R16B02.

Also, maybe you missed my question from last time:

> P.S.: Although you have CC'd the rabbitmq-discuss group in the previous
> messages, somehow these are not visible to me on the Rabbitmq-discuss
> Google Group. Are there some viewing or access restrictions set up?

Thank you!

Best regards,
Andy.

On Thu, Jun 19, 2014 at 10:30 AM, Michael Klishin <mklishin at gopivotal.com>
wrote:

> On 18 June 2014 at 19:51:57, Andrei (andrei002 at gmail.com) wrote:
> > > 1. Is there any possibility for this feature to be implemented
> > in one of the next releases, in order for Web-STOMP to be fully
> > compatible with the STOMP plugin?
> >
> > 2. In case it is too complex to implement due to lack of client SSL
> > authentication mechanisms in Cowboy, could it be implemented
> > in the following way, as a workaround?
>
> It's possible to add SSL certificate authentication to Web STOMP
> but it may involve upgrading Cowboy and SockJS first => not a trivial
> amount of work.
>
> The workaround you suggest may work but
>
>  * It will be hard to justify supporting such a homegrown authentication
> scheme
>  * It may also run into limitations in SockJS
>
> So I'd recommend combining HTTPS connection with credentials obtained from
> an HTTPS endpoint in your JS application. This is not great but largely is
> the state of the art in Web messaging authentication. Fairly big Web players
> recommend something very similar [1].
>
> 1. https://devcenter.heroku.com/articles/websocket-security
> --
> MK
>
> Software Engineer, Pivotal/RabbitMQ
>
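Editorial addition, not part of the thread: the workaround discussed above has a TLS-terminating front end verify the browser's client certificate and forward the resulting identity to web-stomp in HTTP headers. The point Michael's "homegrown authentication scheme" warning hints at is that such a header is only evidence of anything if the receiving side can be sure who set it; a client that reaches the back end directly can send the same header and pick any username. The following Python (chosen so it runs stand-alone, rather than the plugin's Erlang) shows the receiving-side check such a scheme needs. It is not code from web-stomp, sockjs-erlang-wrapper or either poster; the header names are assumptions modelled on nginx's `$ssl_client_verify` and `$ssl_client_s_dn` variables, and the proxy address and DNs are constructed test data.

```python
"""Trust check for a client-certificate identity forwarded in HTTP headers.

Added example, not code from web-stomp, sockjs-erlang or the thread. It
assumes a TLS-terminating front end that verifies the browser's client
certificate and forwards the result in two headers (names assumed, modelled
on nginx's $ssl_client_verify / $ssl_client_s_dn variables). The proxy
address and the DNs below are constructed test data.
"""
import ipaddress

# Constructed: only these peers are allowed to assert a client identity.
# A browser (or anyone) that reaches the back end directly can set the same
# headers, so without this check the scheme is a one-header auth bypass.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

VERIFY_HEADER = "x-ssl-client-verify"  # assumed; proxy sets "SUCCESS" on a verified cert
DN_HEADER = "x-ssl-client-s-dn"        # assumed; RFC 4514-style subject DN


class AuthError(Exception):
    """Raised when no trustworthy identity can be derived from the request."""


def parse_dn(dn):
    """Split an RFC 4514 DN ("CN=alice,O=Example") into {attr: value}.

    Handles backslash escapes (e.g. "\\," inside a value); multi-valued RDNs
    ("+") are not supported. Duplicate attribute types are rejected because
    "CN=admin,CN=alice" would make the identity ambiguous.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise AuthError("dangling escape in DN")
    parts.append("".join(buf))

    attrs = {}
    for part in parts:
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or not attr or not value:
            raise AuthError("malformed RDN %r" % part)
        if attr in attrs:
            raise AuthError("duplicate attribute %s in DN" % attr)
        attrs[attr] = value
    return attrs


def username_from_headers(headers, peer_ip):
    """Return the username (CN) asserted by the proxy, or raise AuthError.

    Order matters: the peer address is checked before any header is read, so
    header contents from an untrusted source are never interpreted at all.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        raise AuthError("identity headers accepted only from the TLS-terminating proxy")
    h = {k.lower(): v for k, v in headers.items()}
    if h.get(VERIFY_HEADER) != "SUCCESS":
        raise AuthError("proxy did not report a verified client certificate")
    dn = h.get(DN_HEADER)
    if not dn:
        raise AuthError("no client certificate subject forwarded")
    cn = parse_dn(dn).get("CN")
    if not cn:
        raise AuthError("client certificate subject has no CN")
    return cn


def rejects(headers, peer_ip):
    """True if the request yields no identity (used by the demo and tests)."""
    try:
        username_from_headers(headers, peer_ip)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    good = {"X-SSL-Client-Verify": "SUCCESS", "X-SSL-Client-S-DN": "CN=alice,O=Example"}
    print(username_from_headers(good, "10.0.0.5"))                 # alice, via the proxy
    print(rejects(good, "203.0.113.9"))                            # True: same headers, direct connection
    print(rejects({"X-SSL-Client-S-DN": "CN=alice"}, "10.0.0.5"))  # True: no verify result
```

The peer check is the part that cannot be left out: in a deployment where the browser can reach the web-stomp listener without going through the proxy, the two header lines are all an attacker needs. Restricting the listener to the proxy's address (firewall or bind address) belongs alongside the check in code, not instead of it.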