[rabbitmq-discuss] Web-STOMP plugin - Authentication with SSL Client Certificates

Michael Klishin mklishin at gopivotal.com
Thu Jun 19 20:12:39 BST 2014

On 19 June 2014 at 19:47:28, Andrei (andrei002 at gmail.com) wrote:
> > Well it won't need that much support as the changes are minimal  
> and impact just a few lines of code in two source files, and also  
> it'll be just a temporary solution till proper support for SSL  
> client auth will be implemented :)

There is nothing more permanent than temporary solutions in software.
We cannot later tell our commercial customers "you know guys, that feature
that your app is built on, it was temporary. Good luck with upgrading!"

> > * It may also run into limitations in SockJS
> What kind of limitations do you mean here?

I can't name any specific one without trying to implement the thing but
I assure you APIs don't always provide exactly what you want :)

> > So I'd recommend combining HTTPS connection with credentials  
> obtained from an HTTPS endpoint in your JS application.
> We have considered this approach, however the problem is that  
> the JS code initiating the websocket connection runs in the user's  
> web browser, and this makes such kind of solutions rather insecure.  
> On the other side using client certificate data for authentication  
> is both secure and happens completely transparently to the end-user.  

HTTPS should give you a reasonable protection from tampering and MITM.
Making your credentials user-specific and "tokens" that you use to obtain
"real" credentials ephemeral should protect reasonably well from malicious

> So, I'd be very grateful if you could take a closer look at the solution  
> I've previously suggested and provide some hints on which changes  
> should be applied to the sockjs-erlang-wrapper and web-stomp  
> source in order to implement it.. unfortunately I'm having a  
> bit of a hard time figuring out where exactly to add that additional  
> HTTP header processing code..

Your plan involves using basic HTTP authentication. How is this really
more secure than using temporary tokens to programmatically obtain a pair
of credentials? 

> Another issue I ran into playing with this is an error showing  
> up when trying to compile the original web-stomp plugin from  
> the rabbitmq-public-umbrella:
> ../cowboy-wrapper/cowboy-git/src/cowboy_clock.erl: undefined  
> parse transform 'eunit_autoexport'
> make: *** [../cowboy-wrapper/ebin/cowboy_clock.beam] Error  
> 1
> Could you please shed some light on this? I've checked out the  
> latest rabbitmq-public-umbrella and my Erlang version is R16B02.  

What were the exact steps you performed? R16B02 should be plenty sufficient
for Cowboy and Rabbit. To build web-stomp, clone the umbrella, `make up` in it,
then cd rabbitmq-web-stomp and run `make`.

> > P.S.: Although you have CCd rabbitmq-discuss group in the previous  
> messages, somehow these are not visible to me on the Rabbitmq-discuss  
> Google Group. Are there some viewing or access restrictions  
> set up?

The Google group is just a way for start a conversation
w/o signing up. Join rabbitmq-discuss proper.

Software Engineer, Pivotal/RabbitMQ

More information about the rabbitmq-discuss mailing list