[rabbitmq-discuss] custom exchange checking auth user

Dmitry Andrianov dmitry.andrianov at alertme.com
Fri Jun 20 15:45:27 BST 2014


Uh, oh. You will criticize my idea :)

So there is a custom auth backend that extracts something from the client's 
SSL certificate and puts it into the user's impl.
Client is obliged to also provide the same information in AMQP headers.
This is done because our server app also needs that data and by the time 
message reaches it, there is no SSL anymore.

Since the client may put whatever it likes in the header, I want the 
RabbitMQ that accepts the message to do the validation - check that the 
value in the header and the value from user.impl (extracted from the SSL 
cert) are the same, or reject the message otherwise.

So we do not trust the AMQP headers we receive from the client, but we do 
trust the SSL certificate, and we do trust the AMQP headers after the message 
has come through the first Rabbit and been verified.


I am also thinking of relaxing the requirement for the client to add 
that header in the first place - the custom exchange can add it if it is 
missing.
I do understand that it violates the AMQP specs, but it does not look that 
serious.

Thanks


On 20/06/14 15:28, Simon MacMullen wrote:
> On 20/06/14 15:21, Dmitry Andrianov wrote:
>> can a custom exchange plugin access record of the user that sent the
>> message?
>
> It can't, I'm afraid.
>
> What are you trying to do?
>
> Cheers, Simon
>
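
The check described in the message above, as a broker-agnostic sketch: an added example, not code from the original post or from RabbitMQ, and it does not say where in the broker such a check can run. The header name `x-client-id`, the `Rejected` exception and `enforce_identity` are hypothetical names chosen for illustration.

```python
import hmac

HEADER = "x-client-id"  # hypothetical header name; the post does not name one


class Rejected(Exception):
    """Raised when a message's identity header cannot be trusted."""


def _as_bytes(value):
    # AMQP client libraries may surface header strings as str or bytes.
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("utf-8")
    raise Rejected(f"{HEADER} must be a string, got {type(value).__name__}")


def enforce_identity(cert_identity, headers, stamp_if_missing=False):
    """Return headers that are safe to forward downstream, or raise Rejected.

    cert_identity: value the auth backend took from the client certificate
                   (the trusted side of the comparison).
    headers:       AMQP headers exactly as the client sent them (untrusted).
    """
    if not cert_identity:
        raise Rejected("no certificate-derived identity for this connection")
    trusted = _as_bytes(cert_identity)
    out = dict(headers or {})
    # Header keys are case-sensitive; refuse variants such as "X-Client-Id"
    # that a case-insensitive consumer might read instead of the real one.
    if any(k != HEADER and str(k).lower() == HEADER for k in out):
        raise Rejected(f"ambiguous spelling of {HEADER}")
    if HEADER not in out:
        if not stamp_if_missing:
            raise Rejected(f"{HEADER} header is required")
        out[HEADER] = cert_identity  # relaxed mode: fill in the missing header
        return out
    claimed = _as_bytes(out[HEADER])
    # Exact byte comparison: no trimming or case folding, so look-alike
    # values ("hub-0001 ", "HUB-0001") do not pass as the trusted one.
    if not hmac.compare_digest(claimed, trusted):
        raise Rejected(f"{HEADER} does not match certificate identity")
    out[HEADER] = cert_identity  # forward the trusted copy, not the claim
    return out
```
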
