[rabbitmq-discuss] Problem with security using STOMP

Grzegorz Gębura grzegorz.gebura at gmail.com
Mon Mar 3 09:06:31 GMT 2014


Hello everyone,

I am trying to prepare a simple model for sending messages to a web browser 
using RabbitMQ. I want to use only one exchange with many queues, which 
will be created by users connecting via STOMP (exclusive and auto-delete 
queues). Queues are bound by a random token as the routing key, and the user has to 
know this token to read the current queue.
I have two problems:
1) A user can get the login and password, create his own connection, 
subscribe to my exchange with the # routing key and read all messages. Is there 
any possibility to disallow subscribing with the # routing key (maybe by 
determining user permissions)? I want to use only one user with restricted 
permissions (only reading a defined exchange and creating auto-delete, 
exclusive queues).
I don't want to create exchanges per user (this would solve my problem), 
because I would have to create and manage users and exchanges through the HTTP API.
2) A user can subscribe to many queues, so he can create a million queues and 
crash my rabbit server. Can I handle that by limiting queues per connection 
or exchange?
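Added hardening example for the setup described in this message (not code from the poster or from the RabbitMQ project): it uses topic permissions to refuse `#` bindings and vhost limits to cap queue creation. It assumes RabbitMQ 3.7 or newer, a topic exchange, and placeholder names `notifications`, `web_client` and vhost `/`; the `stomp-subscription-` queue-name prefix is the STOMP plugin's naming convention as I know it and should be confirmed with `rabbitmqctl list_queues` before relying on the regexes.

```shell
#!/bin/sh
# Added hardening example for the setup described in the post: one shared
# topic exchange, one shared STOMP login, per-user queues bound by a random
# token. Assumes RabbitMQ 3.7 or newer (topic permissions, vhost limits).
# "notifications", "web_client" and the vhost are placeholders, not from the post.
VHOST="${VHOST:-/}"
USER_NAME="${USER_NAME:-web_client}"
EXCHANGE="${EXCHANGE:-notifications}"
# Tokens are 32 hex characters; the wildcards "#" and "*" can never match.
TOKEN_RE='^[0-9a-f]{32}$'

# Same check the broker applies to binding keys once the topic permission
# below is in place; kept as a function so the regex can be tested offline.
routing_key_allowed() {
    printf '%s\n' "$1" | grep -Eq "$TOKEN_RE"
}

# Resource permissions: the STOMP plugin names its auto-created queues
# stomp-subscription-<id> (assumed prefix), so configure/write are limited to
# those; read on the exchange is needed to bind, no write on it = no publishing.
apply_resource_permissions() {
    rabbitmqctl set_permissions -p "$VHOST" "$USER_NAME" \
        '^stomp-subscription-' \
        '^stomp-subscription-' \
        "^(${EXCHANGE}|stomp-subscription-.*)\$"
}

# Problem 1: the topic-permission read regex is matched against the routing
# key of every binding this user makes on the exchange, so subscribing with
# "#" is refused. The write regex "^$" also blocks publishing to it.
apply_topic_permissions() {
    rabbitmqctl set_topic_permissions -p "$VHOST" "$USER_NAME" "$EXCHANGE" \
        '^$' "$TOKEN_RE"
}

# Problem 2: cap queues and connections per vhost so one client cannot
# exhaust the broker by opening subscriptions in a loop (constructed values).
apply_vhost_limits() {
    rabbitmqctl set_vhost_limits -p "$VHOST" \
        '{"max-queues": 1000, "max-connections": 500}'
}

# Only touches the broker when invoked as: sh harden.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_resource_permissions && apply_topic_permissions && apply_vhost_limits
fi
```

Without the `apply` argument the script only defines the functions, so the regex check can be exercised without a broker.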

