[rabbitmq-discuss] Problem with security using STOMP

Michael Klishin michael.s.klishin at gmail.com
Mon Mar 3 10:03:11 GMT 2014


2014-03-03 13:06 GMT+04:00 Grzegorz Gębura <grzegorz.gebura at gmail.com>:

> 1) user can get login and password and create his own connection and
> subscribe to my exchange with # routing key and read all messages. Is there
> any possibility to disallow subscribing with # routing key (maybe by
> determining user permissions)? I want to use only one user with restricted
> permissions (only reading defined exchange and creating auto-deleted,
> exclusive queues).
> I don't want to create exchanges per user (this will solve my problem),
> because I will have to create and manage users and exchanges by HTTP API.
>

See http://www.rabbitmq.com/access-control.html


> 2) user can subscribe to many queues so he can create millions of queues and
> crash my rabbit server. Can I handle that by limiting queues per connection
> or exchange?
>

There is no such limit. Channels/queues/exchanges can be monitored over
the HTTP API (which is what hosted RabbitMQ solutions use), which also
allows you to forcefully close connections:

http://www.rabbitmq.com/management.html
http://hg.rabbitmq.com/rabbitmq-management/raw-file/rabbitmq_v3_2_3/priv/www/api/index.html
-- 
MK

http://github.com/michaelklishin
http://twitter.com/michaelklishin
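
Added example, not part of the message above and not RabbitMQ project code: one way to do the monitoring the reply describes, counting exclusive queues per owning connection from a `GET /api/queues` listing and building the `DELETE /api/connections/<name>` call that force-closes an offender. The queue listing is constructed sample data; the threshold, host, credentials and reliance on the `owner_pid_details` field for exclusive queues are assumptions.

```python
import base64
import urllib.parse
import urllib.request
from collections import Counter

# Constructed sample shaped like a GET /api/queues response (not real data).
# Assumption: exclusive queues report their owner in "owner_pid_details".
SAMPLE_QUEUES = [
    {"name": f"q-{i}", "vhost": "/", "exclusive": True,
     "owner_pid_details": {"name": "203.0.113.7:51000 -> 10.0.0.5:61613"}}
    for i in range(5)
] + [
    {"name": "q-ok", "vhost": "/", "exclusive": True,
     "owner_pid_details": {"name": "203.0.113.9:40000 -> 10.0.0.5:61613"}},
    {"name": "durable-work", "vhost": "/", "exclusive": False},
]


def connections_over_limit(queues, max_queues):
    """Map connection name -> exclusive queue count, for owners above max_queues."""
    counts = Counter(
        q["owner_pid_details"]["name"]
        for q in queues
        if q.get("exclusive") and q.get("owner_pid_details")
    )
    return {conn: n for conn, n in counts.items() if n > max_queues}


def close_connection_request(base_url, conn_name, user, password, reason):
    """Build (without sending) the DELETE that force-closes a connection."""
    # Connection names contain spaces, ':' and '>', so encode every character.
    path = urllib.parse.quote(conn_name, safe="")
    req = urllib.request.Request(f"{base_url}/api/connections/{path}",
                                 method="DELETE")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("X-Reason", reason)  # optional reason for the close
    return req


if __name__ == "__main__":
    # Hypothetical policy: at most 3 exclusive queues per connection.
    for conn, n in connections_over_limit(SAMPLE_QUEUES, 3).items():
        req = close_connection_request("http://localhost:15672", conn,
                                       "monitor", "placeholder-password",
                                       f"{n} exclusive queues exceeds limit")
        print(req.get_method(), req.full_url)
        # urllib.request.urlopen(req) would send it to a live broker.
```

Against a live broker, replace `SAMPLE_QUEUES` with the parsed JSON from `GET /api/queues` and run the check on a schedule.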