Question

I'm using the WAMP.ws specifications to design public/private user chatrooms on my website.

My problem comes when I try to keep a list of all connected users. What I could do:

  1. All users subscribe to "/contacts/connections" topic.
  2. When a user connects, he publishes a "hello" message with a "user_id" argument, telling other users that he is connected.

--> But how can I trust users? Any user could send a "hello" message with a random "user_id" argument.

To me, the server has to do some checks before broadcasting the message. But is that in accordance with the WAMP.js specifications? I've read that a published message is always broadcast by the server.

Another solution could be using an RPC call to connect a user. Actually, I did that for authenticating users. But can the server broadcast an Event to the topic "/contacts/connections" by itself (after an RPC call, not after a "Publish" message)? I've read that Events are only the direct result of a "Publish" from a client. Moreover, this would not prevent regular users from sending events through the "/contacts/connections" topic, which would be broadcast by the server.

I feel that my two solutions (checking published messages before broadcasting, or broadcasting an event from the server after an RPC call) both break the WAMP.js specifications. Am I wrong?

Thank you


Solution

WAMP differentiates between

  1. Authentication
  2. Authorization
  3. Validation

Authentication establishes the identity of a WAMP client at a WAMP router.

When using Autobahn|Python to roll your own WAMP router, here are multiple examples showing how to implement different authentication mechanisms.

When using Crossbar.io (an integrated, production ready WAMP router), authentication mechanisms come built in (here).


Authorization determines if a given WAMP client is allowed to perform a WAMP action (like publish or call) on a given URI.

When using Autobahn|Python to roll your own WAMP router, here is an example showing how to implement custom authorization.

Crossbar.io has a built-in static authorization scheme and also allows you to register custom WAMP procedures for authorization (here).


Finally, there is Validation, which checks the application level payload of events or calls.

Here is an example for Autobahn|Python. Crossbar.io will soon allow to register custom WAMP procedures for validation.
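The three checks the answer separates, applied to the "who is connected" problem from the question, as an added example. This is not code from the answer, from Autobahn|Python or from Crossbar.io; it is a small in-process stand-in for a router, and the URIs (`com.example.contacts.*`), the roles (`user`, `backend`), the `hello` payload shape and the permission table are assumptions made for illustration. It shows both routes the question proposes: a client publishing its own `hello` (authorization on the topic, then validation that `user_id` equals the identity authentication established for that session), and a client calling an RPC after which a trusted backend session publishes the announcement using the identity the router discloses, not whatever the caller put in its arguments.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    """What authentication leaves behind; owned by the router, not the client."""
    session_id: int
    authid: str
    authrole: str

# Assumed application URIs.
CONNECTIONS_TOPIC = "com.example.contacts.connections"
CONNECT_PROC = "com.example.contacts.connect"

# Static per-role authorization table, in the spirit of Crossbar.io's static
# scheme: (uri pattern, match type, allowed actions); the first match decides.
PERMISSIONS = {
    "user": [(CONNECTIONS_TOPIC, "exact", {"subscribe", "publish"}),
             (CONNECT_PROC, "exact", {"call"})],
    "backend": [("com.example.", "prefix", {"publish", "subscribe"})],
}

def authorize(session, uri, action):
    """Authorization: may this role perform `action` on `uri`? Default deny."""
    for pattern, match, allowed in PERMISSIONS.get(session.authrole, []):
        hit = uri == pattern if match == "exact" else uri.startswith(pattern)
        if hit:
            return action in allowed
    return False

def validate_hello(publisher, kwargs) -> Optional[str]:
    """Validation of the hello payload: returns an error message or None."""
    user_id = kwargs.get("user_id")
    if not isinstance(user_id, str) or not user_id:
        return "hello needs a non-empty string user_id"
    # An ordinary user may only announce the identity it authenticated with;
    # the backend role announces on behalf of callers and may name any user.
    if publisher.authrole == "user" and user_id != publisher.authid:
        return f"user_id {user_id!r} does not match authenticated authid {publisher.authid!r}"
    return None

class Router:
    def __init__(self):
        self.subscribers = {}  # topic -> set of session ids
        self.procedures = {}   # procedure uri -> (callee session, handler)
        self.delivered = []    # (session_id, topic, kwargs) instead of real EVENTs

    def subscribe(self, s, topic):
        if not authorize(s, topic, "subscribe"):
            raise PermissionError(f"{s.authid} may not subscribe to {topic}")
        self.subscribers.setdefault(topic, set()).add(s.session_id)

    def publish(self, s, topic, kwargs):
        """Authorize, validate, deliver to all subscribers but the publisher."""
        if not authorize(s, topic, "publish"):
            raise PermissionError(f"{s.authid} may not publish to {topic}")
        if topic == CONNECTIONS_TOPIC:
            err = validate_hello(s, kwargs)
            if err:
                raise ValueError(err)
        targets = [sid for sid in sorted(self.subscribers.get(topic, ())) if sid != s.session_id]
        self.delivered.extend((sid, topic, dict(kwargs)) for sid in targets)
        return len(targets)

    def call(self, s, proc, kwargs):
        if not authorize(s, proc, "call"):
            raise PermissionError(f"{s.authid} may not call {proc}")
        callee, handler = self.procedures[proc]
        # The caller's identity is disclosed from its session, never read from kwargs.
        return handler(callee, s.authid, kwargs)

def demo():
    """Constructed scenario: two users, one backend, a spoofed hello, the RPC route."""
    router = Router()
    alice, bob = Session(1, "alice", "user"), Session(2, "bob", "user")
    backend = Session(99, "presence-service", "backend")
    for s in (alice, bob):
        router.subscribe(s, CONNECTIONS_TOPIC)

    def connect(callee, caller_authid, kwargs):
        # The question's RPC variant: the backend session publishes the hello
        # event itself, carrying the router-disclosed caller identity.
        router.publish(callee, CONNECTIONS_TOPIC, {"user_id": caller_authid, "msg": "hello"})
        return {"user_id": caller_authid}

    router.procedures[CONNECT_PROC] = (backend, connect)  # registration by the backend
    results = {}
    try:  # bob claims to be alice: refused by validation, nothing is broadcast
        router.publish(bob, CONNECTIONS_TOPIC, {"user_id": "alice", "msg": "hello"})
        results["spoof"] = "accepted"
    except ValueError as e:
        results["spoof"] = str(e)
    results["honest"] = router.publish(bob, CONNECTIONS_TOPIC, {"user_id": "bob", "msg": "hello"})
    results["rpc"] = router.call(bob, CONNECT_PROC, {"user_id": "alice"})  # the claim is ignored
    results["recipients"] = [sid for sid, _, _ in router.delivered]
    results["announced"] = [kw["user_id"] for _, _, kw in router.delivered]
    return results
```

The point the question circles around is that neither route needs the router to break the publish/subscribe contract: the router still only forwards publications, but it refuses a publication that fails authorization or validation before any subscriber sees it, and in the RPC route the event really is a publication, just one made by a trusted backend session that takes the announced identity from the router's disclosure of the caller rather than from the caller's arguments. In a real Autobahn|Python or Crossbar.io deployment the `authorize` table and the `validate_hello` check correspond to the router-side authorizer and validator hooks the answer links to, and `Session.authid`/`authrole` to what the authentication step produces.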


Licensed under: CC-BY-SA with attribution