Hi, I’m evaluating Crossbar/WAMP for an upcoming project. Now I have two parts of authentication and authorization:
- within the application
In 1) I have to authenticate and authorize any client within my distributed app, both the server-side components which provide the app logic and the clients that use them (mobile app, web app, …). I would like to use certificate-based authentication at this point to authenticate components A, B, … and then use dynamic authorization based on their authid to allow/deny registering new methods. The client app authenticates with certificates too and may call any (or most) methods provided by the components.
In 2) any remote method must check whether the caller provides authentication credentials (in my case a token) and then check whether the caller has permission to perform this action (e.g. requesting a certain file that is protected and must only be accessed by certain users).
I would like to use this architecture mainly because just checking whether a client may call a method does not provide enough security (e.g. any user may use the get_file() method but must only get the files he is allowed to read). Second, this provides me with a strict separation of app-level users and their permissions from the components involved in my distributed system (e.g. Mobile-App, Administrative-App, File-Management-Component, Permission-Component, …). The latter also suits a system that is extensible through third-party components providing some extra functionality very well.
Unfortunately I then run into problems with the publish/subscribe model. As Crossbar handles subscribe and publish permissions on the WAMP level, I can’t grant or deny access to subscribing to a topic like .private.example.com which is only for one specific (app-level) user.
Is there any way to provide/access additional information in dynamic authorization? As far as I can see from the documentation, I only get the session, the URI and the action a (WAMP-level) client wants to invoke, but the session object only holds information on the WAMP-level authentication ID (e.g. Mobile-App). But I would need to provide an additional app-level token which is then used to grant or deny access to the topic. Is there any way to do this?
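To make the situation described in the question concrete, here is an added illustration (not code from the poster or from the Crossbar project) of a dynamic authorizer written as a plain Python function with the three inputs the poster names: the session details, the URI and the action. The realm, the `com.example.` URI layout, the role names `component`/`client`, the rule that a component may only register under a namespace derived from its certificate authid, and the `com.example.private.<authid>` topic convention are all assumptions made for the example. The session dicts are constructed sample input. It shows which decisions can be taken from WAMP-level identity alone, and that a per-user private topic can only be checked against whatever identity the router puts in the session details, since no app-level token reaches the authorizer.

```python
# Added example: a Crossbar-style dynamic authorizer as a plain function.
# Everything below (URI layout, roles, session contents) is an assumption
# made for illustration; it is not Crossbar's or the poster's code.

# Constructed session details in the shape a dynamic authorizer sees:
# WAMP-level identity only (authid/authrole), no application-level token.
COMPONENT_SESSION = {
    "realm": "realm1", "session": 1,
    "authid": "file-management", "authrole": "component", "authmethod": "tls",
}
CLIENT_SESSION = {
    "realm": "realm1", "session": 2,
    "authid": "mobile-app", "authrole": "client", "authmethod": "tls",
}

PRIVATE_PREFIX = "com.example.private."


def component_namespace(authid):
    """Assumed convention: a component may only register procedures under a
    namespace derived from its certificate authid, e.g.
    'file-management' -> 'com.example.file_management.'."""
    return "com.example." + authid.replace("-", "_") + "."


def authorize(session, uri, action):
    """Decide (allow, disclose, cache) from session details, URI and action.

    Only WAMP-level facts are available here: authid and authrole. Any
    application-level permission (which files a user may read, which
    app user owns a private topic) cannot be decided at this point unless
    that identity is reflected in the session details.
    """
    authid = session.get("authid", "")
    role = session.get("authrole", "")
    allow = False

    if role == "component":
        if action == "register":
            # Components register only inside their own namespace.
            allow = uri.startswith(component_namespace(authid))
        elif action in ("call", "publish", "subscribe"):
            allow = uri.startswith("com.example.")

    elif role == "client":
        if action == "call":
            # Clients may call any application procedure; the procedure
            # itself must still check the app-level token and permissions.
            allow = uri.startswith("com.example.")
        elif action == "subscribe":
            if uri.startswith(PRIVATE_PREFIX):
                # The only identity we can compare against is the WAMP authid.
                allow = uri[len(PRIVATE_PREFIX):] == authid
            else:
                allow = uri.startswith("com.example.")
        elif action == "publish":
            allow = uri.startswith("com.example.events.")
        # Clients never register procedures: allow stays False.

    return {"allow": allow, "disclose": role == "client", "cache": False}
```

The `allow`/`disclose`/`cache` keys are the shape of the dict a Crossbar dynamic authorizer returns; the decisions themselves are the example's own policy. Note what the `subscribe` branch cannot do: if the app-level user is not the authid, the private-topic check has nothing to compare against, which is exactly the gap the question describes.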