Dynamic authorisation on a URI pattern?

#1

We’ve been making extremely good headway using Crossbar so far but I’ve hit a bit of a snag.

Is it possible to limit dynamic authorisation based on a URI pattern?

What I want to do is have all my RPC’s going through with static authorisation, but I want a caller to be able to subscribe to a procedure like “com.example.feed.”.

What I’d like to be able to do is just have the router dynamically authorise the subscription feed. Ideally I’d be able to do something like this:

{

“name”: “authenticated”,

“permissions”: [

{

  "uri": "*",

  "subscribe": true,

  "call": true

},

{

  "uri": "com.example.feed.*",

  "authorizer": "com.example.authorise"

}

]

},

Is there any way to massage the router configuration to allow that kind of behaviour. I’d prefer not to have to authorise every call because I’m already getting the session meta for every RPC, and having the router call the authoriser is just a waste.

Thanks in advance.

Regards,

Andrew Eddie

0 Likes

#2

Hi Andrew!

Currently dynamic authorization is at a per-role level, i.e. you either have static permissions or the dynamic authoriser.

I see you use case, but I have no idea how difficult this would be to implement in Crossbar, and whether we want the additional complexity in the configuration.

Could you file an issue with Crossbar about this? I think this is worth thinking about.

Regards,

Alex

···

Am Donnerstag, 27. August 2015 09:56:12 UTC+2 schrieb Andrew Eddie:

We’ve been making extremely good headway using Crossbar so far but I’ve hit a bit of a snag.

Is it possible to limit dynamic authorisation based on a URI pattern?

What I want to do is have all my RPC’s going through with static authorisation, but I want a caller to be able to subscribe to a procedure like “com.example.feed.”.

What I’d like to be able to do is just have the router dynamically authorise the subscription feed. Ideally I’d be able to do something like this:

{

“name”: “authenticated”,

“permissions”: [

{
  "uri": "*",
  "subscribe": true,
  "call": true
},
{
  "uri": "com.example.feed.*",
  "authorizer": "com.example.authorise"
}

]

},

Is there any way to massage the router configuration to allow that kind of behaviour. I’d prefer not to have to authorise every call because I’m already getting the session meta for every RPC, and having the router call the authoriser is just a waste.

Thanks in advance.

Regards,

Andrew Eddie

0 Likes

#3

Hi Andrew,

I think this might be https://github.com/crossbario/crossbar/issues/280 ?

Cheers,
/Tobias

···

Am Donnerstag, 27. August 2015 09:56:12 UTC+2 schrieb Andrew Eddie:

We’ve been making extremely good headway using Crossbar so far but I’ve hit a bit of a snag.

Is it possible to limit dynamic authorisation based on a URI pattern?

What I want to do is have all my RPC’s going through with static authorisation, but I want a caller to be able to subscribe to a procedure like “com.example.feed.”.

What I’d like to be able to do is just have the router dynamically authorise the subscription feed. Ideally I’d be able to do something like this:

{

“name”: “authenticated”,

“permissions”: [

{
  "uri": "*",
  "subscribe": true,
  "call": true
},
{
  "uri": "com.example.feed.*",
  "authorizer": "com.example.authorise"
}

]

},

Is there any way to massage the router configuration to allow that kind of behaviour. I’d prefer not to have to authorise every call because I’m already getting the session meta for every RPC, and having the router call the authoriser is just a waste.

Thanks in advance.

Regards,

Andrew Eddie

0 Likes

#4

Hi Andrew,

I think this might be https://github.com/crossbario/crossbar/issues/280 ?

Cheers,
/Tobias

···

Am Donnerstag, 27. August 2015 09:56:12 UTC+2 schrieb Andrew Eddie:

We’ve been making extremely good headway using Crossbar so far but I’ve hit a bit of a snag.

Is it possible to limit dynamic authorisation based on a URI pattern?

What I want to do is have all my RPC’s going through with static authorisation, but I want a caller to be able to subscribe to a procedure like “com.example.feed.”.

What I’d like to be able to do is just have the router dynamically authorise the subscription feed. Ideally I’d be able to do something like this:

{

“name”: “authenticated”,

“permissions”: [

{
  "uri": "*",
  "subscribe": true,
  "call": true
},
{
  "uri": "com.example.feed.*",
  "authorizer": "com.example.authorise"
}

]

},

Is there any way to massage the router configuration to allow that kind of behaviour. I’d prefer not to have to authorise every call because I’m already getting the session meta for every RPC, and having the router call the authoriser is just a waste.

Thanks in advance.

Regards,

Andrew Eddie

0 Likes

#5

Yes, that's close. I'll add a comment to that issue.

Thanks.

Regards,
Andrew Eddie

···

On 28 August 2015 at 05:46, Tobias Oberstein <> wrote:

Hi Andrew,

I think this might be https://github.com/crossbario/crossbar/issues/280 ?

0 Likes