RPC: Authentication Recipient Validation

#1

Hello,

How can I ensure that the connection between two clients is secure and no one else joins the communication?

I was not able to find a note on how this could be implemented; could you help me figure out a good way?

For example, I have the following scenario:

Client A (ID: 22) wants to start a chat with user Client B (ID: 11)

So Client A double-clicks on his name in the public chat room and opens a dedicated private ChatWindow.

Example 1:

Every client listens to a per-user dedicated procedure and receives a ticket with a hash, which they can subscribe to in order to communicate with each other.

Example 2:

An instance between the clients checks whether the two users are authenticated and allowed to communicate.


#2

From the documentation I took the following information:

session.subscribe("com.mychatapp.privatechannel.123", printMyEvents, { match: "exact" });

So it would make sense to use subscriptions here and create a subscription between Client A and Client B.
But users could still reach this "subscription" by registering with a prefix, couldn't they?
session.subscribe("com", printMyEvents, { match: "prefix" });

How am I able to avoid this? Can I disable prefix matching, or do I have to overwrite onSubscribe and validate the sessions on my own there?

On Thursday, 25 June 2015 at 14:38:57 UTC+2, Florijan Hamzic wrote:

#3

Hi Florijan!

One thing to do would be to use a dynamic authorization component - see http://crossbar.io/docs/Authorization/#dynamic-authorization

Using this, you can allow/disallow subscription requests using dynamic rules. Here you could check the sessionID of the requester and see whether this matches a session belonging to either user A or user B.

Regards,

Alex

On Friday, 26 June 2015 at 09:48:30 UTC+2, Florijan Hamzic wrote:
On Thursday, 25 June 2015 at 14:38:57 UTC+2, Florijan Hamzic wrote:

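Putting Alex's suggestion (#3) together with the prefix-subscription concern from #2, the following is an added Python example of the decision logic such a dynamic authorizer would run. It is not Crossbar's own code and not a snippet from this thread. It assumes a topic convention of com.mychatapp.privatechannel.<lower_id>.<higher_id> so that both clients derive the same topic for one conversation, and it assumes each session's authid is the numeric user ID from the question (22 and 11); the session dicts are constructed sample data. Because the router hands the authorizer the requesting session's details, the requested URI, the action and the request options, a subscribe on "com" with match=prefix arrives as exactly that and can be refused without overriding onSubscribe on the client.

```python
import re

# Canonical private-channel topics (assumed convention, not Crossbar's):
# com.mychatapp.privatechannel.<lower_id>.<higher_id>
PRIVATE_CHANNEL = re.compile(
    r"^com\.mychatapp\.privatechannel\.(?P<a>\d+)\.(?P<b>\d+)$"
)

# Constructed sample session details of the shape the router passes to an
# authorizer: `authid` is taken to be the user's numeric ID as a string.
SESSION_A = {"session": 1001, "authid": "22", "authrole": "user"}
SESSION_B = {"session": 1002, "authid": "11", "authrole": "user"}
SESSION_C = {"session": 1003, "authid": "33", "authrole": "user"}  # a third party


def private_channel_uri(user_id_1, user_id_2):
    """Topic both participants compute for their private chat (assumed convention)."""
    lo, hi = sorted((int(user_id_1), int(user_id_2)))
    return f"com.mychatapp.privatechannel.{lo}.{hi}"


def authorize(session, uri, action, options=None):
    """Decide one WAMP request for the private-chat topics.

    session -- details dict of the requesting session (authid, authrole, ...)
    uri     -- the topic/procedure URI or pattern the client asked for
    action  -- "subscribe", "publish", "call" or "register"
    options -- request options, e.g. {"match": "prefix"} for a pattern subscribe
    Returns a dict in the allow/disclose/cache result shape.
    """
    options = options or {}
    deny = {"allow": False, "disclose": False, "cache": False}

    # Only exact-match subscribe/publish on a private channel is ever allowed.
    # A prefix or wildcard subscription such as ("com", match=prefix) is
    # refused outright, which closes the gap raised in post #2.
    if action not in ("subscribe", "publish"):
        return deny
    if options.get("match", "exact") != "exact":
        return deny

    m = PRIVATE_CHANNEL.match(uri)
    if m is None:
        return deny
    a, b = m.group("a"), m.group("b")
    if int(a) >= int(b):
        # Non-canonical ordering would create a second topic for the same pair;
        # reject it instead of silently aliasing.
        return deny

    # The requester may only join if they are one of the two participants.
    if str(session.get("authid")) not in (a, b):
        return deny

    # disclose=True lets the peer see who published; cache=False so that a
    # later change of the participant set is not masked by a cached verdict.
    return {"allow": True, "disclose": True, "cache": False}


if __name__ == "__main__":
    topic = private_channel_uri(22, 11)
    print(topic)
    for who, sess in (("A", SESSION_A), ("B", SESSION_B), ("C", SESSION_C)):
        print(who, "subscribe", topic, "->", authorize(sess, topic, "subscribe")["allow"])
    print("C prefix subscribe on 'com' ->",
          authorize(SESSION_C, "com", "subscribe", {"match": "prefix"})["allow"])
```

In a deployment this function is exposed as a WAMP procedure and the realm role used by the chat clients is pointed at it, as described in the dynamic-authorization page Alex linked; the component that registers the authorizer must itself run under a role with static permissions, since it cannot authorize its own registration.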