PHP
Denis Bondar, 2018-09-13 17:04:22

How do I authenticate an application user when connecting to RabbitMQ via the Web STOMP protocol?

Initial data
Given: a web application in PHP with a JS frontend, plus RabbitMQ, which is also used as a WebSocket server speaking the STOMP protocol (web-stomp plugin).
The interaction scheme is standard: the frontend application connects to RabbitMQ using stomp.js, logging in with a login and password. On RabbitMQ, a fanout exchange is created for each registered user of the web application; these are used to send push messages to the frontend. Immediately after loading, the frontend connects to RabbitMQ, creates a temporary auto-delete queue and binds it to the specific exchange associated with the current web application user. Now, if the backend sends a message to the user's exchange, it immediately goes to every queue bound to it and is delivered to the frontend over the STOMP protocol. This scheme works great.
Problem
The problem is that by studying the frontend JS source or the traffic, you can find the login and password for connecting to RabbitMQ, as well as the name of the exchange to which the queue created by the frontend is bound. With this data you can connect to RabbitMQ without any further authorization, create a queue and bind it to any exchange, intercepting information intended for other users.
Question
How can I restrict access to a specific exchange to a known session only? Or do it some other way? Surely there are standard solutions to this security issue, implemented with RabbitMQ's own means.


1 answer
Boris Korobkov, 2018-09-13
@denisbondar

Only the backend (PHP) should create queues. It also issues unique IDs (for example, a session_id or an md5 hash) to the client. The client then connects to the previously created queue using this ID.
Theoretically, a client could brute-force queue names, but you can calculate how many possible combinations there would be.
P.S. Using a login/password on the client makes no sense, because it is easily intercepted anyway.
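One way to implement the backend-created-queue approach from this answer, as an added example that is not part of the original post and not RabbitMQ's own code. It assumes php-amqplib, a `backend` AMQP account that only the server holds, a separate low-privilege `frontend` account for the browser, and one fanout exchange per user named `user.<id>`; all hosts, accounts and names are placeholders.

```php
<?php
// Added example: the backend mints an unguessable per-session queue, binds it to the
// user's fanout exchange and hands only the queue name to the browser.
// Assumes php-amqplib (composer require php-amqplib/php-amqplib); host, account and
// exchange names are placeholders.
//
// The browser's shared STOMP account gets read-only rights on these queues and nothing
// else, so even a leaked client login cannot declare or bind anything:
//   rabbitmqctl set_permissions -p / frontend "^$" "^$" "^push\."
require __DIR__ . '/vendor/autoload.php';

use PhpAmqpLib\Connection\AMQPStreamConnection;
use PhpAmqpLib\Wire\AMQPTable;

// Creates a queue bound to $userExchange and returns its name.
function createSessionQueue(AMQPStreamConnection $conn, string $userExchange): string
{
    // 16 bytes from the CSPRNG = 2^128 possible names, far beyond brute force;
    // md5(session_id) would only be as unpredictable as the session id itself.
    $queueName = 'push.' . bin2hex(random_bytes(16));

    $ch = $conn->channel();
    // queue_declare($queue, $passive, $durable, $exclusive, $auto_delete, $nowait, $args)
    // auto_delete=true: removed once the browser's STOMP subscription goes away.
    // x-expires: removed after 5 minutes if no subscriber ever shows up.
    $ch->queue_declare(
        $queueName, false, false, false, true, false,
        new AMQPTable(['x-expires' => 300000])
    );
    $ch->queue_bind($queueName, $userExchange);
    $ch->close();

    return $queueName;
}

// Endpoint reachable only with a valid application session (e.g. GET /push-queue).
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}

// The AMQP credentials stay on the server; the browser never sees them.
$conn = new AMQPStreamConnection('localhost', 5672, 'backend', 'BACKEND_PASSWORD', '/');
$queue = createSessionQueue($conn, 'user.' . $_SESSION['user_id']);
$conn->close();

header('Content-Type: application/json');
echo json_encode(['queue' => $queue]);
```

The browser then subscribes with stomp.js to `/amq/queue/` followed by the returned name, a destination prefix that consumes an existing queue without trying to declare it. Binding to other users' exchanges is no longer possible from the client, since the `frontend` account has no configure or write permission.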
