>> 2)
>> Say a session S1 authenticated under role R1 was authorized to
>> subscribe and did actually subscribe to topic T1.
>>
>> Now say the authorization to subscribe to topic T1 is removed from
>> role R1.
>>
>> _New_ sessions authenticating as R1 cannot any longer subscribe to T1.
>>
>> Further, when S1 unsubscribes (itself), and then again tries to
>> subscribe to T1, that will fail.
>>
>> However, when the _existing_ session S1 has an _established_
>> subscription to T1, and _that_ subscription is _not_ kicked by the router.
>>
>> Is that the issue we are talking about?
>
> Yes, this is exactly the issue that I want. I would like a way for S1 to
> be automatically dropped from its subscription to T1 as soon as S1 is
> no longer allowed to subscribe to T1.

Ok.

First, this would be a feature of a specific WAMP router - not WAMP as a
protocol per-se (but see below).

Then, this feature isn't implemented in Crossbar.io as of today.

There are noteworthy aspects:

1)
Crossbar.io when using a static node configuration (read from
.crossbar/config.json) sets up role permissions, and due to the fact
that the node config is only read at startup, it cannot change anyway.

Changing the permissions of a role in Crossbar.io dynamically is
(partially) already possible today - but not officially supported yet
(the "management API").

2) If you implement a custom WAMP authorizer for use with Crossbar.io
(ping me if it's unclear what I mean), the authorizer is only called for
the initial authorization request ("is this session allowed to subscribe
T1"), might be cached, but in any case (cached or not), changing the
role's permissions afterwards won't kick existing subscriptions (see 1.).

3) When we implement 1./2., there is this issue left: when a session
subscribes, and the session is not authorized, it'll get an error (the
subscribe fails). This is clear and transparent to the client app.

However, what should happen when the subscription is later revoked? The
client won't notice! This is somehow not satisfying (lack of transparency).

How should we notify a subscribed session that its subscription has
been revoked?

Cheers,
/Tobias
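
Added example, not part of the original message and not Crossbar.io or WAMP code: a toy in-memory broker that contrasts the behaviour described in the thread (authorization checked only when subscribing) with a revocation that re-checks live subscriptions and tells the affected session. Every class, method and message name here, including the `revoked` notification, is hypothetical.

```python
# Toy in-memory broker (constructed model, not Crossbar.io or Autobahn code).
from collections import defaultdict

class ToyBroker:
    def __init__(self):
        self.allowed = defaultdict(set)   # role -> topics it may subscribe to
        self.role_of = {}                 # session id -> role
        self.subs = defaultdict(set)      # topic -> subscribed session ids
        self.inbox = defaultdict(list)    # session id -> messages sent to it

    def join(self, session, role):
        self.role_of[session] = role

    def grant(self, role, topic):
        self.allowed[role].add(topic)

    def authorize(self, session, topic):
        return topic in self.allowed[self.role_of[session]]  # subscribe-time check

    def subscribe(self, session, topic):
        if not self.authorize(session, topic):
            return False                  # client sees the failure directly
        self.subs[topic].add(session)
        return True

    def publish(self, topic, payload):
        for session in sorted(self.subs[topic]):
            self.inbox[session].append(("event", topic, payload))

    def revoke(self, role, topic, enforce=True):
        """Remove a permission; with enforce=True also re-check live subscriptions."""
        self.allowed[role].discard(topic)
        if not enforce:
            return []                     # behaviour described in the thread
        kicked = sorted(s for s in self.subs[topic] if not self.authorize(s, topic))
        for session in kicked:
            self.subs[topic].discard(session)
            # Hypothetical notification so the client learns of the revocation.
            self.inbox[session].append(("revoked", topic))
        return kicked

def demo(enforce):
    broker = ToyBroker()
    broker.grant("R1", "T1")
    broker.join("S1", "R1")
    assert broker.subscribe("S1", "T1")
    kicked = broker.revoke("R1", "T1", enforce=enforce)
    broker.publish("T1", "after-revocation")
    return kicked, broker.inbox["S1"], broker.subscribe("S1", "T1")
```

With `enforce=False`, S1 still receives the event published after the permission was removed even though a fresh subscribe is refused; with `enforce=True`, S1 receives only the revocation message.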