Hi,
you could have URIs like
com.myapp.notifications.<authid>
plus a dynamic authorizer that checks the URI being subscribed/published
to versus the authid of the session doing so, when authrole=user, and
always allows when authrole=backend.
Cheers,
/Tobias
On 30.01.2016 at 18:09, sieben tupel wrote:
> Hi,
>
> are there any best practice policies or advice on the following situation:
>
> In an application each user needs his private channel for incoming
> notifications. In all those channels new messages may be published by a
> set of services provided by the backend which has its own role (or set
> of roles). Publishing to those channels can easily be restricted using
> the authentication role of the backend services and a dynamic
> authentication/authorization mechanism.
> Now, what would be the best way to restrict the users to be able to
> subscribe only to their own channel, assuming all users have the same
> authentication role (e.g. 'user')? Right now I can think of the following
>
> 1. Create a channel with random name for each user, e.g.
> 'com.myapp.notifications.<random_string>'. Each user can access all
> channels by the access restrictions set by the authorization
> service, but a user knows only his own channel. Using brute force to
> subscribe to other channels is very difficult because of the big
> namespace (assuming the string is long and random). Personally I
> don't like this approach very much as it does not give real security
> because it highly depends on trial and error.
>
>
> Can you recommend another way to realize this in a safe way?
>
> cheers sieben
>
> To view this discussion on the web visit https://groups.google.com/d/msgid/crossbario/71d3877a-c7aa-4f8b-8c15-c61b6f664c7a%40googlegroups.com
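One way to implement the dynamic authorizer Tobias describes, as an added Python example (this is not code from the thread or from the Crossbar project). It assumes the router calls the registered procedure with a session dict carrying `authid` and `authrole`, the URI, the action and a per-call options dict (where the subscription match policy arrives), and that authids are plain lower-case identifiers usable as a single URI component. The names `PREFIX`, `authorize` and `com.myapp.authorize` are made up for the illustration. Beyond the plain authid check, it denies prefix/wildcard subscriptions for users, since a prefix subscription on `com.myapp.notifications.` would otherwise match every user's channel, and it denies users any action other than `subscribe` on those URIs.

```python
import re

# Constructed example of a Crossbar-style dynamic authorizer for per-user
# notification channels. Not code from the mailing-list thread or from
# Crossbar itself; the argument shapes mirror what a router passes to a
# dynamic authorizer and are an assumption of this example.

PREFIX = "com.myapp.notifications."

# A user's authid becomes the last URI component, so it must be a single
# well-formed strict component (no dots, no wildcards) before comparison.
URI_COMPONENT = re.compile(r"^[a-z0-9_]+$")

DENY = {"allow": False, "disclose": False}
ALLOW = {"allow": True, "disclose": False}


def authorize(session, uri, action, options=None):
    """Decide whether `session` may perform `action` on `uri`.

    session: dict with at least "authid" and "authrole"
    action:  "subscribe", "publish", "call" or "register"
    options: per-call options; for subscriptions the match policy
             ("exact", "prefix", "wildcard") is expected under "match"
    Returns a dict in the {"allow": bool, "disclose": bool} shape.
    """
    authrole = session.get("authrole")
    authid = session.get("authid")
    options = options or {}

    # Backend services are always allowed, as in the policy above.
    if authrole == "backend":
        return ALLOW

    # Deny by default: any role other than "user" gets nothing here.
    if authrole != "user":
        return DENY

    # Users may only subscribe; they never publish into notification channels.
    if action != "subscribe":
        return DENY

    # A prefix or wildcard subscription rooted at PREFIX would deliver every
    # user's notifications, so only exact-match subscriptions are considered.
    if options.get("match", "exact") != "exact":
        return DENY

    # Refuse authids that are not a single clean URI component; an authid
    # containing "." or "*" could never be compared safely as a channel name.
    if not authid or not URI_COMPONENT.match(authid):
        return DENY

    # The one URI a user may subscribe to is the channel carrying their authid.
    if uri == PREFIX + authid:
        return ALLOW

    return DENY


if __name__ == "__main__":
    # Constructed sessions; in a real deployment the router supplies these.
    alice = {"authid": "alice", "authrole": "user"}
    backend = {"authid": "notifier", "authrole": "backend"}
    print(authorize(alice, PREFIX + "alice", "subscribe"))          # allowed
    print(authorize(alice, PREFIX + "bob", "subscribe"))            # denied
    print(authorize(alice, PREFIX + "alice", "publish"))            # denied
    print(authorize(alice, PREFIX, "subscribe", {"match": "prefix"}))  # denied
    print(authorize(backend, PREFIX + "alice", "publish"))          # allowed
```

In a Crossbar deployment the function would be exposed from a backend component (for example `self.register(authorize, "com.myapp.authorize")` inside an `ApplicationSession`) and the `user` role in the realm configuration would point its `authorizer` at that URI; the exact signature the router uses for the call depends on the Crossbar version, so check it against the version in use.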