On 27 August 2015 at 14:51, Rob Nagler <> wrote:
> Hi Andrew,
>
> Thanks for the pseudo-code. It's quite complicated, unfortunately.
It depends on what you are trying to achieve. If you don't want to use
dynamic authorisation, these are the steps you can include:
1. You must register the procedure to be called.
2. If you want information about the caller, you must call the session
meta end-point.
3. You must have your business logic authorise the request.
4. You must handle the request and provide a response.
> When the application programmer hand codes authorization, security holes pop
> up in unexpected places. For example, the code "throw err" above is
> problematic: It exposes an internal problem with authorization. Crossbar
> returns such exceptions literally to the client, e.g.
>
> add err: {"error":"wamp.error.authorization_failed","args":["failed to
> authorize session for calling procedure 'com.example.add':
> ApplicationError('wamp.error.runtime_error', args = ('DETAILS OF THE
> INTERNAL EXCEPTION EXPOSED HERE',), kwargs = {})"],"kwargs":{}}
That's a fair comment, except that the snippet was not intended to
show all of that sort of thing. I dumb the error down before returning
it.
> Another issue is that increasing the call overhead worsens denial of service
> attacks. It is much better if the front-end (Crossbar) denies the service.
Perhaps, but that would require you to compile a plugin or something
into Crossbar itself to be able to do all that.
> The more that that application has to do, the more likely an attacker will
> find ways to penetrate the system.
I don't think that's a reasonable case to make because shifting code
from one place to another doesn't necessarily make it more secure. You
might be lucky, you might not.
> In general, the default authorization should be "no", not "yes".
It is (see Static Authorisation in the docs).
> Without
> integrated authentication/authorization policies built into the framework,
Into the Crossbar framework??
> you end up having to ensure that all endpoints assert the validity of the
> user's role against allowed roles, even if that role is "anonymous".
> As I understand Crossbar, it means I have to write code which traps all requests.
> That basically requires a centralized dispatcher through which all requests
> pass. That's a lot of duplicate effort on the part of all the developers who
> might want to use Crossbar.
I'm not totally clear on what you are suggesting to do, but you
wouldn't do that.
Regards,
Andrew Eddie
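The four steps Andrew lists (register the procedure, fetch the caller's session meta, authorise in business logic, handle and respond) and the two pitfalls Rob raises (default should be deny; internal exception text must not reach the caller) can be shown in one small callee. This is an added example, not code from the thread, Crossbar or Autobahn: the router is a constructed stand-in that only mimics what `wamp.session.get` returns (a dict with `authid` and `authrole`), the `com.example.*` procedure and error URIs are made up, and the policy table is hypothetical.

```python
"""Hand-coded WAMP authorisation with a default-deny policy and sanitised errors.

Added example: FakeRouter, the com.example.* URIs and POLICY are assumptions for
illustration and are not Crossbar's or Autobahn's own code.
"""
import logging

log = logging.getLogger("wamp-authz")

# Error URIs the caller sees. The first two are hypothetical app-specific URIs;
# wamp.error.no_such_procedure is the standard WAMP URI for an unknown procedure.
ERR_NOT_AUTHORIZED = "com.example.error.not_authorized"
ERR_INTERNAL = "com.example.error.internal"
ERR_NO_SUCH_PROCEDURE = "wamp.error.no_such_procedure"

# Static policy: procedure URI -> roles allowed to call it.
# Any procedure or role not listed here is denied, so the default is "no".
POLICY = {
    "com.example.add": {"user", "admin"},
    "com.example.reset": {"admin"},
}


class FakeRouter:
    """Constructed stand-in for the router. It holds the per-session meta that a
    real router exposes through the wamp.session.get meta procedure."""

    def __init__(self, sessions):
        self._sessions = sessions  # session_id -> {"authid": ..., "authrole": ...}
        self._procs = {}

    def register(self, uri, handler):
        self._procs[uri] = handler

    def session_get(self, session_id):
        # Unknown session -> empty meta, which the callee treats as "no role".
        return dict(self._sessions.get(session_id, {}))

    def call(self, caller_id, uri, *args):
        handler = self._procs.get(uri)
        if handler is None:
            return ("error", ERR_NO_SUCH_PROCEDURE)
        return handler(caller_id, uri, *args)


class Callee:
    def __init__(self, router):
        self.router = router
        self.impl = {"com.example.add": self.add, "com.example.reset": self.reset}
        for uri in self.impl:
            self.router.register(uri, self.on_call)  # step 1: register

    def on_call(self, caller_id, uri, *args):
        meta = self.router.session_get(caller_id)  # step 2: caller's session meta
        if not self.authorise(uri, meta):          # step 3: business-logic check
            log.warning("denied %s for authid=%r role=%r",
                        uri, meta.get("authid"), meta.get("authrole"))
            return ("error", ERR_NOT_AUTHORIZED)
        try:
            return ("ok", self.impl[uri](*args))    # step 4: handle and respond
        except Exception:
            # Keep the traceback server-side; the caller gets only a generic URI,
            # never the text of the internal exception.
            log.error("internal error handling %s", uri, exc_info=True)
            return ("error", ERR_INTERNAL)

    @staticmethod
    def authorise(uri, meta):
        role = meta.get("authrole")
        return role is not None and role in POLICY.get(uri, set())

    @staticmethod
    def add(a, b):
        return a + b

    @staticmethod
    def reset():
        return "reset done"


def build_demo():
    """Wire a router with three constructed sessions and one callee."""
    sessions = {
        1: {"authid": "alice", "authrole": "user"},
        2: {"authid": "anonymous", "authrole": "anonymous"},
        3: {"authid": "root", "authrole": "admin"},
    }
    router = FakeRouter(sessions)
    Callee(router)
    return router


if __name__ == "__main__":
    r = build_demo()
    print(r.call(1, "com.example.add", 2, 3))       # ('ok', 5)
    print(r.call(2, "com.example.add", 2, 3))       # denied: anonymous
    print(r.call(1, "com.example.add", "a", 3))     # internal error, sanitised
```

In a real Autobahn|Python callee the caller's session id comes from the call details (register with `RegisterOptions(details_arg='details')` and read `details.caller`), and the meta lookup is `self.call('wamp.session.get', details.caller)`; the authorise/handle/sanitise logic above stays the same.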