http bridge authentication/authorization

Jun

Apr 5, 2016, 5:08:35 PM
to Crossbar
The http bridge is a good feature to use.  (http://crossbar.io/docs/HTTP-Bridge/)

Currently, I register a callback to dynamically authenticate and authorize wamp connections by registering the two authenticator and authorizer callbacks.

How will the dynamic authentication/authorization work for http bridge? (the ticket method is preferred) 

Do you have a sample config.json and sample code? What is required for a http post request to do to be authenticated/authorized? 

Thanks 

Regards,
Jun 

Jun

Apr 11, 2016, 4:53:30 PM
to Crossbar
Does anybody have any idea if crossbar supports http bridge authentication? Thanks.

Tobias Oberstein

Apr 11, 2016, 5:16:50 PM
to cross...@googlegroups.com
Hi,

there are currently 3 things you can do to secure access to the bridge:

You can require TLS: require_tls

You can restrict source IPs: require_ip

Eg see: http://crossbar.io/docs/HTTP-Bridge-Publisher

And you can demand requests to be signed:

http://crossbar.io/docs/HTTP-Bridge-Publisher/#signed-requests

The signature is computed from a pre-shared secret.

Cheers,
/Tobias

On 11.04.2016 at 22:53, Jun wrote:
> Does anybody have any idea if crossbar supports http bridge
> authentication? Thanks.
>
> On Tuesday, April 5, 2016 at 2:08:35 PM UTC-7, Jun wrote:
>
> The http bridge is a good feature to use.
> (http://crossbar.io/docs/HTTP-Bridge/)
>
> Currently, I register a callback to dynamically authenticate and
> authorize wamp connections by registering the two authenticator and
> authorizer callbacks.
>
> How will the dynamic authentication/authorization work for http
> bridge? (the ticket method is preferred)
>
> Do you have a sample config.json and sample code? What is required
> for a http post request to do to be authenticated/authorized?
>
> Thanks
>
> Regards,
> Jun
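
The signed-request option mentioned in the reply above, as an added example that is not part of the original thread or Crossbar's own code. It assumes the layout given in the linked signed-requests documentation (HMAC-SHA256 over key, timestamp, seq, nonce and body, URL-safe Base64, sent as query parameters); the helper names, `max_skew_s`, the URL, key and secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # UTC, ISO 8601 style

def _mac(key, secret, timestamp, seq, nonce, body):
    # Assumed layout: HMAC-SHA256(secret, key | timestamp | seq | nonce | body)
    h = hmac.new(secret.encode(), digestmod=hashlib.sha256)
    for part in (key, timestamp, str(seq), str(nonce)):
        h.update(part.encode())
    h.update(body)
    return base64.urlsafe_b64encode(h.digest()).decode()

def sign_request(url, body, key, secret, seq, now=None, nonce=None):
    """Client side: return the URL with the signature query parameters added."""
    timestamp = (now or datetime.now(timezone.utc)).strftime(TS_FMT)
    nonce = secrets.randbelow(2**53) if nonce is None else nonce
    params = {"timestamp": timestamp, "seq": seq, "key": key, "nonce": nonce,
              "signature": _mac(key, secret, timestamp, seq, nonce, body)}
    return url + "?" + urlencode(params)  # the secret itself is never sent

def verify_request(url, body, key, secret, now=None, max_skew_s=300):
    """Receiver side (hypothetical): known key, fresh timestamp, matching MAC."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("key") != key:
        return False
    try:
        sent = datetime.strptime(q["timestamp"], TS_FMT).replace(tzinfo=timezone.utc)
        expected = _mac(key, secret, q["timestamp"], q["seq"], q["nonce"], body)
        given = q["signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed signature parameters
    now = now or datetime.now(timezone.utc)
    if abs((now - sent).total_seconds()) > max_skew_s:
        return False  # stale or future-dated: bounds the replay window
    return hmac.compare_digest(expected, given)  # constant-time comparison

# Constructed sample values, not taken from the thread.
BODY = json.dumps({"topic": "com.example.alerts", "args": ["hello"]}).encode()
SIGNED = sign_request("https://bridge.example/publish", BODY,
                      "client-a", "s3cr3t-placeholder", seq=1)
```

Because the body is covered by the MAC, the client must send exactly the bytes it signed, and TLS is still needed to keep the payload confidential.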

Jun

Apr 14, 2016, 2:28:08 PM
to Crossbar
Hello, Tobias: 

Thank you for your reply. I have a few follow-up questions: 


1. How should the client construct the http request with the secret? For example, should the secret be put in the header or the body?

2. Different clients have different secrets. How does crossbar programmatically verify requests from different clients? If a registered callback will be called by crossbar to do the authentication, what info will crossbar pass over to the registered callback?

Another question: Does crossbar support access tokens (for authorization purposes) for the http bridge?
If the http request from the client contains access tokens, where should the client put the token in the http post requests? And how does crossbar pass over the access token to either a registered authorization callback or a subscriber?

Thanks

Regards,
Jun 




Jun

Apr 19, 2016, 8:39:47 PM
to Crossbar
Hello, Tobias and everyone:

Can you please help me with the following questions? Thanks


1. How should the client construct the http request with the secret? For example, should the secret be put in the header or the body?

2. Different clients have different secrets. How does crossbar programmatically verify requests from different clients? If a registered callback will be called by crossbar to do the authentication, what info will crossbar pass over to the registered callback?

Another question: Does crossbar support access tokens (for authorization purposes) for the http bridge?
If the http request from the client contains access tokens, where should the client put the token in the http post requests? And how does crossbar pass over the access token to either a registered authorization callback or a subscriber?

Thanks

Regards,
Jun 
