authentication in 0.7


jiun bookworm

Nov 17, 2013, 12:18:02 PM11/17/13
to sha...@googlegroups.com
Hi,
I'm building an app with sharejs as the backend for collaboration. One thing I don't quite understand is the way to pass authentication information in sharejs 0.7. With 0.6 it went into share.open(), but with 0.7 it can't go into the BSocket connection or into window.sharejs.Connection(). I looked at their definitions and the first takes nothing related to authentication, the second has only one parameter, the socket.
According to this thread: https://groups.google.com/forum/#!topic/sharejs/iDRuyevoHfE authentication is done at the connection level, so these are the only places I looked. Did I miss something? (At least client side, but I'm a Python, not a Coffee, programmer.) Can they be set while getting the document, i.e. at sjs.get('user','document'...)?

Jiun

Friedel Ziegelmayer

Nov 17, 2013, 6:16:14 PM11/17/13
to sha...@googlegroups.com
I'm implementing a system that does exactly this at the moment. It's a bit late atm for me to go into detail, but I'll write up something tomorrow to let you know how this can be done.

Cheers
dignifiedquire


--
You received this message because you are subscribed to the Google Groups "ShareJS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sharejs+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

jiun bookworm

Nov 21, 2013, 12:59:00 PM11/21/13
to sha...@googlegroups.com


On Monday, November 18, 2013 2:16:14 AM UTC+3, Friedel Ziegelmayer wrote:
> I'm implementing a system that does exactly this at the moment. It's a bit late atm for me to go into detail, but I'll write up something tomorrow to let you know how this can be done.
>
> Cheers
> dignifiedquire

Hi dignifiedquire,
thanks for looking at this, any news on the writeup?
cheers.
Jiun


aslak hellesoy

Nov 21, 2013, 1:12:52 PM11/21/13
to sha...@googlegroups.com
On Thu, Nov 21, 2013 at 5:59 PM, jiun bookworm <thebook...@gmail.com> wrote:
>
> On Monday, November 18, 2013 2:16:14 AM UTC+3, Friedel Ziegelmayer wrote:
> > I'm implementing a system that does exactly this at the moment. It's a bit late atm for me to go into detail, but I'll write up something tomorrow to let you know how this can be done.
> >
> > Cheers
> > dignifiedquire
>
> Hi dignifiedquire,
> thanks for looking at this, any news on the writeup?
> cheers.
> Jiun


Here is another one who would greatly appreciate some info on this.

Aslak

Friedel Ziegelmayer

Nov 21, 2013, 2:52:33 PM11/21/13
to sha...@googlegroups.com, aslak hellesoy
Sorry guys, I set out to do it Monday morning, but then a little shit storm happened at my company and I didn't get to it :/
I'll try to give you a quick overview of what I'm doing. If you want to know more details just ask.
Before I begin, I want to say that I am no security expert so please don't take this with caution.

As of 0.7 sharejs does not provide any way of making a socket connection, as was the case previously, so you have to roll your own. This makes things a lot more flexible and easier in my opinion and works very well. I'm using sockjs [1] as the underlying library to actually create a socket connection. To make this work you have to use transport-adapters [2] and my fork of sharejs [3], which will hopefully be merged soon. The transport-adapters repository has a simple working example of how to set up a basic connection without authentication in examples/sockjs.
So establishing a connection with sharejs on the server has two parts:

1. Establish a socket connection with sockjs.
2. Attach the socket connection to sharejs using the specified transport-adapter.

On the client there are two parts as well and the only difference is that there is no need for a transport-adapter. 
For adding the first layer of authentication I use the gap between steps 1 and 2. 
After the socket connection is established I send as a first message a JSON object that identifies the client as having a valid session. If the first message that the server receives is not this object, or the session is invalid, the connection is terminated.
If the session checks out I add it to a list of connections, save the credentials under the connection id, make a note that it is a valid connection and send the client a message saying that it was authenticated. Only now the server and the client give the connection to sharejs.

The second layer of security is added using the new middleware feature of sharejs. 
On the "connect", "subscribe", "fetch" and "submit" events I check using the saved credentials (looked up via the connection id) if the action is allowed for the given user and if not return an error/terminate the connection.

I hope this helps a bit, and if you have suggestions on how this can be improved I'm happy to hear them.

Cheers
dignifiedquire


[1] http://sockjs.org/
[2] https://github.com/dignifiedquire/transport-adapters
[3] https://github.com/share/ShareJS/pull/271

-- 
dignifiedquire


On November 21, 2013 at 7:13:13 PM, aslak hellesoy (aslak.h...@gmail.com) wrote:

jiun bookworm

Nov 22, 2013, 10:28:33 AM11/22/13
to sha...@googlegroups.com, aslak hellesoy
Thanks for the reply. Just a few clarifications first.

> If the session checks out I add it to a list of connections, save the credentials under the connection id, make a note that it is a valid connection and send the client a message saying that it was authenticated. Only now the server and the client give the connection to sharejs.

This sounds interesting. I've not worked with sockjs before, but I heard scaling this can be (in most instances) as easy as adding new nodes. How does this method scale beyond a single machine?
Would this be made possible by having a separate session store that can be used for this check?

> The second layer of security is added using the new middleware feature of sharejs.
> On the "connect", "subscribe", "fetch" and "submit" events I check using the saved credentials (looked up via the connection id) if the action is allowed for the given user and if not return an error/terminate the connection.

Doing the check on each call of these methods looks expensive. Does this move beyond a single node? Is this lookup against a DB in memory or on disk?

One more thing:
I've seen browserchannel being used in some of the examples on 0.7. Is there any explicit encouragement on which one to use between sockjs and browserchannel?
What is the biggest difference in your opinion? (And which one would you trust in a multinode environment?)

Can browserchannel also do something similar to what you have described? I can add a nodejs connect middleware to look at stuff like cookies before browserchannel sees the request, but I'm not sure I can have access to the request object inside browserchannel to do some of the fancy checks that you have.

Jiun.


Friedel Ziegelmayer

Nov 22, 2013, 3:19:49 PM11/22/13
to sha...@googlegroups.com, jiun bookworm
RE: Scaling Sockjs

Here [1] you can find some information on that. In short you just use a websocket capable load balancer and then let it do its work. (Warning: ELB on AWS is not websocket friendly!)


RE: Security Checks

These checks are done against another server, the result is stored in memory and then periodically refreshed.

RE: Browserchannel

I really dislike it for the simple reason that I had more trouble with it than necessary, but aside from that there is a simple reason to use SockJS over Browserchannel and that is Browserchannel does not provide a real socket connection. SockJS will use real websockets when available. So if your target market runs a fairly recent browser it is much more efficient.
I'm pretty sure you can somehow find the connection id from a Browserchannel connection if you look in the source code but I haven't tried that.

Cheers
dignifiedquire



[1] https://github.com/sockjs/sockjs-client/wiki/%5BArticle%5D-SockJS:-WebSocket-emulation-done-right#load-balancing-story

-- 
dignifiedquire
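The "checked against another server, stored in memory and periodically refreshed" pattern, as an added example (not code from the thread or from ShareJS). It shows why the per-op middleware check stays cheap: the remote lookup runs once per user per TTL window and every other check is a Map lookup. The remote ACL server is a constructed stand-in, and the `ttlMs` and `now` options are assumptions made so the refresh can be exercised deterministically:

```javascript
// Added example: TTL cache in front of a remote permission lookup, so the
// per-action check done in ShareJS middleware is an in-memory hit and the
// "other server" is only asked again when the entry has aged out.
function createPermissionCache(fetchPermissions, opts = {}) {
  const ttlMs = opts.ttlMs || 30000;          // refresh interval (assumed default)
  const now = opts.now || (() => Date.now()); // injectable clock for testing
  const cache = new Map();                    // user -> { perms: Set, fetchedAt }
  let remoteCalls = 0;

  // Permission set for `user`; hits the remote only when missing or stale.
  function permissionsFor(user) {
    const entry = cache.get(user);
    if (entry && now() - entry.fetchedAt < ttlMs) return entry.perms;
    remoteCalls += 1;
    const perms = new Set(fetchPermissions(user)); // unknown user -> empty set -> deny
    cache.set(user, { perms, fetchedAt: now() });
    return perms;
  }

  // Explicit invalidation for when a change must not wait for the TTL,
  // e.g. a user removed from a document.
  function invalidate(user) { cache.delete(user); }

  function check(user, action) { return permissionsFor(user).has(action); }

  return { check, invalidate, remoteCalls: () => remoteCalls };
}

// Constructed "other server": in practice an HTTP or RPC call to the auth service.
const REMOTE_ACL = new Map([
  ['alice', ['connect', 'subscribe', 'fetch', 'submit']],
  ['bob', ['connect', 'subscribe', 'fetch']],
]);
function fakeRemoteLookup(user) { return REMOTE_ACL.get(user) || []; }

// 1000 submit ops from alice inside one TTL window, then one after expiry.
function demoCache() {
  let clock = 0;
  const acl = createPermissionCache(fakeRemoteLookup, { ttlMs: 1000, now: () => clock });
  let allowed = 0;
  for (let i = 0; i < 1000; i++) {
    clock += 1;
    if (acl.check('alice', 'submit')) allowed += 1;
  }
  const callsWithinTtl = acl.remoteCalls();   // expected: 1
  clock += 1000;                              // TTL elapsed
  acl.check('alice', 'submit');
  const callsAfterExpiry = acl.remoteCalls(); // expected: 2
  const bobSubmit = acl.check('bob', 'submit');
  acl.invalidate('alice');
  acl.check('alice', 'submit');
  const callsAfterInvalidate = acl.remoteCalls(); // expected: 4
  return { allowed, callsWithinTtl, callsAfterExpiry, bobSubmit, callsAfterInvalidate };
}

console.log(demoCache());
```

The trade-off to keep in mind is staleness: a permission revoked on the auth server stays honoured locally for up to `ttlMs` unless something calls `invalidate`, so the TTL should be chosen against how quickly revocation needs to take effect, not only against request volume.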

jiun bookworm

Nov 22, 2013, 4:34:16 PM11/22/13
to sha...@googlegroups.com

Ok, don't be bothered, here are a few more.

> Here [1] you can find some information on that. In short you just use a websocket capable load balancer and then let it do its work.

Thanks, that's good news.

> RE: Security Checks
> These checks are done against another server,

This has to be done almost at a keystroke-by-keystroke level; does this not affect performance? (If 20 guys are typing 50 words a min you will have 50*20*No.of.Letters.per.word requests on authentication, if I have understood you right. I thought by default a user cannot submit to a document they did not originally open and subscribe to, so I would not have covered this angle before your comment, or did I assume that incorrectly?)
Or is Nodejs fast enough to handle this gracefully without any (human) perceivable slowdown?

> RE: Browserchannel
>
> I'm pretty sure you can somehow find the connection id from a Browserchannel connection if you look in the source code but I haven't tried that.

Ok, I think I found a way to access sessionId with it, but I'm probably going to end up using sockjs now. Let me give it a try first.

> Cheers
> dignifiedquire

Thanks
Jiun