stomp security


megablue

Nov 17, 2009, 3:14:56 PM
to Orbited Discussion
If I understand correctly....
Basically a stomp server is just an open message center: any stomp client
can connect to it, and anyone can subscribe to a specific channel and
read from / write to the channel.

How do I secure the setup to prevent malicious scripts from accessing the
Stomp server?

A Monkey

Nov 17, 2009, 3:40:18 PM
to orbite...@googlegroups.com
Hi megablue,

You understand the situation correctly. Most messaging systems will
offer some form of authentication and authorization functionality.
MorbidQ does, and I believe that RabbitMQ and QPid do also. Have a
look at what your messaging system says about this.

Thanks,
Desmaj

Jacob Rus

Nov 17, 2009, 4:22:42 PM
to orbite...@googlegroups.com
STOMP is a simple open protocol that doesn't force a message queue to
handle authorization/authentication in any particular way. Each
message queue has its own security configuration for limiting access
to particular channels to particular authorized users.

For example, here is the page for ActiveMQ:
http://activemq.apache.org/security.html

Here's the code for MorbidQ's auth support:
http://www.morbidq.com/trac/browser/trunk/morbid/mqsecurity.py

Stompserver seems to allow username/password authorization:
http://stompserver.rubyforge.org/

I'm not sure how RabbitMQ deals with this for STOMP clients, but at
least for AMQP clients, there's some description of setting up access
control here: http://www.rabbitmq.com/admin-guide.html#access-control

Does any of that help?

Cheers,
Jacob
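To make the broker-side part of this concrete, here is an added example (not code from the thread, MorbidQ, or any of the brokers named above) of the gate a message queue typically puts in front of STOMP frames: it parses the CONNECT, SUBSCRIBE and SEND frames, checks the `login`/`passcode` headers, and then checks a per-user, per-destination ACL before letting a SUBSCRIBE or SEND through. The user table, the ACL and the frames are constructed, hypothetical values.

```python
import hmac

# Constructed credentials and per-user destination ACL (hypothetical values,
# not any real broker's configuration).
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {
    "alice": {"/topic/news": {"subscribe", "send"}},
    "bob": {"/topic/news": {"subscribe"}},
}

def parse_frame(raw):
    """Split one NUL-terminated STOMP frame into (command, headers, body)."""
    text = raw.rstrip(b"\x00").decode("utf-8")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers.setdefault(key.strip(), value.strip())  # first header wins
    return lines[0].strip(), headers, body

def authenticate(headers):
    """Check CONNECT login/passcode in constant time; return user or None."""
    login, passcode = headers.get("login", ""), headers.get("passcode", "")
    expected = USERS.get(login)
    if expected is None or not hmac.compare_digest(expected.encode(), passcode.encode()):
        return None
    return login

def authorize(user, command, headers):
    """Allow SUBSCRIBE/SEND only if the ACL grants it for that destination."""
    op = {"SUBSCRIBE": "subscribe", "SEND": "send"}.get(command)
    dest = headers.get("destination", "")
    return op is not None and op in ACL.get(user, {}).get(dest, set())

def handle_session(frames):
    """Process one client's frames in order; return (command, outcome) pairs."""
    user, results = None, []
    for raw in frames:
        cmd, hdrs, _ = parse_frame(raw)
        if cmd == "CONNECT":
            user = authenticate(hdrs)
            results.append((cmd, "CONNECTED" if user else "ERROR"))
        elif user is None:
            results.append((cmd, "ERROR"))  # nothing allowed before authentication
        else:
            results.append((cmd, "OK" if authorize(user, cmd, hdrs) else "ERROR"))
    return results
```

With this gate in place, an anonymous client that skips CONNECT, or a client whose passcode is wrong, gets ERROR for every frame, and an authenticated user can only subscribe or publish where the ACL says so.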

Mario Balibrera

Nov 17, 2009, 5:33:46 PM
to orbite...@googlegroups.com
Additionally, MorbidQ's RestQ system allows you to prevent users from joining or publishing to channels, or connecting to the server at all, if you don't want them to: http://morbidq.com/trac/wiki/RestQ.

-mario

megablue

Nov 17, 2009, 10:49:15 PM
to Orbited Discussion
Thanks for the pointers... I'm reading those articles... However, I
think that the Stomp protocol is more complex than the traditional
server-client approach.