Closed ngoossens closed 5 years ago
@ngoossens Please sign the Contributor License Agreement!
Click here to manually synchronize the status of this Pull Request.
See the FAQ for frequently asked questions.
@ngoossens Thank you for signing the Contributor License Agreement!
@ngoossens thank you for taking the time to contribute. How would you go about testing this scenario? I can add an integration test but I need to understand what your clients do (and ideally also why).
Anything related to optional authentication makes me wonder if it's a good idea. I know, STOMP supports it already 🤷♂️
@michaelklishin, thanks for your reply.
We have an application where we create subscriptions to variables published from a service via RabbitMQ. Some of these variables are accessible without a login (e.g. server time) and others are not. When opening the web application, before logging in, we would like to create subscription to the publicly accessible variables using the default user. Later once the user has logged in we would use their new credentials to subscribe to all the available variables.
This is technically possibly with the current code but in a convoluted way. If you set use_http_auth
to true
in advanced.config
WebSTOMP will read the HTTP Authorization header for credentials and fall back to the default login if no Authorization header is provided (ignoring any credentials sent using the CONNECT
frame). Based on my reading of the STOMP specification this should also be possible using a CONNECT
frame without any HTTP headers, but it is currently not.
An integration test would have a few parts. The following would have use_http_auth
set to false
.
default_login
configured:
1.1. Over a WebSocket send a CONNECT
frame that includes valid credentials and expect that user to be authenticated.
1.2. Over a WebSocket send a CONNECT
frame omitting any credentials and expect that the default login is used.default_login
configured:
2.1. Over a WebSocket send a CONNECT
frame that includes valid credentials and expect that user to be authenticated.
2.2. Over a WebSocket send a CONNECT
frame omitting any credentials and expect the connection to fail.@ngoossens thanks. I will look into adding a few tests. If the team agrees this can go into 3.7.15 the earliest.
Thanks @michaelklishin. No rush, we can use a custom compiled version for now. Please let me know if I can assist in any way.
Tests added in #112. Thanks again @ngoossens 👍👍.
When the STOMP
default_login
is set and aCONNECT
frame is sent via a WebSocket without credentials the connection fails with bad login. This is becauserabbitmq-web-stomp
does not forward thedefault_login
torabbitmq-stomp
as part of the state.If
use_http_auth
is set totrue
this state is passed torabbitmq-stomp
but then the credentials in theCONNECT
frame are ignored and thedefault_login
is always used if no HTTP Authorization header is set.This pull request slightly modifies the flow to also send the
default_login
torabbitmq-stomp
even ifuse_http_auth
isfalse
. In this way one can use aCONNECT
frame both with credentials and without (falling back to the default user if configured).