Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2019/11/08 16:12:16 UTC

[GitHub] [pulsar] waxzce opened a new issue #5598: Proxy Websocket authentication using websocket in browser

URL: https://github.com/apache/pulsar/issues/5598
 
 
   The WebSocket API in a browser does not allow managing headers: https://developer.mozilla.org/en-US/docs/Web/API/WebSocket/WebSocket
   
   Authentication using plain HTTP is not possible in this case, and it seems that is what Pulsar implements at the moment: https://github.com/apache/pulsar/blob/master/pulsar-websocket/src/main/java/org/apache/pulsar/websocket/AbstractWebSocketHandler.java#L70
   
   There are mainly 4 solutions used out there to authenticate WS:
   
   1. All in the query string (do not want to argue here, seems to be a bad bad idea)
   2. Send a first message after connection containing the auth and close the WebSocket if there is no auth message for X seconds (I'm also not a big fan of this)
   3. In the URL, you can add `wss://user:password@pulsarhost/` and it will be treated as HTTP basic auth; with `wss://my_token@pulsarhost/`, the user will be the token and the password empty. Can work despite the ugly semantics.
   4. At the opening of the browser WebSocket, we can pass as an argument a string array which will be sent as the `Sec-WebSocket-Protocol` header and is available downstream to the authImpl, so each auth plugin can manage it. (There are some limitations, so using base64 will be mandatory, but it is easy wrapping.)
   
   So, how do you want to manage this? Manage it explicitly on the WebSocket proxy or let people manage it?
   
   My personal opinion is option 4, but if we do that, it would be best to make it work in the default auth plugin and add it to the documentation.
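
Option 4 from the issue, sketched as an added example that is not part of the original post and is not Pulsar's implementation: the client wraps the credential in unpadded base64url so it is a legal subprotocol value, and the server extracts it from `Sec-WebSocket-Protocol` without echoing it back. The names `pulsar-ws` and `pulsar-auth.` are hypothetical, and the code runs under Node so both sides can be exercised together.

```javascript
// Added example; "pulsar-ws" and "pulsar-auth." are hypothetical names, not Pulsar's.
const APP_PROTOCOL = "pulsar-ws";    // non-secret subprotocol the server may echo
const AUTH_PREFIX = "pulsar-auth.";  // marks the entry that carries the credential

// RFC 6455: each subprotocol must be an HTTP token (no space, ",", "/", "=").
const HTTP_TOKEN = /^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/;

// Unpadded base64url keeps the credential inside the allowed character set.
// Buffer is Node's; in a browser the encoding step would use btoa().
const toB64Url = (s) => Buffer.from(s, "utf8").toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64Url = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");

// Client: the array given as second argument to `new WebSocket(url, protocols)`.
function buildProtocols(authToken) {
  return [APP_PROTOCOL, AUTH_PREFIX + toB64Url(authToken)];
}

// Server: read the Sec-WebSocket-Protocol request header. Returns the decoded
// credential for the auth plugin and the single value to echo in the response.
function parseProtocolHeader(headerValue) {
  const rejected = { token: null, accept: null };
  const offered = String(headerValue || "").split(",").map((p) => p.trim()).filter(Boolean);
  if (!offered.every((p) => HTTP_TOKEN.test(p))) return rejected;

  // Exactly one credential entry; zero or several is ambiguous, so reject.
  const creds = offered.filter((p) => p.startsWith(AUTH_PREFIX));
  if (creds.length !== 1) return rejected;
  const encoded = creds[0].slice(AUTH_PREFIX.length);
  if (!/^[A-Za-z0-9_-]+$/.test(encoded)) return rejected;

  // Echo only the non-secret name so the credential is never reflected back.
  // A browser fails the connection when the echoed value was not one it offered.
  if (!offered.includes(APP_PROTOCOL)) return rejected;
  return { token: fromB64Url(encoded), accept: APP_PROTOCOL };
}

// Constructed sample credential; characters like "/", "+", "=" force the wrapping.
const sample = "constructed/token+value==";
const header = buildProtocols(sample).join(", ");
console.log(header, parseProtocolHeader(header));
```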
