
WebSocket authentication

Samir Kumar
Added about 4 years ago

Hi,

Please let me know if Tigase supports Websocket authentication. Following is the intent behind this query:

Usually clients should not be allowed to create a websocket connection unless they have successfully completed the authorization process. This is to ensure only valid users are able to create ws connections with the server, hence preventing any denial of service attack issues wherein spurious clients can create numerous ws connections without any intent of making use of them. Instead they could create a denial of service by eating up all the server resources. Atmosphere socketio does provide a token based authentication for websocket creation.

Regards

Samir


Replies (7)


Added by Artur Hefczyc TigaseTeam about 4 years ago

I am not sure if I correctly understand you, so my comments might not make much sense. Please correct me if I am wrong.

There is no way on the server to prevent an application from opening a websocket (or any kind of TCP/IP) connection to the server. If you are talking about authentication, how can the server know whether the client is authenticated or not if the client is not connected to the server?

That said, we are aware of the possibility of DoS attacks or even DDoS attacks, and it really does happen in fact. Therefore, Tigase employs several techniques to reduce the impact of such an attack and minimize the risk:

  1. Tigase offers new connections throttling, so there is a maximum number of new connections per second that Tigase accepts. If the threshold is exceeded, the rest of the connections are refused.

  2. There is an authentication timeout in the server, so the client has a certain time to properly authenticate since the connection was opened. If the client does not authenticate within the required time, the connection is then closed.

  3. Cluster mode: if Tigase is deployed on several servers, then it makes it more difficult to bring the entire service down.

  4. Traffic throttling - Tigase allows you to set limits on the traffic generated by a single user.

There are some other mechanisms in Tigase to further improve security. However, if a DDoS attack is properly performed, no service is really secure or can withstand it.
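The first two defences Artur lists (a cap on new connections per second, and closing connections that have not authenticated within a timeout) are easy to reason about in isolation. The following is an added illustration written for this thread, not code from Tigase; the class name `ConnectionGuard`, the sliding one-second window and the injected clock are my own assumptions, chosen so the behaviour can be checked deterministically without real sockets.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ConnectionGuard:
    """Illustrative (not Tigase's) model of two defences from the thread:
    a limit on new connections per second and an authentication timeout.
    Time is passed in explicitly (seconds) so the logic is easy to test."""
    max_new_per_second: int
    auth_timeout: float
    _accept_times: deque = field(default_factory=deque)  # accept timestamps, last second
    _pending: dict = field(default_factory=dict)         # conn_id -> accept time, not yet authed
    _authenticated: set = field(default_factory=set)

    def on_connect(self, conn_id: str, now: float) -> bool:
        """Return True if the new connection is accepted, False if refused."""
        # Slide the window: forget accepts that are a second or more old.
        while self._accept_times and now - self._accept_times[0] >= 1.0:
            self._accept_times.popleft()
        if len(self._accept_times) >= self.max_new_per_second:
            return False  # threshold exceeded: refuse, as in point 1 above
        self._accept_times.append(now)
        self._pending[conn_id] = now
        return True

    def on_authenticated(self, conn_id: str) -> None:
        """Mark a pending connection as authenticated so it is no longer subject to the timeout."""
        if self._pending.pop(conn_id, None) is not None:
            self._authenticated.add(conn_id)

    def expire_unauthenticated(self, now: float) -> list:
        """Return (and forget) connections that stayed unauthenticated past the timeout;
        a real server would close these sockets (point 2 above)."""
        expired = [c for c, t in self._pending.items() if now - t >= self.auth_timeout]
        for c in expired:
            del self._pending[c]
        return expired

    def authenticated(self) -> list:
        return sorted(self._authenticated)


def simulate() -> dict:
    """Constructed scenario: five clients connect within 0.4 s, a sixth two seconds later,
    only the first one ever authenticates, and the reaper runs at t=6 s."""
    guard = ConnectionGuard(max_new_per_second=3, auth_timeout=5.0)
    accepted = [guard.on_connect(f"c{i}", now=0.1 * i) for i in range(5)]
    later = guard.on_connect("c5", now=2.0)  # window has moved on, so accepted again
    guard.on_authenticated("c0")
    expired = sorted(guard.expire_unauthenticated(now=6.0))  # c1 and c2 idle too long
    return {"accepted": accepted, "later": later, "expired": expired,
            "authenticated": guard.authenticated()}


if __name__ == "__main__":
    print(simulate())
```

With a limit of three per second, the fourth and fifth connection attempts are refused, the sixth (two seconds later) is accepted, and at the six-second mark the reaper returns `c1` and `c2`, which connected but never authenticated; `c5` is still inside its five-second grace period.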

Added by Samir Kumar about 4 years ago

Hi Artur,

First of all, thanks for the quick response (as always); I really appreciate it.

There could be certain scenarios where XMPP web-socket creation can be restricted only to valid users who have already been authenticated during a 1st-level authentication using standard or proprietary authentication algorithms. XMPP web-socket authentication could be a 2nd level of authentication for added security. In other words, the XMPP server (being a back-end server) can only be reached by valid users. This is to protect key back-end nodes (e.g. the XMPP server) from any DDoS attacks by providing multi-layer authentication.

Please let me know if the above makes sense, and it would be great if you could let me know whether Tigase could be customized to accommodate an authentication process during web-socket handshaking. If yes, please share which classes/files or module in the Tigase source code can accommodate this logic.

Thanks in advance

Regards

Samir

Added by Samir Kumar about 4 years ago

Hi Artur,

Just wanted to inform you that I was able to figure out the code location and was able to successfully add the auth logic during the web-socket handshake.

Regards

Samir


Added by Artur Hefczyc TigaseTeam about 4 years ago

Samir, you are most likely referring to web application authentication over HTTP with some HTTP service before opening a web sockets connection. Then the HTTP service can communicate with Tigase to exchange a token for the user, so the user does not have to enter login data 2 times. Yes, Tigase does support this and it is possible.

However, I do not see how it can protect you from a DDoS attack. There is nothing really stopping malicious people from skipping the first step (HTTP authentication) and opening a TCP/IP connection directly with the XMPP server. Even if they cannot authenticate/login to the XMPP server, they can still try to drain resources on the XMPP server. As mentioned above, Tigase does have some mechanisms to protect itself and reduce the impact of such attacks.

Added by Samir Kumar about 4 years ago

Thanks Artur. Yes, it is almost along the same lines as the auth over HTTP, and your interpretation is correct. Web-socket handshaking uses HTTPS (GET & 101 Switching Protocols), and the idea is to use some token based authentication during this handshaking to either allow or disallow the web-socket to be opened, based upon authentication success or failure respectively.

Regards

Samir
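The handshake gate Samir describes (inspect the upgrade GET, and answer 101 Switching Protocols only when a token from the first-stage login checks out) can be shown end to end in a few dozen lines. This is an added example for this thread, not Samir's patch and not Tigase code; the token format (`user.expiry.hmac`), the shared secret, the `/xmpp-websocket` path and the `build_request` helper are constructed for the demonstration. The `Sec-WebSocket-Key`/`Sec-WebSocket-Accept` derivation is the standard one from RFC 6455, and the sample key is the RFC's own example, so the expected accept value is known.

```python
import base64
import hashlib
import hmac
from typing import Optional

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455


def issue_token(secret: bytes, user: str, expires_at: int) -> str:
    """Token the first-stage HTTP login would hand to the browser.
    Hypothetical format: <user>.<unix expiry>.<hex HMAC-SHA256 over 'user.expiry'>."""
    msg = f"{user}.{expires_at}".encode()
    return f"{user}.{expires_at}.{hmac.new(secret, msg, hashlib.sha256).hexdigest()}"


def verify_token(secret: bytes, token: str, now: int) -> Optional[str]:
    """Return the user name if the token is well-formed, unexpired and correctly signed, else None."""
    parts = token.rsplit(".", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, exp, sig = parts
    if now >= int(exp):
        return None
    expected = hmac.new(secret, f"{user}.{exp}".encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(expected, sig) else None  # constant-time compare


def parse_request(raw: bytes):
    """Minimal parser for the request head of an HTTP/1.1 upgrade request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def handshake_response(raw: bytes, secret: bytes, now: int) -> bytes:
    """Decide the handshake: 101 only for a valid upgrade carrying a valid bearer token."""
    method, _target, h = parse_request(raw)
    if method != "GET" or h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    scheme, _, token = h.get("authorization", "").partition(" ")
    user = verify_token(secret, token, now) if scheme.lower() == "bearer" else None
    if user is None:
        # Refuse before upgrading: no WebSocket session is ever created for this client.
        return b"HTTP/1.1 401 Unauthorized\r\nConnection: close\r\n\r\n"
    accept = base64.b64encode(hashlib.sha1((h["sec-websocket-key"] + WS_GUID).encode()).digest()).decode()
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept}\r\n\r\n"
    ).encode()


def build_request(token: Optional[str]) -> bytes:
    """Constructed client upgrade request; the key is the example from RFC 6455 section 1.3."""
    lines = [
        "GET /xmpp-websocket HTTP/1.1",
        "Host: xmpp.example.test",
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
        "Sec-WebSocket-Version: 13",
        "Sec-WebSocket-Protocol: xmpp",
    ]
    if token:
        lines.append(f"Authorization: Bearer {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    tok = issue_token(secret, "alice", expires_at=2000)
    print(handshake_response(build_request(tok), secret, now=1000).decode())
    print(handshake_response(build_request(None), secret, now=1000).decode())
```

A valid, unexpired token yields `101 Switching Protocols` with `Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=`; a missing, expired or tampered token yields `401` and the socket is closed without ever becoming a WebSocket. As Artur notes in the thread, this gate only runs once a TCP connection has already been accepted, so it keeps unauthenticated clients out of the XMPP layer but does not by itself stop a flood of raw connections; the throttling and authentication-timeout limits still matter.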


Added by Artur Hefczyc TigaseTeam about 4 years ago

Hm, we do have something like this for Bosh connections. It is called Bosh pretending. You can authenticate the client over HTTP, and the HTTP server connects with Tigase through a REST API call to obtain authentication tokens, so when a web client connects over Bosh to the Tigase server, it does not have to go through XMPP authentication. However, I am not sure if this is also working for web sockets. Most likely not.

Wojciech should be able to clarify on this.

Added by Samir Kumar about 4 years ago

Thanks Artur. Yes, you are correct, as currently the BOSH-pretending kind of logic is not available for web sockets.

Regards

Samir
