You are not logged in.
- Topics: Active | Unanswered
Pages: 1
#1 2015-08-18 14:40:57
- ulutepe
- Member
- Registered: 2014-05-23
- Posts: 6
Stucked on encryption over websockets
in your 31 - WebSockets samples with both chat and longwork project i tried to use encryption over http and couldn't find how to
encrypt my request and responses. simply i changed chat server run method like this
...
Server := TSQLRestServerFullMemory.CreateWithOwnModel([]);
try
Server.CreateMissingTables;
Server.ServiceDefine(TChatService, [IChatService], sicShared).
SetOptions([], [optExecLockedPerInterface]). // thread-safe fConnected[]
ByPassAuthentication := true;
HttpServer := TSQLHttpServer.Create('8888', [Server], '+', useBidirSocket, 32, secSynShaAes);
try
HttpServer.WebSocketsEnable(Server, PROJECT31_TRANSMISSION_KEY).
Settings.SetFullLog; // full verbose logs for this demo
CompressShaAesSetKey('asdqwe123', TAESECB);
...
then client run method like this
....
Client := TSQLHttpClientWebsockets.Create('127.0.0.1', '8888', TSQLModel.Create([]));
try
Client.Compression := [hcSynShaAes];
Client.Model.Owner := Client;
Client.WebSocketsUpgrade(PROJECT31_TRANSMISSION_KEY);
CompressShaAesSetKey('asdqwe123', TAESECB);
if not Client.ServerTimeStampSynchronize then
raise EServiceException.Create(
'Error connecting to the server: please run Project31ChatServer.exe');
Client.ServiceDefine([IChatService], sicShared);
if not Client.Services.Resolve(IChatService, Service) then
raise EServiceException.Create('Service IChatService unavailable');
.....
then i used broser like this
http://localhost:8888/root/ChatService/blabla?pseudo=Browser&msg=Test%20Message
result: message "Test Message" sended to all clients
questions
1- how can i prevent broswer or un authorized service calls like browser call above. because each call creates a null callback interface so that is
a bit security issue for everyone.
2- is there any other ways using callbacks with your servers except websocket
3- is there any way to learn client ip from your rest servers?. all servicecontext.request.call.inhead is empty.
thank you
Offline
#2 2015-08-18 18:58:52
Re: Stucked on encryption over websockets
Once you switched to WebSockets, there is no HTTP link any more.
The Client.Compression field is not used at all.
Therefore, once you switched to WebSockets, it uses its own encryption, for the binary protocol.
For JSON/Ajax protocol, there is no encryption possible, in the WebSockets protocol itself.
Offline
#3 2015-08-19 08:36:09
- ulutepe
- Member
- Registered: 2014-05-23
- Posts: 6
Re: Stucked on encryption over websockets
so never mind encryption. i need this answers
--------------------
i used browser on your chat sampe like this
http://localhost:8888/root/ChatService/blabla?pseudo=Browser&msg=Test%20Message
result: message "Test Message" sended to all clients
questions
1- how can i prevent broswer or un authorized service calls like browser call above. because each call creates a null callback interface so that is
a big security issue for everyone.
2- is there any other ways using callbacks with your servers except websocket
3- is there any way to learn client ip from your rest servers?. all servicecontext.request.call.inhead is empty.
---
Offline
#4 2015-08-19 10:49:18
Re: Stucked on encryption over websockets
1. You may add a verification step before registering each client browser, once upgraded to WebSockets.
You may use our interface-based services, and its session abilities, if you do not want to reinvent the wheel. It would create a session, then sign each WebSocket frame with its private signature.
2. Direct execution would call the callback directly.
But for remote execution, we only provide WebSockets support yet.
What other protocol did you espect?
3. There is no direct way yet, AFAIR.
Any contribution is welcome.
Offline
Pages: 1