Contents

Previous topic

Exception Handling

Next topic

The MessageHandler Class

Useful Links

  1. Docs
  2. Authentication Methods

Authentication Methods

The Realm is a WAMP routing and administrative domain, optionally protected by authentication and authorization.

In the WAMP Basic Profile without session authentication the Router will reply with a “WELCOME” or “ABORT” message.

,------.          ,------.
|Client|          |Router|
`--+---'          `--+---'
   |      HELLO      |
   | ---------------->
   |                 |
   |     WELCOME     |
   | <----------------
,--+---.          ,--+---.
|Client|          |Router|
`------'          `------'

The Advanced router Profile provides some authentication options at the WAMP level - although your app may choose to use transport level auth (e.g. cookies or TLS certificates) or implement its own system (e.g. on the remote procedure).

,------.          ,------.
|Client|          |Router|
`--+---'          `--+---'
   |      HELLO      |
   | ---------------->
   |                 |
   |    CHALLENGE    |
   | <----------------
   |                 |
   |   AUTHENTICATE  |
   | ---------------->
   |                 |
   | WELCOME or ABORT|
   | <----------------
,--+---.          ,--+---.
|Client|          |Router|
`------'          `------'

Challenge Response Authentication

WAMP Challenge-Response (“WAMP-CRA”) authentication is a simple, secure authentication mechanism using a shared secret. The client and the server share a secret. The secret never travels the wire, hence WAMP-CRA can be used via non-TLS connections.

wampy needs the secret to be set as an environment variable against the key WAMPYSECRET on deployment or in the test environment (if testing auth) otherwise a WampyError will be raised. In future a Client could take configuration on startup.

The Router must also be configured to expect Users and by what auth method.

For the Client you can instantiate the Client with roles which can take authmethods and authid.

roles = {
    'roles': {
        'subscriber': {},
        'publisher': {},
        'callee': {
            'shared_registration': True,
        },
        'caller': {},
    },
    'authmethods': ['wampcra']  # where "anonymous" is the default
    'authid': 'your-username-or-identifier'
}

client = Client(roles=roles)

And the Router would include something like...

"auth": {
    "wampcra": {
        "type": "static",
        "role": "wampy",
        "users": {
            "your-username-or-identifier": {
                "secret": "prq7+YkJ1/KlW1X0YczMHw==",
                "role": "wampy",
                "salt": "salt123",
                "iterations": 100,
                "keylen": 16,
            },
            "someone-else": {
                "secret": "secret2",
                "role": "wampy",
                ...
            },
            ...
        }
    },
    "anonymous": {
        "type": "static",
        "role": "wampy"
    }
}

with permissions for RPC and subscriptions optionally defined. See the included testing config for a more complete example.

Exception Handling
The MessageHandler Class
© Copyright 2016, simon harrison. Created using Sphinx.