I noticed that when an MQTT Client with the same Client ID as another MQTT Client already connected to Solace, the second client will get "Not authorized to connect (5)" error message. When I tried the same scenario but connect to a different Solace appliance, the second client succeeded in connecting but the first client was disconnected forcefully by Solace. I checked the settings in both appliances but could not find any settings that lead to the different behaviour. Can anyone advise?
When a new client connects to a Solace appliance, and that client uses the same client name as an existing, connected client, you can configure the appliance to either:
reject the new duplicate client’s connection attempt
disconnect the existing client and connect the new, duplicate client
By default, the replacement of duplicate client connections during authentication is enabled on the appliance. To disable the replacement of duplicate client connections during authentication, use the following CONFIG command:
solace(config)# authentication
solace(config-auth)# no replace-duplicate-client-connections
If you are using SolAdmin to manage the appliance, you can change this property by navigating to the User Management tab, and selecting User Authentication from the Select View box. From the box at the right side of the Element Details area, select Manage Global Authentication, and click Execute Task. In the dialog box that appears, you can select or clear the Replace Duplicate Client Connections check box.
Related
I have multiple devices sending messages to a mosquito broker. I would like to manage a kind of device revocation so that when a device is revoked, I want the mosquito broker to automatically close the connection for this specific device.
Is there any command or way to ask the broker to explicitly close a connection to a specific client?
Thanks in advance,
hak
I do not think you can kick an already connected client.
But what you can do if using the Authentication Plugin (either a 3rd party or the included dynamic security plugin) to change the ACL that the user can publish/subscribe to which should effectively stop the client sending or receiving any messages and when it next tries to connect it will not be allowed.
I have registered 3 LDAP Servers in Solace for client authentication using LDAP protocol. I understand that Solace creates a connection pool to handle requests to one of the LDAP Servers. But, I wonder whether the other two LDAP Servers are being used for load balancing purposes (meaning Solace will send LDAP requests to them in the event that the first one is overloaded) or only for backup purposes in case the first one is not accessible.
The additional LDAP servers are configurable for redundancy purposes. The Solace PubSub+ message broker will attempt to connect to the LDAP server in the order of preference based off of the index number. Once connected, the message broker continues to use this connection to authenticate clients until the connection goes down. (e.g. timeout from the far end or a shutdown of the LDAP profile).
MQTT Broker can disconnect the existing client if the following condition is came up.
http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Toc398718090
If the ClientId represents a Client already connected to the Server then the Server MUST disconnect the existing Client
[MQTT-3.1.4-2].
At this time, can broker send any specific message excluding "DISCONNECT" to client before server disconnect the existing client ?
Most brokers are going to follow the spec, if you want one to do something different then you will have to either write your own or modify one of the open source versions.
Currently I need to implement socks client. According RFC, Socks protocol has two main commands: CONNECT and BIND. CONNECT is used to forward an outbound connection from socks' client to desired Server. BIND is used to forward an inbound connection from desired Server to socks' client.
My client work as follows:
Firstly It makes connection to socks Server, let us call it a "client connection".
After that it issues commands.
I have some misunderstanding with a "client connection" utilisation. Hence, I have the following questions:
A "client connection" could be used only for one CONNECTION command, is that right ? So for each desired communication I need to create a new "client connection" and after that issue command CONNECT.
For BINDing, firstly, i need to issue CONNECT and after issue command BIND. These commands must be issued in a one "client connection", am I right ?
How many inbound connections socks server could receive on BIND socket ? Only one ?
How traffic flows in case of BIND is used ? We have a "client connection" to socks server. For the "client connection" socks server has one connection to desired server and one incoming connection from desired server. Hence, socks server could receive data from two connections. How this traffic is mixed to the "client connection"?
Yes.
No. BIND is separate from CONNECT. It is for when you want to listen, so you tell the server to listen on your behalf and tell him what port you're listening on.
Pass.
There is only one connection between the client and the SOCKS server. Everything arriving from the client is sent to the 'desired server'. Everything arriving from the 'desired server' is sent to the client. There is nothing to mix. You wouldn't want the client's sends to be sent back to him, would you?
I use SignalR 1.0.1 as a chat core for ASP.NET MVC3 application. Using IIS 7.5
There are two methods in MVC controller which provides access to chat views:
1. First method is public, allowing anonymous users to chat - no authorization.
2. Access to second method is restricted with [Authorize] attribute, for domain users - chat agents.
There is no explicitly specified authorization in the Hub.
For this scenario I involved both Windows and Anonymous authentication on IIS.
I also implemented custom Role Provider, which operates only in memory - not persisting anything to database.
What happens is that using '[Authorize]' attribute in controller method leads to responsing 500 from Hub, both when call is coming from authorized view, and the anonymous one:
Request (send is Hub method for sending messages):
http://localhost:8101/signalr/send?transport=serverSentEvents&connectionToken=VIXEZzWQSn5SNlA8RUy4iaOPDFdvuPBjMvFBiG2FLfvfxF347XHwtapsEV5ndU4OEI0Xb64W2ZRXTqwBiL2CXg2_JlTaTJ2RnVOj4bjvx6tQaYhAqTaXs9k2853GYqzd0
Response:
The connection id is in the incorrect format.
Server stack trace:
at Microsoft.AspNet.SignalR.PersistentConnection.GetConnectionId(HostContext context, String connectionToken)
at Microsoft.AspNet.SignalR.PersistentConnection.ProcessRequest(HostContext context)
at Microsoft.AspNet.SignalR.Owin.CallHandler.Invoke(IDictionary2 environment)
at Microsoft.AspNet.SignalR.Owin.Handlers.HubDispatcherHandler.Invoke(IDictionary2 environment)
at Microsoft.Owin.Host.SystemWeb.OwinCallContext.Execute()
at Microsoft.Owin.Host.SystemWeb.OwinHttpHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object extraData)<br/><br/>
But notice, that connecting to Hub works fine, returns 200 OK:
http://localhost:8101/signalr/connect?transport=serverSentEvents&connectionToken=dYOwFxa1mkgdpzw-jitRpWq9oxRlrTet8U_dAzWjFQEdGNJfVXeG7Op0NZZwvznxeNdJCuPT75CKzQqI9HRPThV3uEDt-Z2qtIl9E02gF481&connectionData=%5B%7B%22name%22%3A%22chathub%22%7D%5D&tid=9
I found little similiar thread here on stackoverflow:
signalr The connection id is in the incorrect format
from which I understand, that when invoking my Send method, the Hub is processing request with Identity different than the one used to connect to Hub, OR Hub's GetConnectionId finds, that user is actually not authorized - but how it checks that assumption, when there is no authorization specified on the Hub itself?
Can someone put some light on this?
Thanks in advance :)
SignalR signs both your connection id and your Identity together in order to create a new connectionToken every time you start a new connection. This connectionToken is then sent to the SignalR client as part of the negotiate response.
Every time you make a request to SignalR, whether it be a connect, reconnect, or send request, SignalR verifies that your connectionToken matches both your client's connection id AND Identity.
The connectionToken is essentially a CSRF token used in order to prevent attackers running third-party websites from surreptitiously making SignalR requests on behalf of shared clients. Obviously this doesn't help if you've enabled SignalR's cross-domain support, but the connectionToken still works the same in this case.
Taylor's answer was correct. You should stop and then start your SignalR connection when your client's Identity changes. This will force a new negotiate request which will give your client a new connection id with a new connectionToken signed with your client's updated Identity.
P.S. The server-sent events connect request isn't failing because it was established before your client's Identity was changed. The connectionToken is only checked at the request is received, but server-sent events keeps the response open indefinitely.
That's all true what you said and it actually takes place in my issue.
But I also found the the root cause:
One of main assumptions during design was to allow both anonymous users to use the chat without need to sign-in and the back-end users (agents) to sign-in to restricted area of chat using their Windows credentials.
So on the IIS manager I enabled both Anonymous authentication (allowing anonymous users to use the chat) and the Windows authentication (allowing agents to access using their Windows credentials).
MVC application is configured to use Windows authentication - the [Authorize] attribute mentioned in question, but only to restrict access for agent's view of chat.
What actually happens with above configuration is:
1. When client (agent) requests restricted View (let's say it's /Chat/Agent) the [Authorize] attribute initializes authentication (Windows)
2. Client-side Javascript requests Negotiate, what generates connectionId and binds it with client's Windows Identity
3. Here is the tricky part: Because Hub not uses any authentication explicitly, calling send method does not result in any authentication request - IIS Anonymous authentication takes precedency before Windows authentication, and send request is sent with anonymous Identity - but in Hub actual connectionId is related to Identity passed in point 2.
This scenario leads to situation you described - connect is called with different Identity than send and Hub returns The connection id is in the incorrect format.