Results 1 to 4 of 4
  1. #1

    Lightstreamer subscribe call security

    Hi, we are looking for a push solution for our SmartGwt app.
    As part of that effort we have done a lightstreamer POC, and after playing with it for a while, we have the following question:

    Is there a mechanism to prevent a URL spoofing by merely substituting legitimate ids contained in the GET url of subscribe request, for others, that the client is not supposed to ever see?


    1) Since our grids data is cached on the client, we have to use the actual record keys, rather than physical row id.

    2) In our case, the hacker wouldn't even have to know the actual record keys, the mere fact of an update to someone else's record, never mind it's contents, constitutes a major security breach.

    Please advise.

  2. #2
    Join Date
    Feb 2012
    Hi blin_1,

    As for the issues relating to data authorization and security, we provide simple guidelines in Section 4.1 of this document.
    In this regard, the implementation of some methods of the Metadata Adapter interface allow you to authenticate users and allow subscriptions only from user sessions regularly signed up.

    In addition for your case you could implement in getItems some logic for customized Item names or Item names used only once.

    Finally, have you the possibility to use SSL connections?

  3. #3
    Thank you for the clarification, Giuseppe.
    Looks like the authorization part is what we need.
    The document provided revers to Vivace version - I assume Moderato is the same?
    And yes, we will be using SSL and a session based portal SSO.

  4. #4
    Join Date
    Jul 2006
    Milan, Italy
    Yes, the authentication and authorization part applies to Moderato as well. But SSL is not available on Moderato.



Tags for this Thread


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
All times are GMT +1. The time now is 05:28 AM.