Last post Oct 23, 2013 03:19 PM by midgetspy
Oct 22, 2013 08:03 PM|midgetspy
I have a hub which needs to send out messages to only those clients which are authorized to receive them. Using groups for this would be a perfect solution except that the docs explicitly say not to use groups for security. Is there a recommended pattern for this? Checking authorization on connect and tracking authorized connection IDs on the server side then manually sending messages only to the authorized connection IDs seems like a roundabout way to go about it.
This blog entry says that groups are round-tripped with the client and thus can't be used for security, but in the next sentence mentions that groups sent from the client to server are ignored by default. Doesn't this mean that I could do an authorization before allowing the client to join the group and then use the group for security after that point?
Thanks in advance.
Oct 23, 2013 12:23 PM|davidfowl
Ya, that blog entry is old and talks about SignalR 0.5.3; we're at 2.0 now. Groups are signed and encrypted so you can be sure that a client was added to a particular group from the SignalR server. The extra security you would need to add is to make sure that connections are still in the groups they claim to be in (as we don't ever expire group membership).
You can learn more about groups here:
Oct 23, 2013 03:19 PM|midgetspy
Thanks David, that's perfect. The official site is where I originally read "do not use groups as security", is that advice outdated?
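
The pattern discussed in this thread (authorize on the server before adding a connection to a group, and remove it explicitly because membership never expires), as an added example that is not part of the thread or the SignalR project's own code. It is written against the SignalR 2.x hub API; `ReportHub`, `IReportAccessPolicy`, the `reportUpdated` client callback and the group naming scheme are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.SignalR;

// Hypothetical authorization check; back it with the application's own policy store.
public interface IReportAccessPolicy
{
    bool CanRead(string userName, string reportId);
}

[Authorize] // SignalR's attribute: unauthenticated connections cannot call the hub
public class ReportHub : Hub
{
    private readonly IReportAccessPolicy _policy;

    // Assumes the hub is registered with SignalR's dependency resolver
    // so that this constructor can be satisfied.
    public ReportHub(IReportAccessPolicy policy) { _policy = policy; }

    private static string GroupName(string reportId) { return "report:" + reportId; }

    // The client only requests membership; the server decides after checking policy.
    public async Task Subscribe(string reportId)
    {
        var user = Context.User.Identity.Name;
        if (!_policy.CanRead(user, reportId))
            throw new HubException("Not authorized for this report.");

        await Groups.Add(Context.ConnectionId, GroupName(reportId));
    }

    // Membership does not expire, so call this when access is revoked.
    // The caller must supply the connection ID to remove.
    public static Task Revoke(string connectionId, string reportId)
    {
        var ctx = GlobalHost.ConnectionManager.GetHubContext<ReportHub>();
        return ctx.Groups.Remove(connectionId, GroupName(reportId));
    }

    // Server-side publish: only connections added through Subscribe receive it.
    public static void Publish(string reportId, string message)
    {
        var ctx = GlobalHost.ConnectionManager.GetHubContext<ReportHub>();
        ctx.Clients.Group(GroupName(reportId)).reportUpdated(reportId, message);
    }
}
```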