Android MQTT Security - how to prevent abusers subscribing to topics?

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use or share it you must comply with CC BY-SA, cite the original URL and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/10057189/

Time: 2020-08-20 02:20:23  Source: igfitidea

MQTT Security - how to prevent abusers subscribing to topics?

Tags: android, mqtt

Asked by Daniel Guillamot

I've got everything setup and working for MQTT now. I am using the IBM wmqtt.jar and the Mosquitto broker..


My Java Servlet creates an MQTTConnection to the broker and publishes under the topic "AndroidDeviceID/myAppName" ..


The Android client subscribes to that same topic...


It seems to me that if anyone knew the device name of my user, they could create a simple android app and subscribe to that topic on my MQTT broker. Then they get all the notifications (in this case instant messaging messages) from my users..


How is this properly avoided?


Accepted answer by ralight

Mosquitto provides security through username and password authentication as well as limiting access to topics with access control lists. There are details in the mosquitto.conf man page: http://mosquitto.org/man/mosquitto-conf-5.html

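The accepted answer's approach, as an added example that is not from the original post or from Mosquitto's own code: a constructed ACL file in Mosquitto's `acl_file` syntax, plus a small Python model of the documented matching rules (`user`/`topic` entries, `pattern` entries with `%u`/`%c` substitution, MQTT `+`/`#` wildcards) used to check which client may read or write which topic. The usernames `deviceA`, `deviceB`, `servlet` and the file paths are assumptions.

```python
# Constructed mosquitto.conf fragment (assumed paths):
#   allow_anonymous false
#   password_file /etc/mosquitto/passwd
#   acl_file /etc/mosquitto/acl
# Constructed contents of /etc/mosquitto/acl. Each Android client logs in
# with its own device id as username, so %u expands to that device id.
ACL_FILE = """
# The servlet may publish to every device's topic but reads nothing.
user servlet
topic write +/myAppName

# Every authenticated client may read only <its own username>/myAppName.
pattern read %u/myAppName
"""

def topic_matches(filter_, topic):
    """MQTT topic-filter matching: + matches one level, # the remainder."""
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return True
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)

def parse_acl(text):
    """Return ({username: [(access, filter)]}, [(access, pattern)])."""
    users, patterns, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # comments start the line
            continue
        kind, rest = line.split(None, 1)
        if kind == "user":
            current = rest
            users.setdefault(current, [])
            continue
        parts = rest.split(None, 1)            # "read <topic>" or "<topic>"
        access, filt = parts if len(parts) == 2 else ("readwrite", parts[0])
        (users.setdefault(current, []) if kind == "topic" else patterns).append((access, filt))
    return users, patterns

def allowed(acl, username, client_id, action, topic):
    """action is 'read' (subscribe/deliver) or 'write' (publish)."""
    users, patterns = acl
    rules = list(users.get(username, []))
    rules += [(a, f.replace("%u", username).replace("%c", client_id)) for a, f in patterns]
    return any(a in (action, "readwrite") and topic_matches(f, topic) for a, f in rules)

ACL = parse_acl(ACL_FILE)
if __name__ == "__main__":
    print(allowed(ACL, "deviceA", "deviceA", "read", "deviceA/myAppName"))  # own topic: allowed
    print(allowed(ACL, "deviceB", "deviceB", "read", "deviceA/myAppName"))  # another device: denied
```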

Answer by achuth

ACL is what restricts clients subscribing to topics. I am using an auth-plugin to do so; here is the link: mosquitto auth plugin


Answer by Andy Piper

In general, MQTT keeps security very "light" as it was originally designed for use with closed sensor networks. It is down to the broker implementation to provide e.g. SSL and decide how to handle the username/password backend.


Encryption of message data is unlikely to ever be provided by the protocol itself and is something that is typically done at the application layer if this is critical.


Answer by Christian Götz

If you need a more custom way of handling access control and permission of topics, try using the HiveMQ MQTT broker. As explained in the documentation, you can implement your own behaviour with a plugin. This approach allows you to completely decide how the authentication and authorization of clients, publishes and subscribes is handled [1]. If you are interested, the best way to start with your own plugin is described here [2].


By the way, it is also very easy to configure TLS for HiveMQ [3].


Christian (HiveMQ Team)


[1] http://www.hivemq.com/docs/plugins/1.5.0/#auth-permission-chapter


[2] http://www.hivemq.com/documentations/getting-started-plugins/


[3] http://www.hivemq.com/docs/hivemq/1.5.0/#hivemqdocs_ssl_tls
