websocket, knox-gateway

How to configure a websocket service in Apache Knox with basic authentication


I managed to configure a websocket service in Knox, which for test purposes is ws://echo.websocket.org.

Here are my configuration files:

service.xml

<service role="ECHOWS" name="echows" version="0.0.1">
  <policies>
        <policy role="webappsec"/>
        <policy role="authentication" name="Anonymous"/>
        <policy role="rewrite"/>
        <policy role="authorization"/>
  </policies>
  <routes>
    <route path="/echows">
        <rewrite apply="ECHOWS/echows/inbound" to="request.url"/>
    </route>
  </routes>
</service>

rewrite.xml

<rules>
  <rule dir="IN" name="ECHOWS/echows/inbound" pattern="*://*:*/**/echows">
    <rewrite template="{$serviceUrl[ECHOWS]}"/>
  </rule>
</rules>

{topology}.xml section:

<service>
    <role>ECHOWS</role>
    <url>ws://echo.websocket.org</url>
</service>

I can connect to it:

wscat -c wss://my-knox-server/gateway/default/echows
connected (press CTRL+C to quit)
> Hello Knox!
< Hello Knox!

But I'd like Knox to accept the connection only when proper credentials are given:

wscat --auth <username:password> -c wss://my-knox-server/gateway/default/echows

My Knox configuration for HTTP services works in such a way that I have to supply credentials, otherwise I get a 401:

curl -i https://my-knox-server/gateway/default/my_service/ping
HTTP/1.1 401 Unauthorized

curl -i -u '<user>:<password>' https://my-knox-server/gateway/default/my_service/ping
HTTP/1.1 200 OK

I'd like to achieve the same result with websockets.

[EDIT]

Moreover, I don't fully understand the above service.xml configuration for my websocket service, since it is different from the simplest possible configuration for an HTTP service I was able to use:

<service role="MY_APP" name="my_app" version="0.0.1">
    <routes>
        <route path="/my_app/**"/>
    </routes>
</service>

  1. Why do I need policies in the case of a websocket service, and what do they mean?
  2. Why does <routes>/<route> have a <rewrite> element, and what are its semantics? Does it correspond to <rule>/<rewrite> from rewrite.xml? What does request.url mean there?

Solution

  • Good question, unfortunately the Authentication and Authorization mechanism in Knox is based on Http servlet filters which won't be applicable for Websocket.

    One thing you can do is have a HTTP side that does the authentication and then opens up the websocket connection.

    If you want you can open up a JIRA for this enhancement.

    [EDIT]

    Answers to followup questions

    1. In the case of WebSockets, the policies have no meaning; they are artifacts from HTTP.
    2. Again the in rewrites can be explained better with HTTP context than with websocket. What they do is tell Knox when to apply the rewrite rule, i.e. request.url, request.body, response.url, response.body etc. Since rules are based on HTTP servlet filters, they are not used to rewrite websocket data. I believe there should be some JIRA lying around for that.
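
One way to implement the "HTTP side authenticates, then the websocket opens" approach from the answer, as an added example (not code from the original post or from Knox): an HTTP route behind Knox's normal authentication issues a short-lived, single-use HMAC ticket, and the websocket backend drops any connection whose first message is not a valid ticket. The function names, the ticket format, the 30-second lifetime and the shared key are assumptions made for this sketch.

```python
import base64, hashlib, hmac, secrets, time
from typing import Optional

# Constructed demo key (assumption): in practice, load a random key from a
# secret store shared by the HTTP ticket endpoint and the websocket backend.
SECRET = b"constructed-demo-key-not-for-production"
TTL_SECONDS = 30      # the ticket only has to live until the socket opens
_used_nonces = {}     # nonce -> expiry; enforces single use

def _mac(payload: str) -> str:
    digest = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def issue_ticket(user: str, now: Optional[float] = None) -> str:
    """Call from the HTTP route, i.e. only after Knox has authenticated `user`."""
    now = time.time() if now is None else now
    user_b64 = base64.urlsafe_b64encode(user.encode()).decode().rstrip("=")
    payload = f"{user_b64}.{int(now) + TTL_SECONDS}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_mac(payload)}"

def verify_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Websocket backend: check the first message; return the user or None."""
    now = time.time() if now is None else now
    parts = ticket.split(".")
    if not ticket.isascii() or len(parts) != 4:
        return None
    user_b64, expiry, nonce, mac = parts
    # Constant-time MAC check before any field of the ticket is trusted.
    if not hmac.compare_digest(_mac(f"{user_b64}.{expiry}.{nonce}"), mac):
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None
    # Forget nonces of expired tickets, then refuse a replayed one.
    for old in [n for n, exp in _used_nonces.items() if exp < now]:
        del _used_nonces[old]
    if nonce in _used_nonces:
        return None
    _used_nonces[nonce] = int(expiry)
    pad = "=" * (-len(user_b64) % 4)
    return base64.urlsafe_b64decode(user_b64 + pad).decode()
```

Sending the ticket as the first websocket message keeps it out of URLs and proxy access logs; the backend should close the socket if `verify_ticket` returns `None` or if no ticket arrives within a short timeout.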