Question
I'm developing a messaging app using MQTT, after moving off GCM due to multiple failures.
I have a server broker online, and a client connecting and subscribing to it, and receiving messages of subscribed topics.
Now I'm thinking about what to subscribe to and what message to send. I have a server for the GCM implementation (user id, google key); I think I don't need that anymore? I thought about subscribing to the broker with the user ID, and if user B wants to send a message to user A, then B publishes a message to user A's ID topic... but with that kind of implementation, anyone could "sniff" conversations by subscribing to random IDs.
So, I have a working MQTT server and client, and I don't know how to correctly use them for a messaging app...
I could think about it, but I suspect this would be a well known problem with an already known solution...
Thank you very much!
Answer 1:
I think that the key to the solution is the choice of a proper addressing scheme and the configuration of ACLs. I will try to summarize the requirements first:
- User A (receiver) should be able to see all messages directed to it from anybody
- User B (sender) should be able to send messages to anybody
Let's assume that you use the following topic structure: /messages/{targetUserId}. Let's also assume, for the sake of staying focused, that you can identify the user on the broker side based on either credentials or a certificate. Please let me know if this is not the case.
You could create ACL rules in mosquitto to allow the user with targetUserId to read from the /messages/{targetUserId} topic. See the mosquitto.conf documentation for the details of the rule definition format. The first requirement will be fulfilled.
You would need another ACL rule to allow everybody to write to the /messages/# address. This would fulfill the second requirement.
As a result users would be able to send messages to anybody but won't be allowed to subscribe to someone else's messages.
However, static creation of all possible rules for all users might not be practical unless you have a set of predefined ones. Instead, implement your own authentication plugin and configure it in mosquitto.conf via the auth_plugin setting. Or use the flexible mosquitto-auth-plug. This blog post provides basic details on how to configure and use it.
Source: https://stackoverflow.com/questions/31525762/advice-on-mqtt-messaging-implementation