
How to restrict SignalR server connections?

I have a SignalR app hosted in a Windows service (using OWIN & Katana for self-hosting), and it's listening on mydomain.com:8080.

On the same server, I also have an MVC application which is basically a website that connects to my SignalR hub which I mentioned above.

I want to restrict access to my SignalR app only to my MVC application. I've searched the internet but didn't come across an example of this.

Is it possible to achieve this? How can I find out whether the connection is coming from my MVC app or from another app? Do I need to implement authorization for my own MVC application to be able to connect to my SignalR application?

Right now, everyone on the internet can access the mydomain.com:8080/signalr endpoint, which basically means a competitor can code a client that connects to my SignalR hub and use it. What are the options to prevent this scenario?

P.S.: Please ask for more information if you need it, instead of just marking the post as "non constructive", because I don't know how this question can be asked more "constructively".

asked Apr 29 '14 23:04

Tequilalime



1 Answer

I believe I have a working example. It's quick and dirty, but it should do the job, and you should be able to expand it so it fits your needs better:

I created a class that inherits from Microsoft.AspNet.SignalR.AuthorizeAttribute and overrode the AuthorizeHubConnection method:

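using System;
using Microsoft.AspNet.SignalR;
using Microsoft.AspNet.SignalR.Hubs;

[AttributeUsage(AttributeTargets.Class, Inherited = false, AllowMultiple = false)]
public class CustomAuthorize : AuthorizeAttribute
{
    public override bool AuthorizeHubConnection(HubDescriptor hubDescriptor, IRequest request)
    {
        // The Referer header may be missing or malformed; refuse the connection in that case
        string referer = request.Headers["Referer"];
        Uri refererUri;
        if (!Uri.TryCreate(referer, UriKind.Absolute, out refererUri))
        {
            return false;
        }

        // Allow the connection only when the Referer's authority (host:port) matches the hard-coded one
        return refererUri.Authority == "mydomain.com:8080";
    }
}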

All it does is check the Referer header's host/authority against a hard-coded one and return true if they match.

You can then use it like this:

[CustomAuthorize]
public class ChatHub : Hub
{
    //Hub code here...
}

If CustomAuthorize returns false, the request will stop there. The hub's OnConnected() will not be triggered.

answered Sep 25 '22 15:09

Tobias
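
Added example, not part of the answer above or of the SignalR project: because the Referer header is supplied by the connecting client, the same attribute pattern can instead verify a short-lived HMAC token that the MVC application issues to its own pages. `ConnectionToken`, `TokenAuthorize`, the `token` query-string key and the shared key loaded at startup are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNet.SignalR;
using Microsoft.AspNet.SignalR.Hubs;

// Hypothetical helper shared by the MVC app (Issue) and the SignalR service (IsValid).
public static class ConnectionToken
{
    // Assumption: both processes set this at startup from protected configuration.
    public static byte[] Key;
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    static long ToUnix(DateTime utc) { return (long)(utc - Epoch).TotalSeconds; }

    static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // MVC side: token format is "<expiryUnixSeconds>.<hex HMAC of the expiry>".
    public static string Issue(TimeSpan lifetime)
    {
        string expires = ToUnix(DateTime.UtcNow.Add(lifetime)).ToString();
        return expires + "." + Sign(expires);
    }

    // Hub side: reject missing, malformed, expired or forged tokens.
    public static bool IsValid(string token)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        long expires;
        if (parts.Length != 2 || !long.TryParse(parts[0], out expires)) return false;
        if (expires < ToUnix(DateTime.UtcNow)) return false;
        string expected = Sign(parts[0]);
        int diff = expected.Length ^ parts[1].Length;   // compare without early exit
        for (int i = 0; i < expected.Length && i < parts[1].Length; i++) diff |= expected[i] ^ parts[1][i];
        return diff == 0;
    }
}

[AttributeUsage(AttributeTargets.Class, Inherited = false, AllowMultiple = false)]
public class TokenAuthorize : AuthorizeAttribute
{
    public override bool AuthorizeHubConnection(HubDescriptor hubDescriptor, IRequest request)
    {
        // The JS client sets this before start(): $.connection.hub.qs = { token: "<issued value>" };
        return ConnectionToken.IsValid(request.QueryString["token"]);
    }
}
```

The MVC view would render `ConnectionToken.Issue(TimeSpan.FromMinutes(5))` into the page only for users it has already authenticated, so a client that never loaded the site has no valid token to present.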