Authentication & Authorization With Lightstreamer

This short article will guide you through authentication and authorization in Lightstreamer and will introduce a live example with full source code.

Authentication

Most, if not all, Lightstreamer applications will, at some point, require some sort of authentication mechanism to validate their users. Moreover, there usually is an authentication mechanism already in place when Lightstreamer is introduced in the system.

So, let's see how to introduce Lightstreamer in an environment where Authentication is already handled by a Web/Application server.

Protecting Lightstreamer Against POODLE (SSLv3)

Google's researchers recently discovered a new vulnerability affecting the SSL protocol. POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption, allows an attacker (a man-in-the-middle) to decrypt ciphertext using a padding oracle side-channel attack. Full details are available in this Google paper.

POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3.0. It does not affect Transport Layer Security (TLS), the newer encryption mechanism.

Lightstreamer relies on the underlying Java Virtual Machine (JVM) for the implementation of the SSL and TLS encryption and cipher suites. While waiting for the availability of a JVM upgrade that avoids SSL 3.0 by default, we recommend configuring Lightstreamer Server to prevent the use of SSL 3.0 for all HTTPS and WSS connections.