Security of publish/subscribe-based processes and workflows is to be examined on several levels:
On successful authentication, access permissions are checked to confirm whether a particular endpoint may publish messages to a given topic or receive messages from it
Authorization is based on patterns - for each endpoint a list of patterns can be created, each pattern potentially resolving at run-time to one or more topics, e.g. /customer/*/new may point to any number of topics whose names match it
Access is checked each time an endpoint tries to publish messages or receive them
For subscriptions, patterns are resolved when a message is published. That is, at the moment of publication all subscribers whose subscription patterns match the name of the topic the message is published to are taken into account, and only these subscribers receive the message.
In accordance with the overall architecture of the platform, there are no default passwords or secrets - everything is always automatically generated and set to random values (UUID4)
/zato/demo/sample is a demo topic created for illustration purposes
zato.pubsub.demo.endpoint is created to make it easy to access the demo /zato/demo/sample topic. This endpoint has access to that one topic only.
zato.pubsub.default.internal.endpoint is created - this is used internally by Zato. The endpoint has full access to all topics.
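As an added illustration (example code written for this page, not Zato's own implementation), the toy broker below models the behaviour described above: an endpoint is authenticated against a secret that is a random UUID4 with no default, its publish and receive permissions are lists of topic patterns checked at every publish and every delivery, and subscription patterns are resolved against the concrete topic name only at the moment a message is published. It assumes fnmatch-style wildcards and adds a hypothetical crm.endpoint; the demo and internal endpoints mirror the objects listed above, but Zato's real pattern syntax and object model differ.

```python
"""Toy model of pattern-based pub/sub authorization. Illustration only."""
import fnmatch
import hmac
import uuid
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    """An endpoint with the topic patterns it may publish to and receive from.

    Wildcards use fnmatch semantics here; that is an assumption of this
    example, not necessarily what Zato does."""
    name: str
    pub_patterns: list
    sub_patterns: list
    # No default secret: every endpoint gets a fresh random UUID4 at creation.
    secret: str = field(default_factory=lambda: str(uuid.uuid4()))


class Broker:
    def __init__(self):
        self.endpoints = {}      # name -> Endpoint
        self.subscriptions = []  # (endpoint name, subscription pattern)
        self.delivered = {}      # endpoint name -> list of (topic, message)

    def create_endpoint(self, name, pub_patterns=(), sub_patterns=()):
        ep = Endpoint(name, list(pub_patterns), list(sub_patterns))
        self.endpoints[name] = ep
        self.delivered[name] = []
        return ep

    def authenticate(self, name, secret):
        """Return the endpoint if the secret matches, else None (constant-time compare)."""
        ep = self.endpoints.get(name)
        if ep is None or not hmac.compare_digest(ep.secret, secret):
            return None
        return ep

    @staticmethod
    def _allowed(patterns, topic):
        # A pattern list grants access to every topic name it matches at run-time.
        return any(fnmatch.fnmatchcase(topic, p) for p in patterns)

    def subscribe(self, ep, pattern):
        # Only recorded here; resolved against real topic names at publish time.
        self.subscriptions.append((ep.name, pattern))

    def publish(self, ep, topic, message):
        """Publish on behalf of `ep`; return the names of endpoints that received it."""
        # Check 1: may this endpoint publish to this topic at all?
        if not self._allowed(ep.pub_patterns, topic):
            raise PermissionError(f"{ep.name} may not publish to {topic}")
        receivers = []
        for sub_name, sub_pattern in self.subscriptions:
            # Resolve the subscription pattern against the topic being published to.
            if not fnmatch.fnmatchcase(topic, sub_pattern):
                continue
            subscriber = self.endpoints[sub_name]
            # Check 2: may the subscriber receive from this topic? Skip it otherwise.
            if not self._allowed(subscriber.sub_patterns, topic):
                continue
            self.delivered[sub_name].append((topic, message))
            receivers.append(sub_name)
        return receivers


def demo():
    """Constructed scenario: the two endpoints from the text plus a hypothetical one."""
    broker = Broker()
    # Internal endpoint: full access to all topics.
    internal = broker.create_endpoint("zato.pubsub.default.internal.endpoint", ["*"], ["*"])
    # Demo endpoint: access to the one demo topic only.
    demo_ep = broker.create_endpoint("zato.pubsub.demo.endpoint",
                                     ["/zato/demo/sample"], ["/zato/demo/sample"])
    # Hypothetical endpoint (not from the page) allowed to receive from the text's pattern.
    crm = broker.create_endpoint("crm.endpoint", [], ["/customer/*/new"])
    broker.subscribe(crm, "/customer/*/new")
    broker.subscribe(demo_ep, "/zato/demo/sample")
    broker.subscribe(demo_ep, "/customer/*/new")  # recorded, but never deliverable

    results = {}
    results["customer_new"] = broker.publish(internal, "/customer/42/new", "new customer")
    results["demo_sample"] = broker.publish(internal, "/zato/demo/sample", "hello")
    try:
        broker.publish(demo_ep, "/customer/42/new", "forged")
        results["demo_forged"] = "allowed"
    except PermissionError:
        results["demo_forged"] = "denied"
    results["wrong_secret"] = broker.authenticate(demo_ep.name, "not-the-secret") is None
    results["right_secret"] = broker.authenticate(demo_ep.name, demo_ep.secret) is demo_ep
    return results


if __name__ == "__main__":
    print(demo())
```

The third subscription shows why the receive-time check matters: the demo endpoint can register an interest in /customer/*/new, but because its own pattern list covers only /zato/demo/sample, messages published to /customer/42/new are never delivered to it.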
Users with credentials to web-admin can manage all pub/sub objects, including the ability to browse messages, delete them or publish new ones
Users with SSH access to Zato servers are able to access all pub/sub objects for any purpose