1
votes

I am writing a chat application for Android. I want to use Redis in my backend, so that with publish, I can send a message to all clients connected to the server and subscribe on the client side to listen in on the server.

I want to know if there's anything wrong with this? Also, I found out a client can execute commands while it is subscribed to a channel; is there a way to get around this so that, should a mobile client subscribe to receive messages, it can still use publish to send messages out?

Thanks

2
Don't expose Redis on a public network; hide it behind your middle tier and expose a web services layer to your mobile apps instead. - raffian
Thanks, it's becoming clearer to me - SamAko

2 Answers

2
votes

I want to know if there's anything wrong with this?

As long as your backend consists of some server-side technology which will process requests from clients, and Redis is abstracted from these clients, then it's OK. It should be the server side, and not Redis itself, that faces the clients.

2
votes

There are many security concerns with exposing Redis directly to the internet. Many of them are described on the Redis site itself. They can be summarized as:

  1. Redis is designed to be accessed by trusted clients inside trusted environments
  2. Failing to protect the Redis port from the outside can have a big security impact because of the nature of Redis. For instance, a single FLUSHALL command can be used by an external attacker to delete the whole data set
  3. Redis does not try to implement Access Control, it provides a tiny layer of authentication that is optionally turned on
  4. Redis is very fast at serving queries. Many passwords per second can be tested by an external client
  5. Redis does not support encryption

All these sentences are direct citations of the Redis site, which describes other kinds of attacks, too.
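The middle-tier layout both answers recommend, and the question's "can't publish while subscribed" problem, as an added example (my code, not from this thread): the relay holds one connection reserved for PUBLISH and a second one that stays in SUBSCRIBE mode, validates client input before it ever becomes a Redis command, and keeps Redis reachable only from the server. `MemoryBroker`/`MemoryPubSub` are a constructed in-process stand-in so the block runs offline; they mimic the `publish()`, `pubsub()`, `subscribe()` and `get_message()` shapes of redis-py, so a real `redis.Redis(...)` can be passed to `ChatRelay` instead. The channel name and size limit are assumptions.

```python
import json
from collections import defaultdict, deque

CHANNEL = "chat:lobby"   # hypothetical channel name
MAX_LEN = 2000           # hypothetical per-message size limit enforced server-side


class MemoryBroker:
    """Constructed stand-in for redis.Redis so the relay runs offline."""
    def __init__(self):
        self.queues = defaultdict(list)   # channel -> inboxes of subscribed connections

    def publish(self, channel, data):
        for inbox in self.queues[channel]:
            inbox.append({"type": "message", "channel": channel, "data": data})
        return len(self.queues[channel])  # like Redis: number of receiving clients

    def pubsub(self):
        return MemoryPubSub(self)


class MemoryPubSub:
    """Stand-in for a connection in SUBSCRIBE mode. It has no publish() on purpose:
    a subscribed Redis connection accepts only (P|S)SUBSCRIBE/UNSUBSCRIBE/PING/QUIT,
    which is why the relay publishes over a separate connection."""
    def __init__(self, broker):
        self.broker, self.inbox = broker, deque()

    def subscribe(self, channel):
        self.broker.queues[channel].append(self.inbox)

    def get_message(self, ignore_subscribe_messages=False, timeout=0):
        return self.inbox.popleft() if self.inbox else None


class ChatRelay:
    """Middle tier: mobile clients talk to this over the app's own API, never to Redis."""
    def __init__(self, client):
        self.pub = client            # connection reserved for PUBLISH
        self.sub = client.pubsub()   # second connection, permanently subscribed
        self.sub.subscribe(CHANNEL)

    def post(self, user_id, text):
        """Called after the web layer has authenticated user_id. The client supplies
        data, not commands, so it can cause a PUBLISH but never e.g. FLUSHALL."""
        if not isinstance(text, str) or not 0 < len(text) <= MAX_LEN:
            raise ValueError("rejected message")
        return self.pub.publish(CHANNEL, json.dumps({"from": user_id, "text": text}))

    def poll(self):
        """Drain the subscriber connection; the server pushes these to its own clients."""
        out = []
        while (msg := self.sub.get_message(ignore_subscribe_messages=True)) is not None:
            out.append(json.loads(msg["data"]))
        return out
```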