6 Replies Latest reply on Mar 9, 2004 3:15 PM by martin0

    jaas auth and keystore

    martin0

      I want somewhere to store secret keys securely - presumably keystore is the place.

I want the secret keys to be associated with individual users - I can identify the users through a Principal (previously authenticated).

Is it possible to generate and retrieve secret keys in the keystore under the identity of the logged in principal?

I am hoping access to the keystore can be configured in a similar way to how access to datasources can be configured based on security domain.

      This idea is a bit fuzzy, but am I thinking along the right line?

      Scott? anyone?

      Thanks
      Martin

        • 1. Re: jaas auth and keystore
          martin0

          To clarify this a bit more - is it possible to define the connection to a keystore with JCA?

          • 2. Re: jaas auth and keystore
            starksm64

            If you write the jca adaptor you can. We have no jca adaptor which performs this function.

            • 3. Re: jaas auth and keystore
              martin0

              The problem I see is that the keystore API doesn't deal with principals. Am I missing something? I can't believe this is a unique problem.

              Thanks again
              Martin

              • 4. Re: jaas auth and keystore
                starksm64

                The keystore deals with string aliases. Using the Principal.getName() as the alias in the keystore solves this.

                • 5. Re: jaas auth and keystore
                  martin0

Sorry - when I said Principal, I was referring to it as an authenticated entity, thus negating the need for a password in the Keystore.getKey() method.

However, I'm starting to think it's not such a good idea anyway, because all someone would have to do to get a key from the store would be to do a simple authentication module: produce the Principal and steal the key from the store.

I wonder what the standard solution to this problem is - I want JAAS auth because I thought it was the "blessed" solution from Sun et al, but I'm still stuck with other passwords for PBE or secret key access... frustrating.

All the technical stuff I've read seems to avoid this issue. It's no good embedding passwords in Java classes as they can be extracted with decompilation.

                  Is it secure to pass at least singular passwords into JBoss as a system property?

                  ???
                  Martin

                  • 6. Re: jaas auth and keystore
                    martin0

I suppose a "signed" Principal would be good - signed by the login module, and the keystore has the public key of the login module, but then I'm back to the problem of securing the login module's private key. Plus the container would have to understand the "signed" Principal, so that idea doesn't fly :-(
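Worked example (added here; not code from the thread or from JBoss) of what replies 4 and 5 describe: per-user secret keys held in a JCEKS keystore under the alias Principal.getName(), where reading an entry also requires a per-entry password, so merely producing a Principal does not unlock the key. The class name, the constructed principal "alice" and the passwords are made up for illustration.

```java
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.UnrecoverableEntryException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class PerUserKeyStore {
    private final KeyStore ks;

    public PerUserKeyStore(char[] storePassword) throws Exception {
        ks = KeyStore.getInstance("JCEKS"); // JKS cannot hold SecretKey entries (PKCS12 also works on modern JDKs)
        ks.load(null, storePassword);      // null stream = start with an empty keystore
    }

    // Generate an AES key and store it under the principal's name as the alias,
    // protected by a per-entry password that is separate from the store password.
    public void createKeyFor(Principal user, char[] entryPassword) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        ks.setEntry(user.getName(), new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(entryPassword));
    }

    // Retrieval needs both the alias (from the Principal) and the entry password;
    // a caller that can only forge a Principal cannot unwrap the key.
    public SecretKey keyFor(Principal user, char[] entryPassword) throws Exception {
        KeyStore.Entry e = ks.getEntry(user.getName(), new KeyStore.PasswordProtection(entryPassword));
        if (!(e instanceof KeyStore.SecretKeyEntry)) return null; // unknown alias or not a secret key
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }

    public void save(OutputStream out, char[] storePassword) throws Exception {
        ks.store(out, storePassword);
    }

    public static void main(String[] args) throws Exception {
        Principal alice = () -> "alice"; // constructed principal, standing in for the JAAS-authenticated one
        PerUserKeyStore store = new PerUserKeyStore("store-pw".toCharArray());
        store.createKeyFor(alice, "alice-entry-pw".toCharArray());
        System.out.println("key for alice: " + store.keyFor(alice, "alice-entry-pw".toCharArray()).getAlgorithm());
        try {
            store.keyFor(alice, "wrong-pw".toCharArray());
        } catch (UnrecoverableEntryException ex) {
            System.out.println("wrong entry password rejected: " + ex.getClass().getSimpleName());
        }
    }
}
```

The per-entry password is the piece the thread was stuck on: it has to come from somewhere other than the Principal itself (for instance derived from the user's own credential at login time), otherwise any login module that emits the right name can read the key.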