1. Re: jaas auth and keystore
martin0 Mar 6, 2004 9:51 AM (in response to martin0)
To clarify this a bit more - is it possible to define the connection to a keystore with JCA?
2. Re: jaas auth and keystore
starksm64 Mar 7, 2004 10:25 AM (in response to martin0)
If you write the JCA adaptor you can. We have no JCA adaptor which performs this function.
3. Re: jaas auth and keystore
martin0 Mar 8, 2004 6:28 AM (in response to martin0)
The problem I see is that the keystore API doesn't deal with principals. Am I missing something? I can't believe this is a unique problem.
Thanks again
Martin
4. Re: jaas auth and keystore
starksm64 Mar 9, 2004 8:02 AM (in response to martin0)
The keystore deals with string aliases. Using the Principal.getName() as the alias in the keystore solves this.
5. Re: jaas auth and keystore
martin0 Mar 9, 2004 3:09 PM (in response to martin0)
Sorry - when I said Principal, I was referring to it as an authenticated entity, thus negating the need for a password in the Keystore.getKey() method.
However, I'm starting to think it's not such a good idea anyway, because all someone would have to do to get a key from the store would be to do a simple authentication module - produce the Principal and steal the key from the store.
I wonder what the standard solution to this problem is - I want JAAS auth because I thought it was the "blessed" solution from Sun et al, but I'm still stuck with other passwords for PBE or secret key access... frustrating.
All the technical stuff I've read seems to avoid this issue. It's no good embedding passwords in Java classes as they can be extracted with decompilation.
Is it secure to pass at least singular passwords into JBoss as a system property?
???
Martin
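As an added illustration of the two points above (starksm64's suggestion to use Principal.getName() as the alias, and Martin's concern that a Principal alone must not unlock a key), this is example code written for this thread, not code from the forum or from JBoss. It assumes a Java 8+ JDK with the PKCS12 keystore type; the principal name and entry password are constructed sample values.

```java
import java.security.KeyStore;
import java.security.Principal;
import java.security.UnrecoverableEntryException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.security.auth.x500.X500Principal;

// In-memory keystore whose entry alias is the authenticated Principal's name.
// The Principal only selects the entry; each entry keeps its own protection
// password, so a login module that merely mints a Principal cannot read the key.
public class PrincipalKeyedStore {
    private final KeyStore ks;

    public PrincipalKeyedStore() throws Exception {
        ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // empty in-memory store, no file backing
    }

    // Store a secret key under the principal's name, protected by an entry password.
    public void put(Principal p, SecretKey key, char[] entryPassword) throws Exception {
        ks.setEntry(p.getName(),
                    new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(entryPassword));
    }

    // Retrieve it: same alias, but the caller must still present the entry password.
    public SecretKey get(Principal p, char[] entryPassword) throws Exception {
        KeyStore.Entry e = ks.getEntry(p.getName(),
                                       new KeyStore.PasswordProtection(entryPassword));
        return e == null ? null : ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        SecretKey k = KeyGenerator.getInstance("AES").generateKey();
        Principal martin = new X500Principal("CN=martin0"); // constructed sample principal
        PrincipalKeyedStore store = new PrincipalKeyedStore();
        store.put(martin, k, "entry-pw".toCharArray());

        // Correct entry password: the key comes back.
        System.out.println("with password: " + (store.get(martin, "entry-pw".toCharArray()) != null));

        // Holding a Principal with the right name but the wrong entry password fails:
        // the keystore throws rather than handing over the key.
        try {
            store.get(martin, "wrong".toCharArray());
        } catch (UnrecoverableEntryException ex) {
            System.out.println("entry password still required: " + ex.getMessage());
        }
    }
}
```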
6. Re: jaas auth and keystore
martin0 Mar 9, 2004 3:15 PM (in response to martin0)
I suppose a "signed" Principal would be good - signed by the login module, and the keystore has the public key of the login module, but then I'm back to the problem of securing the login module's private key. Plus the container would have to understand the "signed" Principal, so that idea doesn't fly :-(