1 Reply Latest reply on Apr 29, 2004 10:20 AM by starksm64

    RMI over HTTPS with client certificate authentication

    rolfarne

      What would be the best approach to support this scenario?

      Precondition: On the client side, the SecurityInterceptor is not part of the interceptor stack, because the principal and credentials of the SecurityAssociation are not relevant when doing client certificate authentication. This leaves the principal and credentials of the Invocation object with null values.

      If we move on to the server side, we could configure a login-config with CLIENT-CERT in the deployment descriptor for invoker.war. Then after a successful client login, JBossSecurityMgrRealm will set the principal and credentials (a certificate chain) of the SecurityAssociation. Now, one possible approach is to check in the InvokerServlet if the MarshalledInvocation has a null principal and credential. If so, and if the SecurityAssociation contains a principal and a credential, we could take the values from the SecurityAssociation and set the values on the MarshalledInvocation. Would that be an idea that is worth following?
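The fallback sketched in the post, written out as an added example that is not part of the thread or of JBoss itself. It assumes the JBoss 3.x API names used here (SecurityAssociation.getPrincipal()/getCredential(), Invocation.getPrincipal()/setPrincipal()/getCredential()/setCredential()) and adds the check a reviewer would want: only copy the container-established identity when the servlet container actually reports CLIENT-CERT authentication for this request, so an unauthenticated caller with an empty invocation never gets an identity filled in from a stale thread-local.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import org.jboss.invocation.MarshalledInvocation;
import org.jboss.security.SecurityAssociation;

/**
 * Added example (not JBoss code): populate a null principal/credential on an
 * incoming MarshalledInvocation from the SecurityAssociation that
 * JBossSecurityMgrRealm filled in after CLIENT-CERT authentication.
 * The JBoss method names below are assumed to match the 3.x API.
 */
public final class ClientCertInvocationFixup {

    private ClientCertInvocationFixup() {}

    /**
     * Returns true if the invocation was updated from the SecurityAssociation.
     * The copy happens only when the container itself authenticated the
     * request with CLIENT-CERT; otherwise the invocation is left untouched
     * and the later security checks will reject the null principal.
     */
    public static boolean applyContainerIdentity(HttpServletRequest request,
                                                 MarshalledInvocation invocation) {
        // Nothing to do when the client already supplied an identity.
        if (invocation.getPrincipal() != null || invocation.getCredential() != null) {
            return false;
        }
        // Defensive: trust the thread-local association only if the container
        // reports a CLIENT-CERT authenticated user for this very request.
        if (request.getUserPrincipal() == null
                || !HttpServletRequest.CLIENT_CERT_AUTH.equals(request.getAuthType())) {
            return false;
        }
        Principal principal = SecurityAssociation.getPrincipal();
        Object credential = SecurityAssociation.getCredential(); // certificate chain
        if (principal == null || credential == null) {
            return false;
        }
        invocation.setPrincipal(principal);
        invocation.setCredential(credential);
        return true;
    }
}
```

The InvokerServlet would call applyContainerIdentity(request, invocation) right after unmarshalling the invocation and before dispatching it to the target MBean.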