-
1. Re: Is SSL encryption available for JAAS?
starksm64 Feb 9, 2005 12:20 PM (in response to paszti)
Encryption needs to be enabled at the ejb (or whatever service) invocation transport level. This is not a JAAS configuration issue.
-
2. Re: Is SSL encryption available for JAAS?
tcherel Feb 9, 2005 3:14 PM (in response to paszti)
Can you provide a little more detail on your JAAS configuration on both the client and server side?
I am just curious about how it is really working (in a secure way) if only the user name is sent from the client.
Thanks.
Thomas
-
3. Re: Is SSL encryption available for JAAS?
paszti Feb 10, 2005 3:40 AM (in response to paszti)
Thank you for your reply.
My client configuration:

    other {
        org.jboss.security.ClientLoginModule required;
    };

The CallbackHandler I use sets only the username. As a password, it sends an empty char array.
Server configuration:

    <application-policy name="example1">
      <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
          <module-option name="keyTab">C:/jboss-3.2.3/server/jaas_howto/conf/keytab.dat</module-option>
          <module-option name="useKeyTab">true</module-option>
          <module-option name="debug">true</module-option>
        </login-module>
        <login-module code="org.jboss.docs.jaas.howto.CustomLoginModule" flag="required"/>
        <!-- Setting up roles -->
      </authentication>
    </application-policy>

The keytab was exported from the Active Directory. The keytab contains the user's password in an encrypted way. JBoss is started with the java.security.krb5.kdc and java.security.krb5.realm parameters to know where to find the Active Directory.
That's what I did.
The problem I'm facing now is how to send some proof from the client side to the server login modules that the user who is assigned in the ClientLoginModule really logged in to Windows before.
I tried JNI to determine the logged-in user name and domain in Windows.
Another problem is how to provide transport layer security for JAAS communication.
Tibor
-
4. Re: Is SSL encryption available for JAAS?
tcherel Feb 10, 2005 4:12 AM (in response to paszti)
I understand now. Thanks for the details.
I never tried to implement it, but I think that the only way to do a fairly secure SSO mechanism between your client and server on Windows is to use something like Windows SSPI (see http://www.winterdom.com/dev/security/sspi.html) to implement a JAAS login module.
The JAAS login module will probably have to work like the SRPLoginModule as the SSPI mandates a few roundtrips between the client and server during the authentication process.
Thomas
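
The round trips mentioned in the reply above, shown with Java's built-in GSS-API (org.ietf.jgss) Kerberos mechanism in place of SSPI; this is an added example, not code from the thread or from JBoss. It assumes a reachable KDC, Kerberos credentials for both sides available to the JVM, and a hypothetical service name `jboss@appserver.example.com`; both ends run in one process only to make the token exchange visible.

```java
import org.ietf.jgss.*;

public class GssRoundTrips {
    // Standard OID of the Kerberos v5 GSS-API mechanism.
    static final String KRB5_OID = "1.2.840.113554.1.2.2";

    /** Runs the token exchange and returns the client name the server authenticated. */
    static String handshake(GSSContext client, GSSContext server) throws GSSException {
        byte[] fromServer = new byte[0];
        while (!client.isEstablished() || !server.isEstablished()) {
            // Client leg: consume the server's last token, produce the next one.
            byte[] fromClient = client.initSecContext(fromServer, 0, fromServer.length);
            if (fromClient == null || fromClient.length == 0) {
                break; // client has nothing more to send
            }
            // Server leg: in a real deployment this token crosses the network,
            // for example inside a login module's own request/response messages.
            fromServer = server.acceptSecContext(fromClient, 0, fromClient.length);
            if (fromServer == null) {
                fromServer = new byte[0];
            }
        }
        if (!client.isEstablished() || !server.isEstablished()) {
            throw new GSSException(GSSException.FAILURE);
        }
        // The name comes from the verified ticket, not from a client-supplied string.
        return server.getSrcName().toString();
    }

    public static void main(String[] args) throws Exception {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_OID);
        // Hypothetical service name; it must match a principal in the server's keytab.
        GSSName service = mgr.createName("jboss@appserver.example.com",
                                         GSSName.NT_HOSTBASED_SERVICE);
        // null credential = use the default credentials of the current login.
        GSSContext client = mgr.createContext(service, krb5, null,
                                              GSSContext.DEFAULT_LIFETIME);
        client.requestMutualAuth(true); // server must prove its identity too
        GSSContext server = mgr.createContext((GSSCredential) null);
        try {
            System.out.println("Authenticated client: " + handshake(client, server));
        } finally {
            client.dispose();
            server.dispose();
        }
    }
}
```

With mutual authentication requested, the Kerberos exchange is one token from the client and one back from the server, so a login module built on it has to carry at least that extra round trip before it can commit.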