4 Replies Latest reply on Feb 10, 2005 4:12 AM by tcherel

    Is SSL encryption available for JAAS?

    paszti

      Hi Everybody,

      I use JAAS on both the client and the server side.

      In the client configuration there is a ClientLoginModule.
The server side uses a Krb5LoginModule that authenticates against Active Directory.

The Kerberos login module on the server uses a keytab for authentication and the client side doesn't send a password.
The ClientLoginModule simply binds the currently logged-in Windows user name as the principal.

My question is: how do I encrypt the user name?
Is SRP my only option, or is it possible to use SSL somehow?

I use version 3.2.3.

      Thanks in advance.

      Tibor

        • 1. Re: Is SSL encryption available for JAAS?
          starksm64

          Encryption needs to be enabled at the ejb (or whatever service) invocation transport level. This is not a JAAS configuration issue.

          • 2. Re: Is SSL encryption available for JAAS?
            tcherel

            Can you provide a little more detail on your JAAS configuration on both the client and server side?
I am just curious how it really works (in a secure way) if only the user name is sent from the client.

            Thanks.

            Thomas

            • 3. Re: Is SSL encryption available for JAAS?
              paszti

Thank you for your reply.

My client configuration:

              other {
               org.jboss.security.ClientLoginModule required;
              };


The CallbackHandler I use sets only the username; as the password it sends an empty char array.

Server configuration:

<application-policy name="example1">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="keyTab">C:/jboss-3.2.3/server/jaas_howto/conf/keytab.dat</module-option>
      <module-option name="useKeyTab">true</module-option>
      <module-option name="debug">true</module-option>
    </login-module>

    <login-module code="org.jboss.docs.jaas.howto.CustomLoginModule" flag="required"/>
    <!-- Setting up roles -->
  </authentication>
</application-policy>


The keytab was exported from the Active Directory. The keytab contains the user's password in encrypted form. JBoss is started with the
java.security.krb5.kdc
java.security.krb5.realm

parameters so it knows where to find the Active Directory.

              That's what I did.

The problem I'm facing now is how to send some proof from the client side to the server login modules that the user assigned in the ClientLoginModule really logged in to Windows before.

I tried JNI to determine the logged-in user name and domain in Windows.

              Another problem is how to provide transport layer security for JAAS communication.

              Tibor


              • 4. Re: Is SSL encryption available for JAAS?
                tcherel

                I understand now. Thanks for the details.
I never tried to implement it, but I think that the only way to do a fairly secure SSO mechanism between your client and server on Windows is to use something like Windows SSPI (see http://www.winterdom.com/dev/security/sspi.html) to implement a JAAS login module.
                The JAAS login module will probably have to work like the SRPLoginModule as the SSPI mandates a few roundtrips between the client and server during the authentication process.

                Thomas
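As an added illustration (not code from this thread, from JBoss, or from the SSPI page Thomas links) of what the "proof" Tibor asks for in reply 3 and the client/server roundtrips Thomas mentions in reply 4 look like when the Kerberos pieces already in the thread are used directly: the JDK's GSS-API (org.ietf.jgss) is the Java counterpart of the SSPI Kerberos exchange. The client logs in with its existing Windows ticket cache (no password typed, nothing but an encrypted Kerberos token leaves the client), the server validates the token with the long-term key from the AD keytab, and the principal the server trusts comes from the ticket the KDC issued rather than from a user name the client supplied. The JAAS entry names (ClientKrb, ServerKrb), the service principal, and the keytab path are placeholders; the example assumes a reachable KDC/Active Directory, a modern JDK (lambdas), and, for reading the Windows logon TGT from the LSA cache, the allowtgtsessionkey registry setting that the Sun/Oracle Krb5LoginModule documentation requires.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Assumed JAAS configuration file (pass it with -Djava.security.auth.login.config=...;
 * the realm and KDC come from the java.security.krb5.realm / java.security.krb5.kdc
 * properties already used in the thread). Entry names, principal and keytab path are
 * placeholders, not values from the original posts:
 *
 * ClientKrb { com.sun.security.auth.module.Krb5LoginModule required
 *     useTicketCache=true doNotPrompt=true; };
 * ServerKrb { com.sun.security.auth.module.Krb5LoginModule required
 *     useKeyTab=true storeKey=true isInitiator=false
 *     keyTab="C:/path/to/keytab.dat" principal="HTTP/server.example.com@EXAMPLE.COM"; };
 */
public class KerberosProofDemo {
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");

    private static Subject login(String entry) throws Exception {
        LoginContext lc = new LoginContext(entry);
        lc.login();
        return lc.getSubject();
    }

    /** Runs the two-leg Kerberos exchange and returns the client principal the server verified. */
    public static String authenticate(String servicePrincipal) throws Exception {
        Subject client = login("ClientKrb");   // Windows logon credentials, no password typed
        Subject server = login("ServerKrb");   // long-term key from the AD keytab
        GSSManager mgr = GSSManager.getInstance();

        GSSContext cctx = Subject.doAs(client, (PrivilegedExceptionAction<GSSContext>) () -> {
            GSSName peer = mgr.createName(servicePrincipal, GSSName.NT_USER_NAME);
            GSSContext c = mgr.createContext(peer, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            c.requestMutualAuth(true);  // client also wants proof it is talking to the real server
            return c;
        });
        GSSContext sctx = Subject.doAs(server,
                (PrivilegedExceptionAction<GSSContext>) () -> mgr.createContext((GSSCredential) null));

        // Leg 1, client -> server: an AP-REQ token (service ticket from the KDC plus an
        // authenticator). Only a holder of the user's TGT can produce it, so it is the proof
        // that the Windows logon really happened; the user name itself travels encrypted.
        byte[] toServer = Subject.doAs(client,
                (PrivilegedExceptionAction<byte[]>) () -> cctx.initSecContext(new byte[0], 0, 0));

        // Server decrypts the ticket with its keytab key; the identity is read from the ticket.
        byte[] toClient = Subject.doAs(server,
                (PrivilegedExceptionAction<byte[]>) () -> sctx.acceptSecContext(toServer, 0, toServer.length));
        if (!sctx.isEstablished()) {
            throw new SecurityException("server did not accept the client token");
        }

        // Leg 2, server -> client: the AP-REP completes mutual authentication.
        if (toClient != null) {
            Subject.doAs(client,
                    (PrivilegedExceptionAction<byte[]>) () -> cctx.initSecContext(toClient, 0, toClient.length));
        }
        if (!cctx.isEstablished() || !cctx.getMutualAuthState()) {
            throw new SecurityException("server did not prove its identity to the client");
        }

        String verifiedUser = sctx.getSrcName().toString();  // e.g. "tibor@EXAMPLE.COM"
        cctx.dispose();
        sctx.dispose();
        return verifiedUser;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder service principal; it must match the keytab entry used by ServerKrb.
        System.out.println("verified client principal: " + authenticate("HTTP/server.example.com@EXAMPLE.COM"));
    }
}
```

In a real deployment the two byte arrays are what crosses the wire inside the invocation transport; the server-side accept would live in a custom login module that takes the token through a callback, and the transport itself still needs SSL (as starksm64 notes) if anything beyond the authentication exchange has to be confidential.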