3 Replies Latest reply on Apr 13, 2006 8:17 PM by amdonov

    Client Cert EJB

    amdonov

      I'm moving from a webapp using client-cert authentication to a thick client. I need to continue using certificates for authentication. All work is performed in EJBs, and I was considering a couple of different approaches.

      1. Enable RMI+SSL for EJBs and subclass RMISSLClientSocketFactory and RMISSLServerSocketFactory to provide/require client certificates. Will the certificate be available to a JAAS CallbackHandler for authentication?

      2. Copy the SRP stuff where possible, but use certificates.

      Is either one of these feasible or should I pursue something else?
      Any advice is appreciated.

        • 1. Re: Client Cert EJB
          starksm64

          You need to use the PooledInvoker enhancements in 4.0.4RC1 to have access to the client cert for security decisions in the ejb container.

          SRP could be used to create a similar custom ssl type of arrangement as well. Since this is on top of the transport layer it can be integrated with any of the existing detached invokers.

          • 2. Re: Client Cert EJB
            amdonov

            I finally got approval from the client.

            I checked out the PooledInvoker, and I think I will try that approach. Other than providing custom socket factories, do I need to do anything special for a server side login module to access the client cert as a credential?
            What kind of configuration would be required on the client?
            Will the ClientLoginModule still be necessary?

            Thanks,
            Aaron
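The two mechanics the thread turns on, requiring (not merely requesting) a client certificate on the server-side SSL socket and then letting a JAAS login module validate that certificate as the credential, look like this in plain JSSE/JAAS. This is an added example, not code from the thread or from JBoss; it deliberately does not touch the JBoss-specific invoker and socket-factory classes mentioned above. Assumptions: the `CertificateCallback` class is hypothetical (JBoss used its own callback type to pass the credential), the `truststore` and `truststorePassword` option names are invented for the example, and revocation checking is switched off so it runs without CRL/OCSP access.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.ServerSocket;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Hypothetical callback (assumption, not a JBoss class) carrying the peer chain to the login module. */
final class CertificateCallback implements Callback {
    X509Certificate[] chain;
}

/** Server-side factory that makes the handshake fail unless the client presents a certificate. */
final class ClientAuthServerSocketFactory {
    private final SSLContext ctx;

    ClientAuthServerSocketFactory(SSLContext ctx) { this.ctx = ctx; }

    public ServerSocket createServerSocket(int port) throws IOException {
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        ss.setNeedClientAuth(true); // "need", not "want": a client without a cert is rejected at handshake
        return ss;
    }

    /** After the handshake the verified peer chain is on the session; no cert means an exception, never null. */
    static X509Certificate[] peerChain(SSLSocket s) throws IOException {
        s.startHandshake();
        java.security.cert.Certificate[] certs = s.getSession().getPeerCertificates();
        return Arrays.copyOf(certs, certs.length, X509Certificate[].class);
    }
}

/** JAAS login module whose credential is an X.509 chain; it is validated PKIX-style against a truststore. */
public final class ClientCertLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private X500Principal principal;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.options = options;
    }

    public boolean login() throws LoginException {
        CertificateCallback cb = new CertificateCallback();
        try {
            handler.handle(new Callback[] { cb });
        } catch (Exception e) {
            throw new LoginException("certificate callback not supported: " + e);
        }
        if (cb.chain == null || cb.chain.length == 0) {
            throw new LoginException("no client certificate presented");
        }
        try {
            // Trust anchors come from a JKS truststore named by the (invented) module options.
            KeyStore ts = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream((String) options.get("truststore"))) {
                ts.load(in, ((String) options.get("truststorePassword")).toCharArray());
            }
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(cb.chain));
            PKIXParameters params = new PKIXParameters(ts);
            params.setRevocationEnabled(false); // assumption for the example; enable CRL/OCSP in production
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (Exception e) {
            throw new LoginException("client certificate rejected: " + e);
        }
        // Identity is the end-entity subject, not anything the client typed.
        principal = cb.chain[0].getSubjectX500Principal();
        return true;
    }

    public boolean commit() {
        if (principal == null) return false;
        subject.getPrincipals().add(principal);
        return true;
    }

    public boolean abort() { principal = null; return true; }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }
}
```

The point the example makes is that the transport already verified the chain against the server's trust manager during the handshake; the login module re-validates it against the authentication truststore so that "who may connect over SSL" and "who is a valid EJB caller" can be governed by different CA sets, and so that the principal is derived from the certificate subject rather than from any password-style credential.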

            • 3. Re: Client Cert EJB
              amdonov

              I found the answer in a similar thread

              http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3933179

              Thanks.