1 Reply Latest reply on Jan 10, 2006 9:22 AM by new4jboss

    https through load balancer breaks declarative security

    new4jboss

      Hello,

      My desired setup is for a JBoss cluster serving requests behind a load balancer. Also, I intend to use declarative security on the deployed units and have SSL client-side authentication.

      I need someone to please confirm/deny the following statements:

      1) SSL has to be negotiated by the load balancer, whether hardware or software based (Apache with mod_proxy/mod_jk).

      2) If using Apache with mod_jk, it is possible to configure it to send the client-side authentication details (certificate) in such a way that JBoss may enforce declarative authorization as if it had done the authentication itself. This also means that the programmatic means to get the authenticated user identity described in the EJB and servlet specs will still work.

      3) There is no hardware load balancer that supports the behavior described in 2), which means that with a hardware load balancer it is impossible to use declarative authorizations.

      After a whole lot of testing and digging up info myself, I'm quite desperate to solve this question, so if someone could help me I would be most thankful.

      Nuno