1 Reply Latest reply on Jan 10, 2006 9:22 AM by nuno oliveira

    https through load balancer breaks declarative security

    nuno oliveira Newbie


      My desired setup is for a Jboss cluster serving requests behind a load balancer. Also I intend to use declarative security on the deployed units and have ssl client side authentication.

      I need someone to please confirm/deny the following statements:

      1) ssl has to be negotiated by the load balancer, whether hardware or software based (apache with mod_proxy/mod_jk).

      2) if using apache with mod_jk it is possible to configure it to send the client side authentication details (certificate) in such a way that jboss may enforce declarative authorization as if it had done the authentication itself. This also means that the programatic means to get the authenticated user identity described in the ejb and servlet specs will still work.

      3) there is no hardware load balancer that supports the behavior described in 2), which means that with a hardware load balancer it is impossible to use declarative authorizations

      After a whole lot testing and digging up for info myself, I'm quite desperate to solve this question, so if someone could help me I would be most thankfull.