6 Replies Latest reply on Jan 13, 2010 12:04 PM by sguilhen

client authentication on a JRMP SSL connection; multiple key

ovidiu.feodorov Dec 8, 2009 3:02 PM

JBoss Security team,

I would like to start a discussion concerning several possible improvements in jbosssx; they came up while working with JBoss in an environment that has complex security requirements. While all functionality I am suggesting was implemented with custom code, outside jbosssx, I believe it makes sense to generalize it, so other people can take advantage of it.

The changes are related to supporting keystores containing multiple client and server key aliases at JBoss security domain configuration level, and also a way to declaratively enable client authentication at JBoss security domain configuration level, similarly to how client authentication is enabled for a Tomcat connector - I needed this in order to enable client authentication on a secure JRMP connection.

Please let me know if this is a good place to start the discussion.

For simplicity, I could split the thread in several sub-threads, one per each suggested functionality. In the end, if it is decided that the improvements are worth the trouble, I will create the JIRA issues and provide patches and tests. However, I would like to start the discussion here, first, because it is possible that the suggested functionality already exists, and I just simply missed it.

The discussion applies to 4.x series, but I will be more than happy to adapt the patches for 5.x and 6.x, if deemed appropriate.

Thanks,
Ovidiu

1. Re: client authentication on a JRMP SSL connection; multiple

anil.saldhana Dec 9, 2009 3:34 AM (in response to ovidiu.feodorov)

Ovidiu, you are welcome to use this forum to discuss the features and patches. We will certainly include good features and bug fixes in future releases.
Actions
2. Re: client authentication on a JRMP SSL connection; multiple

sguilhen Dec 9, 2009 12:46 PM (in response to ovidiu.feodorov)

Features that come up when working on the field are usually good stuff to include as they reflect the needs from the end users. I think your idea of splitting the discussion in several sub threads is really good because it will make the discussions more focused.
Actions
3. Re: client authentication on a JRMP SSL connection; multiple

ovidiu.feodorov Dec 29, 2009 10:29 PM (in response to anil.saldhana)

Please find below:

1. Client/Server Key Aliases at JBoss Security Domain Level
2. Option for Client Authentication at JBoss Security Domain Level
3. Configurable keyStoreProvider, trustStoreProvider, etc. at JaasSecurityDomain level
4. Support for External Credentials in LdapExtLoginModule

As mentioned on each individual issue, I have patches that have been tested and are ready to be applied, as soon as the Security team agrees that all (or some) of the above are good ideas. Please let me know, I am standing by.
Actions
4. Re: client authentication on a JRMP SSL connection; multiple

sguilhen Jan 6, 2010 1:23 PM (in response to ovidiu.feodorov)

I've posted a reply to each one of the threads. With the exception of the second thread (client auth option in JaasSecurityDomain) I think all the features are pretty useful and we should include them.
Actions
5. Re: client authentication on a JRMP SSL connection; multiple

ovidiu.feodorov Jan 12, 2010 10:59 PM (in response to sguilhen)

Great, thank you.

I'll create JIRA issues for 1. 3. and 4. You mentioned that I can commit directly. Where? (alternatively, I can attach patches, but committing directly it's a lot better).

As for 2, I'll continue the discussion on the thread.
Actions
6. Re: client authentication on a JRMP SSL connection; multiple

sguilhen Jan 13, 2010 12:04 PM (in response to ovidiu.feodorov)

Ovidiu, most of the code you'll be touching (org.jboss.security.ssl.*, JaasSecurityDomain) is located in the application server security module (trunk/security). However, the SecurityDomain interface is defined in the security-spi project, so the first thing we have to do is to apply all the needed changes to this interface and then cut a release of the security project. After that we can update the AS and perform the remaining changes.

Security-SPI svn:
http://svn.jboss.org/repos/jbossas/projects/security/security-spi/trunk

Let me know when you're done so I can cut the release for you.
Actions

Go to original post