6 Replies Latest reply on Oct 29, 2007 9:41 AM by Brendan Sibre

    Using JAAS Authentication with SSL

    Brendan Sibre Newbie

      (Second time posting... the first one seems to have been lost)

      I'm using JBAS 4.2.1 and JBM 1.4.0.GA.

      I've configured the sslbisocket transport. My clients all have SSL certificates and I would like to use their certificate to authenticate them via my custom login module (which has been tested and works with EJBs, Tomcat, etc).

      I want JBM to use the principal created by the SSL connection for the getConnection() so that I do not need to pass a username and password.

      Looking at how the other invokers are configured, it appears that I'll need a SecurityInterceptor for the sslbisocket invoker to create a Subject from the SSL connection and then configure JBM to use a CallerIdentityLoginModule to use the already-established subject.

      However, I'm not sure how to put the interceptor around the jboss.remoting:service=invoker,transport=sslbisocket... as I'm not sure where that is configured.

      Other services seem to be configured in standardjboss.xml and jboss.xml so I'm wondering where I could do this - or if I need to modify some code to be pointed in the right direction.

      Also, I'd like Message Driven Beans to be able to be configured without a username and password. To accomplish this I think I'll need to configure the JmsXA resource adapter with ConfiguredIdentityLoginModule. Some confirmation of this would be appreciated.