1 Reply Latest reply on Oct 15, 2001 5:33 AM by Konstantin

    jboss and digital signature

    Roman Kunert Newbie

      Hello,

      I wonder if it was possible to combine the security that comes with the use of a smart card with the security infrastructure of jboss. Say I wanted to grant access to beans or interfaces only to those users who do provide a signed certificate that comes from their cards. Are there any design guidelines or implementations out there,

      Thanks for your your help.

        • 1. You could do following way (+)
          Konstantin Newbie

          Your user name is principal. His credential is his smartcard with signature ( am I right? )

          Security checking in Jboss has 2 phases:
          authentication ( caller is person who it pretends
          to be, and provided valiud credentials ( smart card ) for his principal )

          So your login module on server side has to verify
          correctness of his signature.

          Second phase is authorization - it's checked whether
          given user has certain roles required to perform
          action.

          Most common way on the client side is to just store away principal ( username ) and credential[s] ( signature from the smart card ) provided by user and
          pass them to backendon every bean invocation
          ( this is implemented in ClientLoginModule )

          Conclusion:
          you will need means on the client side to obtain username and signature from the smartcard,
          and login module on the server side which performs
          checking of those and also role-mapping.