6 Replies Latest reply on Mar 9, 2004 3:15 PM by martin0

    jaas auth and keystore

    martin0 Novice

      I want somewhere to store secret keys securely - presumably keystore is the place.

      I want the secret keys to be associated with individual users - I can identify the users through with Principal (previously authenticated).

      Is it possible to generate and retreve secret keys in the keystore under the identity of the logged in principal?

      I am hoping access to keystore can be confgured in a similar way to having access to datasources can be configured based on securitydomain.

      This idea is a bit fuzzy, but am I thinking along the right line?

      Scott? anyone?


        • 1. Re: jaas auth and keystore
          martin0 Novice

          To clarify this a bit more - is it possible to define the connection to a keystore with JCA?

          • 2. Re: jaas auth and keystore
            Scott Stark Master

            If you write the jca adaptor you can. We have no jca adaptor which performs this function.

            • 3. Re: jaas auth and keystore
              martin0 Novice

              The problem I see is that the keystore API doesn't deal with principals. Am I missing something? I can't believe this is a unique problem.

              Thanks again

              • 4. Re: jaas auth and keystore
                Scott Stark Master

                The keystore deals with string aliases. Using the Principal.getName() as the alias in the keystore solves this.

                • 5. Re: jaas auth and keystore
                  martin0 Novice

                  Sorry - when I said Principal, I was refering to it as an authenticated entity, thus negating the need for a password in Keystore.getKey() method.

                  However, I'm starting to think it's not such a good idea anyway, because all someone would have to do, to get a key from the store would be to do a simple authentication module - produce the Principal and steal the key from the store.

                  I wonder what the standard solution to this problem is - I want JAAS auth because I thought it was the "blessed" solution from Sun et al, but I'm still stuck with other passwords for PBE or secret key access.... frustrating.

                  All the technical stuff I've read, seems to avoid this issue. It's no good embedding passwords in java classes as they can be extracted with decompilation.

                  Is it secure to pass at least singular passwords into JBoss as a system property?


                  • 6. Re: jaas auth and keystore
                    martin0 Novice

                    I suppose a "signed" Principal would be good - signed by the login module, and the keystore has the public key of the login module, but then I'm back to the problem of securing the login module's private key., Plus the container would have to understand the "signed" Principal, so that idea doesn't fly :-(