3 Replies Latest reply on May 24, 2004 11:26 AM by starksm64

    Security context propagation between servers?

    mylesj

      This is more in the realm of J2EE security than JBoss, but I would appreciate any guidance on it. How can a security context be propagated between two JBoss servers, or for that matter, any J2EE application server?

      I presume the answer lies in JAAS and custom login modules. Are there any off the shelf solutions? Does JBoss support it directly?

      I want to set up a trust relationship between two servers such that a successful login in one server is trusted in the other by default. Note that these servers are not part of a cluster or share the same JVM. They are entirely independent.

      Please help!

      Thanks,

      Myle

        • 1. Re: Security context propagation between servers?
          starksm64

          The JAAS Howto describes how the security context is propagated between two JBoss servers. It's up to the authentication layer, typically JAAS login modules, to deal with trust.

          In J2EE, the security context is only coupled to RMI/IIOP transport and so there is not a general security context notion that applies for all J2EE server interactions currently.
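          As an added illustration of the "login module deals with trust" point above (example code, not from this thread, the JAAS Howto or JBoss): a minimal LoginModule that accepts an assertion minted by a trusted peer server, verifying an HMAC over the user name and an expiry with a key shared out of band. The class name, the "peerKey" option and the "user|expiry|base64(tag)" assertion format are assumptions of this example; it assumes a modern JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical module: trusts an assertion "user|expiryEpochSeconds|base64(HMAC-SHA256)"
// minted by a peer server that shares the key given in the module option "peerKey".
public class PeerTrustLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private byte[] peerKey;
    private String user; private boolean succeeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
        // Key exchanged out of band with the trusted peer (option name is constructed here).
        peerKey = ((String) options.get("peerKey")).getBytes(StandardCharsets.UTF_8);
    }

    public boolean login() throws LoginException {
        PasswordCallback pc = new PasswordCallback("assertion", false);
        try { handler.handle(new Callback[]{pc}); }
        catch (Exception e) { throw new LoginException("no assertion supplied"); }
        String[] parts = new String(pc.getPassword()).split("\\|");
        if (parts.length != 3) throw new LoginException("malformed assertion");
        byte[] expected, given; long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(peerKey, "HmacSHA256"));
            expected = mac.doFinal((parts[0] + "|" + parts[1]).getBytes(StandardCharsets.UTF_8));
            given = Base64.getDecoder().decode(parts[2]);
        } catch (java.security.GeneralSecurityException | IllegalArgumentException e) {
            throw new LoginException("cannot verify assertion");
        }
        // Constant-time comparison so the tag is not leaked byte by byte.
        if (!MessageDigest.isEqual(expected, given)) throw new LoginException("bad signature");
        // A short expiry bounds how long a captured assertion stays usable.
        if (expiry < System.currentTimeMillis() / 1000) throw new LoginException("assertion expired");
        user = parts[0];
        return succeeded = true;
    }

    // On commit, attach the trusted user as a java.security.Principal (lambda form).
    public boolean commit() { if (succeeded) subject.getPrincipals().add(() -> user); return succeeded; }
    public boolean abort() { succeeded = false; user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```

          The peer that mints assertions must keep the key secret and the expiry short; anyone holding the key can impersonate any user on the trusting server.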

          • 2. Re: Security context propagation between servers?
            mylesj

            Thanks Scott,

            Are you aware of any third party or open source implementations of JAAS that facilitate trust relationships between two distributed J2EE applications?

            I would much rather opt for a proven solution were one available than develop one from the ground up; the danger of opening up a major security flaw by developing a naive JAAS implementation troubles me.

            Should there not be an implementation of JAAS with trust available, are you aware of an appropriate trust protocol that would map well to JAAS and J2EE to give me a head start?

            Thanks,

            Myles

            • 3. Re: Security context propagation between servers?
              starksm64

              This is outside of the scope of JAAS. It has to be done at a higher level like XACML, which has an open source impl: http://sourceforge.net/projects/sunxacml. JAAS is just the integration point for the authentication callout.