We don't have a JBoss-specific login module for Kerberos, but they exist, so that would be the path to using Kerberos with JBoss.
SRP is preferred simply because it does not have the PKI management headache. Any Kerberos integration would be similar to how SRP is done, so it's worth looking at from that perspective. If you're PKI-phobic, it's a good alternative.
I have tried out SRP example "ex3" in chapter 8 of the Admin & Development guide v3.2.3. This example shows how to perform authentication using SRP, but the RMI data is still transferred without encryption.
In order to add the encryption part, I believe that I would have to create custom RMIServerFactorys that use an SRP session key to encrypt/decrypt the RMI data between the client and server.
If this is correct, how do I get the SRP session key on both ends (client/server)?
RMIServerFactorys above should be RMISocketFactory. Sorry for the typo.
The session key is available as a javax.crypto.SecretKey in the Subject private credentials set populated by the SRPLoginModule. There is an example of a custom pair of client/server interceptors in the org.jboss.test.security.interceptors package of the test suite that illustrates using the SRP session key to encrypt just the arguments of EJB invocations using SealedObjects.
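The approach in the reply above (pull the SecretKey out of the Subject's private credentials, seal only the invocation arguments) as an added, self-contained example; this is not the JBoss test-suite interceptor code. It assumes the login module has placed a javax.crypto.SecretKey in the private credential set; a randomly generated AES key stands in for the SRP key on both the client and server Subjects, and with the real key the cipher transformation has to match the key's algorithm. The names SealedArgsExample, sessionKey, seal and unseal are mine.

```java
import java.util.Arrays;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;
import javax.security.auth.Subject;

/**
 * Added example (not JBoss code): find the session key a login module stored
 * in a Subject and use it to seal/unseal an EJB invocation's argument array.
 */
public class SealedArgsExample {

    /** The login module is assumed to have put exactly one SecretKey here. */
    static SecretKey sessionKey(Subject subject) {
        Set<SecretKey> keys = subject.getPrivateCredentials(SecretKey.class);
        if (keys.isEmpty()) {
            throw new SecurityException("no session key in Subject private credentials");
        }
        return keys.iterator().next();
    }

    /** Client-side interceptor work: seal the arguments before they go on the wire. */
    static SealedObject seal(Object[] args, SecretKey key) throws Exception {
        // CBC with a fresh random IV per invocation; SealedObject serialises the
        // cipher's AlgorithmParameters (the IV) alongside the ciphertext.
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return new SealedObject(args, c);   // Object[] is Serializable
    }

    /** Server-side interceptor work: unseal with the key from the caller's Subject. */
    static Object[] unseal(SealedObject sealed, SecretKey key) throws Exception {
        return (Object[]) sealed.getObject(key);
    }

    public static void main(String[] a) throws Exception {
        // Stand-in for the SRP session key (constructed here, same value on both ends).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey srpKey = kg.generateKey();

        Subject clientSubject = new Subject();
        clientSubject.getPrivateCredentials().add(srpKey);
        Subject serverSubject = new Subject();
        serverSubject.getPrivateCredentials().add(srpKey);

        // Constructed sample arguments for a hypothetical EJB method call.
        Object[] invocationArgs = { "transfer", 42, "ACCT-0001" };
        SealedObject onTheWire = seal(invocationArgs, sessionKey(clientSubject));

        Object[] recovered = unseal(onTheWire, sessionKey(serverSubject));
        System.out.println("server saw: " + Arrays.toString(recovered));

        // A Subject holding a different session key cannot open the arguments.
        SecretKey otherKey = kg.generateKey();
        try {
            unseal(onTheWire, otherKey);
            System.out.println("unexpected: wrong key accepted");
        } catch (Exception e) {
            System.out.println("wrong key rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Sealing gives confidentiality of the arguments only; the method name, the target and the return value still travel in the clear, which is why the original poster wants to move the encryption down to the socket.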
Thanks for your help. I can't tell you how much it has helped so far. Unfortunately, I have run into another problem.
I would like to create custom RMI server and client socket factories that encrypt and decrypt the entire RMI message using the SRP SecretKey created during login.
On the client I am able to get the SecretKey from the Subject and create encryption/decryption Ciphers based on the SecretKey. The problem is on the server. How do I get the Subject for the client that is connecting to the server? I tried to do this after the socket accept but it returned null:
Subject subject = SecurityAssociation.getSubject();
How does the RMIServerSocket retrieve the appropriate Subject so the server-side socket can access a SecretKey that matches the client's, so it can set up ciphers for input and output communication?
I am using v3.2.3, with the service code from the chapter 8 example to perform the login.
Thanks for all your help.
It would have to be done through some out-of-band mechanism. The RMIServerSocket is used when a connection is created, and there will be no user information associated with the thread. The only way this could be done is to read the Subject, or a key to obtain the Subject, from the socket as sent by the client.
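The out-of-band mechanism the reply describes, worked through at the socket layer as an added example (not JBoss code and not the socket factories from the thread): the client writes its user name before any RMI traffic, the server uses that name to look up the session key in a registry that the login module is assumed to have filled, and both ends then wrap the socket streams with ciphers keyed by that session key. The registry name SESSION_KEYS, the class KeyedSocketExample, the handshake methods and the "alice" session are all assumptions; a random AES key stands in for the SRP session key. A real RMIClientSocketFactory / RMIServerSocketFactory would return Socket subclasses whose getInputStream/getOutputStream hand back the wrapped streams; only the handshake itself is shown here.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: identity sent in the socket handshake, streams keyed by the looked-up session key. */
public class KeyedSocketExample {

    /** Server-side registry, user name -> SRP session key; assumed to be filled at login time. */
    static final Map<String, SecretKey> SESSION_KEYS = new ConcurrentHashMap<>();

    /** The cipher-wrapped streams a socket factory would expose from its Socket subclass. */
    static final class Streams {
        final InputStream in;
        final OutputStream out;
        Streams(InputStream in, OutputStream out) { this.in = in; this.out = out; }
    }

    /** AES/CTR so every byte is emitted as soon as it is written (no block padding stalls). */
    static Cipher ctr(int mode, SecretKey key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
        c.init(mode, key, new IvParameterSpec(iv));
        return c;
    }

    /** Client: send user name and a fresh client->server IV, read the server->client IV, wrap. */
    static Streams clientHandshake(Socket s, String user, SecretKey key) throws Exception {
        DataOutputStream raw = new DataOutputStream(s.getOutputStream());
        DataInputStream rawIn = new DataInputStream(s.getInputStream());
        byte[] c2s = new byte[16];
        new SecureRandom().nextBytes(c2s);
        raw.writeUTF(user);
        raw.write(c2s);
        raw.flush();
        byte[] s2c = new byte[16];
        rawIn.readFully(s2c);
        return new Streams(new CipherInputStream(rawIn, ctr(Cipher.DECRYPT_MODE, key, s2c)),
                           new CipherOutputStream(raw, ctr(Cipher.ENCRYPT_MODE, key, c2s)));
    }

    /** Server: read the user name, look up its session key, exchange IVs, wrap. */
    static Streams serverHandshake(Socket s) throws Exception {
        DataInputStream rawIn = new DataInputStream(s.getInputStream());
        DataOutputStream raw = new DataOutputStream(s.getOutputStream());
        String user = rawIn.readUTF();
        SecretKey key = SESSION_KEYS.get(user);
        if (key == null) {               // no login happened for this name: refuse the connection
            s.close();
            throw new SecurityException("no SRP session for " + user);
        }
        byte[] c2s = new byte[16];
        rawIn.readFully(c2s);
        byte[] s2c = new byte[16];
        new SecureRandom().nextBytes(s2c);
        raw.write(s2c);
        raw.flush();
        return new Streams(new CipherInputStream(rawIn, ctr(Cipher.DECRYPT_MODE, key, c2s)),
                           new CipherOutputStream(raw, ctr(Cipher.ENCRYPT_MODE, key, s2c)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the key SRPLoginModule would hold on both ends.
        byte[] kb = new byte[16];
        new SecureRandom().nextBytes(kb);
        SecretKey key = new SecretKeySpec(kb, "AES");
        SESSION_KEYS.put("alice", key);

        ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread t = new Thread(() -> {
            try (Socket s = server.accept()) {
                Streams st = serverHandshake(s);
                DataInputStream in = new DataInputStream(st.in);
                DataOutputStream out = new DataOutputStream(st.out);
                out.writeUTF("echo:" + in.readUTF());
                out.flush();
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        t.start();

        try (Socket s = new Socket(InetAddress.getLoopbackAddress(), server.getLocalPort())) {
            Streams st = clientHandshake(s, "alice", key);
            DataOutputStream out = new DataOutputStream(st.out);
            DataInputStream in = new DataInputStream(st.in);
            out.writeUTF("invoke");
            out.flush();
            System.out.println("client got: " + in.readUTF());
        }
        t.join();
        server.close();
    }
}
```

The user name is only a lookup hint: a client that sends someone else's name without that user's session key produces undecryptable bytes on both sides. Note that this gives confidentiality only; CTR (like the CBC used elsewhere in this thread) has no integrity check, so a production socket factory would also need a MAC or an authenticated mode over the stream.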