4 Replies Latest reply on Feb 10, 2005 4:12 AM by Thomas Cherel

    Is SSL encryption available for JAAS?

    Tibor Pasztorka Newbie

      Hi Everybody,

      I use JAAS on both the client and the server side.

      In the client configuration there is a ClientLoginModule.
      The server side use a Krb5LoginModule that authenticate against Active Directory.

      The Kerberos login module on the server use a keytab for authentication and the client side doesn't send password.
      The ClientLoginModule simple bind the currently logged Windows user name as the principal.

      My question is how to encrypt the user name?
      My only chance is the SRP or is it possible to use SSL somehow?

      I use the 3.2.3 version.

      Thanks in advance.

      Tibor

        • 1. Re: Is SSL encryption available for JAAS?
          Scott Stark Master

          Encryption needs to be enabled at the ejb (or whatever service) invocation transport level. This is not a JAAS configuration issue.

          • 2. Re: Is SSL encryption available for JAAS?
            Thomas Cherel Novice

            Can you provide a little more detail on your JAAS configuration on both the client and server side?
            I am just curious on how it is really working (in a secure way) if only the user name is sent from the client.

            Thanks.

            Thomas

            • 3. Re: Is SSL encryption available for JAAS?
              Tibor Pasztorka Newbie

              Thank you fo your reply.

              My client configaration:

              other {
               org.jboss.security.ClientLoginModule required;
              };


              The CallbackHandler I use sets only the username. As a password sends an empty char array.

              Server configaration:

              <application-policy name="example1">
               <authentication>
              
               <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
               <module-option name="keyTab">C:/jboss-3.2.3/server/jaas_howto/conf/keytab.dat</module-option>
               <module-option name="useKeyTab">true</module-option>
               <module-option name="debug">true</module-option>
               </login-module>
              
               <login-module code="org.jboss.docs.jaas.howto.CustomLoginModule" flag="required"/>
               <!-- Setting up roles -->
              
               </authentication>
               </application-policy>


              The keytab was exported from the Active Directory. The keytab contains the users password in an encrypted way. The Jboss is started with
              java.security.krb5.kdc
              java.security.krb5.realm

              parameters to know where to find the Active Directory.

              That's what I did.

              The problem I'm facing now how to send some prove from the client side to the server login modules that the user who assigned in the ClientLoginModule really logged in the windows before.

              I tried JNI to determine the logged user name and domain in windows.

              Another problem is how to provide transport layer security for JAAS communication.

              Tibor


              • 4. Re: Is SSL encryption available for JAAS?
                Thomas Cherel Novice

                I understand now. Thanks for the details.
                I never tried to implement it, but, I think that the only way to do a fairly secure SSO mechanism between your client and server on windows is to use something like windows SSPI (see http://www.winterdom.com/dev/security/sspi.html) to implement a JAAS login module.
                The JAAS login module will probably have to work like the SRPLoginModule as the SSPI mandates a few roundtrips between the client and server during the authentication process.

                Thomas