0 Replies Latest reply on Dec 26, 2005 6:02 AM by nuno oliveira

    ssl client auth through load balancer breaks declarative sec

    nuno oliveira Newbie

      Hello, I posted this question 2 days ago in the clustering forum but after having received no answer I decided that this forum may be a better place to post it. Please forgive me if that isn't the case but I'm desperate for an answer:(

      My desired setup is for a Jboss cluster serving requests behind a load balancer. Also I intend to use declarative security on the deployed units and have ssl client side authentication.

      I need someone to please confirm/deny the following statements:

      1) ssl has to be negotiated by the load balancer, whether hardware or software based (apache with mod_proxy/mod_jk).

      2) if using apache with mod_jk it is possible to configure it to send the client side authentication details (certificate) in such a way that jboss may enforce declarative authorization as if it had done the authentication itself. This also means that the programatic means to get the authenticated user identity described in the ejb and servlet specs will still work.

      3) there is no hardware load balancer that supports the behavior described in 2), which means that with a hardware load balancer it is impossible to use declarative authorization enforcement.

      After a whole lot testing and digging up for info, I'm quite desperate to solve this question, so if someone could help me I would be most thankfull.

      Nuno