4 Replies Latest reply on Jan 14, 2005 2:37 PM by Tom Elrod

    security - authentication, authorization, encryption

    mazz Master

      I would like to start a thread on securing both the remoting transport protocol and authorizing access to remote handlers.

      My initial requirements follow along lines analogous to HTTP/S with BASIC authentication.

      What I mean is, the actual traffic should be encrypted so as to prevent spoofing and hijacking of message requests and responses (having an HTTPS connector would do it - i.e. https://myhost:5555).

      Secondly, I need to be able to authenticate the remote client. For a start, we can just do something as simple as sending over credentials like a username (obviously, not in plain text - sending it over an encrypted channel would be needed). The server-side connector would then authenticate those credentials and see if the client is authorized to send requests to the handler that is to be invoked. Upon a denial, a security exception should be sent back to the client.

      As an aside, those client credentials should be made available to the handler (even though at this point, it would have meant the authorization passed). My handler may want to perform additional, more fine-grained, security checks.
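
The flow requested in the post above (authenticate the client, check that it may call the target handler, send back a security exception on denial, and hand the caller's identity to the handler) can be sketched as follows. This is an added example, not part of the original post and not JBoss Remoting code: `SecuredDispatchExample`, `Handler`, `Account` and `dispatch` are hypothetical names, the transport is assumed to be encrypted already, and Java 16+ is assumed for `record`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch; none of these types are JBoss Remoting classes.
public class SecuredDispatchExample {
    // The authenticated caller is handed to the handler for its own finer-grained checks.
    interface Handler { Object invoke(String caller, Object request); }
    record Account(byte[] passwordDigest, Set<String> allowedHandlers) {}

    private final Map<String, Account> accounts;  // username -> account
    private final Map<String, Handler> handlers;  // handler name -> handler

    SecuredDispatchExample(Map<String, Account> accounts, Map<String, Handler> handlers) {
        this.accounts = accounts;
        this.handlers = handlers;
    }

    // Assumption: plain SHA-256 keeps the sketch short; a real store needs a salted, slow KDF.
    static byte[] digest(String password) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Runs in the server-side connector, on a request that arrived over the encrypted transport.
    Object dispatch(String user, String password, String handlerName, Object request) throws Exception {
        Account account = accounts.get(user);
        byte[] expected = account == null ? new byte[32] : account.passwordDigest();
        // Always hash and compare in constant time, so unknown users look like bad passwords.
        boolean passwordOk = MessageDigest.isEqual(expected, digest(password));
        if (account == null || !passwordOk) throw new SecurityException("authentication failed");
        if (!account.allowedHandlers().contains(handlerName))
            throw new SecurityException("not authorized for handler " + handlerName);
        Handler handler = handlers.get(handlerName);
        if (handler == null) throw new IllegalStateException("handler not registered: " + handlerName);
        return handler.invoke(user, request);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: one account allowed to call "echo" but not "admin".
        Map<String, Account> accounts = Map.of("alice", new Account(digest("sample-pw"), Set.of("echo")));
        Map<String, Handler> handlers = Map.of("echo", (c, r) -> c + " sent " + r, "admin", (c, r) -> "done");
        SecuredDispatchExample server = new SecuredDispatchExample(accounts, handlers);
        System.out.println(server.dispatch("alice", "sample-pw", "echo", "ping"));
        for (String[] bad : new String[][] {{"alice", "wrong", "echo"}, {"alice", "sample-pw", "admin"}}) {
            try { server.dispatch(bad[0], bad[1], bad[2], "ping"); }
            catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        }
    }
}
```

The authorization check runs before the handler lookup, so an authenticated caller cannot use the error message to learn which handler names exist.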