activemq-dev mailing list archives

From: "Hiram Chirino" <hi...@hiramchirino.com>
Subject: Re: Creating a secure connection system and using JMSXUserID support
Date: Wed, 02 Aug 2006 00:11:56 GMT

On 8/1/06, Sepand M <sepandm@gmail.com> wrote:
> Hi all,
>
> So far I've mainly been reading ActiveMQ and making design docs.
> Here's what I've got:
>
> For authorization, my current plan is to just have the client's DN
> replace the user name field in the ConnectionInfo class (how this is
> done is explained below). I want to do this because I don't know much
> about JAAS and I'm trying to avoid writing classes to authorize based
> on DNs. If you guys know this stuff (and you probably do), we could
> change this easily enough.
>
> Here's the rest of my design:
>
> I want to modify SslTransportFactory to use a specific SslContext
> object and allow clients access to its init method so that they can
> set their own key and trust managers. I also want to create new
> SslTransport and SslTransportServer classes. SslTransport will be
> derived from TcpTransport. Its main task will be to replace the user
> name field of ConnectionInfo commands with its socket's DN (this could
> be changed easily to attach the entire certificate to ConnectionInfo
> as a new generic field). SslTransport will also make sure that it uses
> SslSocketFactory's. SslTransportServer will only be there to make sure
> SslSocketFactory's are used.
>
> For my current design that about does it. The proper Brokers and
> plugins (JaasAuthenticationBroker and AuthorizationPlugin) would have
> to be used and the configuration files would need to use the DN as the
> username.
>
> I'm not sure about this, but I think if we were to attach the complete
> certificate and try to do things "properly" we'd need a new
> CertificateAuthenticationBroker and a way for JAAS to authenticate
> that certificate (I'm new to JAAS so I don't know how easy/hard this
> would be).
>

Sounds spot on!  The JAAS part would totally depend on how the JAAS
module that authenticates against a certificate expects to receive the
certificate.  Right now our current JAAS login only uses
userid/password; that would need to change for a cert.  Anybody know
where we can get a JAAS module that authenticates certificates?

Regards,
Hiram

> Any thoughts?
> - Sepand
>
> On 8/1/06, James Strachan <james.strachan@gmail.com> wrote:
> > On 8/1/06, ngcutura <ngcutura@gmail.com> wrote:
> > >
> > > My JIRA username is 'ngcutura' and I'll be glad to assign LDAP Authorization
> > > issue to myself.
> >
> > Great! You're all set now with JIRA karma
> >
> > > I also take this opportunity to remind you of my code
> > > waiting for your review. :-)
> >
> > Thanks for the reminder - will try get there soon :)
> >
> > > I wouldn't mind creating and assigning certificate login but as Sepand was
> > > the first to raise it I'd wait for him (a while).
> >
> > Coolio
> >
> > --
> >
> > James
> > -------
> > http://radio.weblogs.com/0112098/
> >
>


-- 
Regards,
Hiram

Blog: http://hiramchirino.com
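
An added illustration of the DN-as-user-name design discussed in this message, not code from the thread or from ActiveMQ: the user name is taken from the peer principal of the verified TLS session and matched in canonical DN form. The class DnUserMapper, its methods and the sample DNs are hypothetical.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper (not an ActiveMQ class): maps a TLS-verified client DN to a user name. */
public class DnUserMapper {
    private final Map<String, String> usersByDn = new HashMap<>();

    // CANONICAL form normalises case and spacing, so one DN written two ways compares equal.
    private static String canonical(X500Principal p) {
        return p.getName(X500Principal.CANONICAL);
    }

    /** Register a DN as it would be written in a users configuration file. */
    public void allow(String dn, String userName) {
        usersByDn.put(canonical(new X500Principal(dn)), userName);
    }

    /** Take the identity from the handshake; the server socket must have setNeedClientAuth(true). */
    public String userFor(SSLSession session) throws SSLPeerUnverifiedException {
        return userFor(session.getPeerPrincipal()); // throws if no client certificate was verified
    }

    public String userFor(Principal peer) {
        if (!(peer instanceof X500Principal)) {
            throw new SecurityException("peer is not identified by an X.509 certificate");
        }
        String user = usersByDn.get(canonical((X500Principal) peer));
        if (user == null) {
            throw new SecurityException("no user mapped to DN " + peer.getName());
        }
        return user;
    }

    public static void main(String[] args) {
        DnUserMapper mapper = new DnUserMapper();
        mapper.allow("CN=client1, OU=Test, O=Example, C=CA", "client1"); // constructed sample DN
        // Same DN with different case and spacing, as another tool might render it.
        System.out.println(mapper.userFor(new X500Principal("cn=Client1,ou=test,o=example,c=ca")));
        try {
            mapper.userFor(new X500Principal("CN=client1, OU=Other, O=Example, C=CA"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Comparing raw DN strings instead of the canonical form would make the match depend on how each tool happens to print the DN.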
