activemq-dev mailing list archives

From "Guillaume Nodet" <gno...@gmail.com>
Subject Re: Creating a secure connection system and using JMSXUserID support
Date Thu, 03 Aug 2006 12:19:10 GMT
There is one in ServiceMix.
http://svn.apache.org/repos/asf/incubator/servicemix/trunk/servicemix-core/src/main/java/org/apache/servicemix/jbi/security/login/

On 8/2/06, Hiram Chirino <hiram@hiramchirino.com> wrote:
>
> On 8/1/06, Sepand M <sepandm@gmail.com> wrote:
> > Hi all,
> >
> > So far I've mainly been reading ActiveMQ and making design docs.
> > Here's what I've got:
> >
> > For authorization, my current plan is to just have the client's DN
> > replace the user name field in the ConnectionInfo class (how this is
> > done is explained below). I want to do this because I don't know much
> > about JAAS and I'm trying to avoid writing classes to authorize based
> > on DNs. If you guys know this stuff (and you probably do), we could
> > change this easily enough.
> >
> > Here's the rest of my design:
> >
> > I want to modify SslTransportFactory to use a specific SslContext
> > object and allow clients access to its init method so that they can
> > set their own key and trust managers. I also want to create new
> > SslTransport and SslTransportServer classes. SslTransport will be
> > derived from TcpTransport. Its main task will be to replace the user
> > name field of ConnectionInfo commands with its socket's DN (this could
> > be changed easily to attach the entire certificate to ConnectionInfo
> > as a new generic field). SslTransport will also make sure that it uses
> > SslSocketFactory's. SslTransportServer will only be there to make sure
> > SslSocketFactory's are used.
> >
> > For my current design that about does it. The proper Brokers and
> > plugins (JaasAuthenticationBroker and AuthorizationPlugin) would have
> > to be used and the configuration files would need to use the DN as the
> > username.
> >
> > I'm not sure about this, but I think if we were to attach the complete
> > certificate and try to do things "properly" we'd need a new
> > CertificateAuthenticationBroker and a way for JAAS to authenticate
> > that certificate (I'm new to JAAS so I don't know how easy/hard this
> > would be).
> >
>
> Sounds spot on!  The JAAS part would totally depend on how the JAAS
> module that authenticates against a certificate expects to receive the
> certificate.  Right now our current JAAS login only uses
> userid/password, that would need to change for a cert.  Anybody know
> where we can get a JAAS module that authenticates certificates?
>
> Regards,
> Hiram
>
> > Any thoughts?
> > - Sepand
> >
> > On 8/1/06, James Strachan <james.strachan@gmail.com> wrote:
> > > On 8/1/06, ngcutura <ngcutura@gmail.com> wrote:
> > > >
> > > > My JIRA username is 'ngcutura' and I'll be glad to assign LDAP Authorization
> > > > issue to myself.
> > >
> > > Great! You're all set now with JIRA karma
> > >
> > > > I also take this opportunity to remind you of my code
> > > > waiting for your review. :-)
> > >
> > > Thanks for the reminder - will try get there soon :)
> > >
> > > > I wouldn't mind creating and assigning certificate login but as Sepand was
> > > > the first to raise it I'd wait for him (a while).
> > >
> > > Coolio
> > >
> > > --
> > >
> > > James
> > > -------
> > > http://radio.weblogs.com/0112098/
> > >
> >
>
>
> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>



-- 
Cheers,
Guillaume Nodet
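
The DN-as-username design discussed in this thread, sketched as an added example that is not code from ActiveMQ, ServiceMix or any of the posters: it reads the client's subject DN from a completed TLS handshake and maps it to a configured user name, comparing DNs in canonical form so that spacing and case differences in a configuration file do not cause a mismatch. The class `DnUserMapper`, its methods and the sample DNs are hypothetical.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper, not an ActiveMQ or ServiceMix class.
public class DnUserMapper {
    // Canonical DN -> user name, filled from configuration.
    private final Map<String, String> users = new HashMap<>();

    public void addUser(String configuredDn, String userName) {
        users.put(canonical(new X500Principal(configuredDn)), userName);
    }

    // Canonical form lower-cases values and normalises whitespace, so
    // "CN=Client1, O=Example" and "cn=client1,o=example" yield the same key.
    static String canonical(X500Principal p) {
        return p.getName(X500Principal.CANONICAL);
    }

    // Returns the mapped user name, or null when the DN is not configured.
    public String userFor(X500Principal subject) {
        return users.get(canonical(subject));
    }

    // Reads the subject DN of the client's leaf certificate from the session.
    // Trust in the chain was decided by the trust manager during the handshake;
    // this method only names the peer. It throws SSLPeerUnverifiedException when
    // no client certificate was presented (for instance when the server socket
    // was not configured with setNeedClientAuth(true)).
    public String userFor(SSLSession session) throws SSLPeerUnverifiedException {
        Certificate[] chain = session.getPeerCertificates();
        X509Certificate leaf = (X509Certificate) chain[0];
        return userFor(leaf.getSubjectX500Principal());
    }

    public static void main(String[] args) {
        DnUserMapper mapper = new DnUserMapper();
        // Constructed sample entry, as it might appear in a users file.
        mapper.addUser("CN=client1, OU=Messaging, O=Example, C=US", "client1");
        // The same DN written with different case and spacing still matches.
        X500Principal presented = new X500Principal("cn=Client1,ou=messaging,o=example,c=us");
        System.out.println(mapper.userFor(presented));
        // A DN that is not configured maps to no user.
        System.out.println(mapper.userFor(new X500Principal("CN=client2, O=Example")));
    }
}
```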
