geronimo-dev mailing list archives

From "Kresten Krab Thorup" <k...@trifork.com>
Subject Re: ActiveIO
Date Tue, 12 Jul 2005 18:27:24 GMT
> David Jencks wrote:
>
> On Jul 12, 2005, at 1:14 AM, Kresten Krab Thorup wrote:
>
>> For client sockets, things are slightly more complicated because we
>> need to support that the user is authenticated with an X509
>> certificate.  In this case, the credentials of the user (which would
>> typically be sitting inside the current Subject) need to be passed
>> along to the socket creation so that the SSL logic can create an
>> X509KeyManager that can service this information to the server if he
>> needs it to establish the client's credentials.
>>
>
> Is this correct?  Or one possibility we should support?  My
> understanding is that normally in CSIv2 the SSL layer client
> authentication authenticates the client system itself, whereas the
> user's identity is transferred in an SAS identity token.  If the client
> system is a standalone client rather than a server, the client system
> identity would presumably be the same as the user identity.  Have I
> missed something?
>

Here is the example I'm thinking of:

If an application does a JAAS-based certificate login, then the private
credentials thus stored in the current subject should be used to do the
client side of a client authentication on a successive remote CORBA SSL
call, thus making the client system identity identical to the logged-in
user.

Kresten
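
The scenario in this message, as an added example (not code from the thread, Geronimo or ActiveIO): an X509KeyManager that answers the SSL client-authentication request from the X500PrivateCredential a JAAS certificate login left in the Subject. The class name, the alias and the `socketFactoryFor` helper are hypothetical; only the leaf certificate is presented and the server's issuer list is not consulted.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500PrivateCredential;

// Hypothetical class: serves the logged-in user's key and certificate to the handshake.
public final class SubjectKeyManager implements X509KeyManager {
    private static final String ALIAS = "subject-login"; // constructed alias
    private final X500PrivateCredential cred; // null when no certificate login happened
    public SubjectKeyManager(Subject subject) {
        cred = subject.getPrivateCredentials(X500PrivateCredential.class)
                      .stream().findFirst().orElse(null);
    }
    private boolean live() { return cred != null && !cred.isDestroyed(); }
    private boolean matches(String keyType) { // key algorithm must match the requested type
        return live() && cred.getPrivateKey().getAlgorithm().equals(keyType);
    }
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return matches(keyType) ? new String[] { ALIAS } : null;
    }
    // Assumption: the server's acceptable-issuer list is not checked here.
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket s) {
        for (String t : keyTypes) if (matches(t)) return ALIAS;
        return null; // no client certificate is offered
    }
    public X509Certificate[] getCertificateChain(String alias) {
        return ALIAS.equals(alias) && live()
                ? new X509Certificate[] { cred.getCertificate() } : null;
    }
    public PrivateKey getPrivateKey(String alias) {
        return ALIAS.equals(alias) && live() ? cred.getPrivateKey() : null;
    }
    // Client-only manager: never offers a server identity.
    public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return null; }
    // Builds the socket factory a client transport would use for this Subject.
    public static SSLSocketFactory socketFactoryFor(Subject subject) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new SubjectKeyManager(subject) }, null, null); // default trust
        return ctx.getSocketFactory();
    }
}
```

Because the key manager is bound to one Subject, a socket created from this factory carries that user's identity for its lifetime, so such connections must not be pooled across different logged-in users.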
