geronimo-dev mailing list archives

From David Jencks <djen...@gluecode.com>
Subject Re: ActiveIO
Date Tue, 12 Jul 2005 18:41:24 GMT

On Jul 12, 2005, at 11:27 AM, Kresten Krab Thorup wrote:

>> David Jencks wrote:
>>
>> On Jul 12, 2005, at 1:14 AM, Kresten Krab Thorup wrote:
>>
>>> For client sockets, things are slightly more complicated because we
>>> need to support that the user is authenticated with an X509
>>> certificate.  In this case, the credentials of the user (which would
>>> typically be sitting inside the current Subject) need to be passed
>>> along to the socket creation so that the SSL logic can create an
>>> X509KeyManager that can serve this information to the server if it
>>> needs it to establish the client's credentials.
>>>
>>
>> Is this correct?  Or one possibility we should support?  My
>> understanding is that normally in csiv2 the ssl layer client
>> authentication authenticates the client system itself, whereas the
>> user's identity is transferred in an SAS identity token.  If the client
>> system is a standalone client rather than a server, the client system
>> identity would presumably be the same as the user identity.  Have I
>> missed something?
>>
>
> Here is the example I'm thinking of:
>
> If an application does a JAAS-based certificate login, then the private
> credentials thus stored in the current subject should be used to do the
> client side of a client authentication on a successive remote corba SSL
> call.  Thus making the client system identity identical to the logged in
> user.

While I like the idea of allowing this as an option, my understanding 
is this is not csiv2 compliant: I think this is what the 
ITTX509CertChain is for.  Please correct me if I'm wrong.

david jencks

>
> Kresten
>
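The mechanism Kresten describes, reusing the certificate and private key that a JAAS certificate login left in the current Subject as the SSL client identity, can be sketched as an X509KeyManager backed by the Subject. The following is an added example written for this archive page; it is not Geronimo or ActiveIO code, and the class name `SubjectKeyManager`, the alias string and the `clientContext` helper are assumptions. It relies only on standard JSSE and JAAS APIs: `Subject.getPrivateCredentials(Class)`, `X500PrivateCredential`, and `X509ExtendedKeyManager`.

```java
import java.net.Socket;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500PrivateCredential;

/**
 * Hypothetical example (not Geronimo code): a key manager that presents the
 * certificate and private key found in a JAAS Subject's private credentials,
 * so that an earlier certificate login becomes the SSL client identity.
 */
public class SubjectKeyManager extends X509ExtendedKeyManager {
    // Assumed alias; JSSE only needs it to be stable between the choose* and get* calls.
    private static final String ALIAS = "subject-credential";

    private final Subject subject;

    public SubjectKeyManager(Subject subject) {
        this.subject = subject;
    }

    /** Uses the Subject bound to the calling thread's AccessControlContext (e.g. by Subject.doAs). */
    public static SubjectKeyManager fromCurrentSubject() {
        return new SubjectKeyManager(Subject.getSubject(AccessController.getContext()));
    }

    /** Finds a credential that carries both a certificate and a private key, or null. */
    private X500PrivateCredential credential() {
        if (subject == null) {
            return null;
        }
        for (X500PrivateCredential c : subject.getPrivateCredentials(X500PrivateCredential.class)) {
            if (c.getCertificate() != null && c.getPrivateKey() != null) {
                return c;
            }
        }
        return null;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        // Offer a client certificate only when the Subject actually holds one;
        // returning null lets the handshake proceed without client authentication.
        return credential() != null ? ALIAS : null;
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return credential() != null ? new String[] {ALIAS} : null;
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        X500PrivateCredential c = credential();
        return (c != null && ALIAS.equals(alias)) ? new X509Certificate[] {c.getCertificate()} : null;
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        X500PrivateCredential c = credential();
        return (c != null && ALIAS.equals(alias)) ? c.getPrivateKey() : null;
    }

    // This key manager is for the client side only; it never answers as a server.
    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return null;
    }

    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return null;
    }

    /**
     * Builds an SSLContext whose client identity comes from the given Subject.
     * Trust managers are left null, i.e. the platform default trust store is used.
     */
    public static SSLContext clientContext(Subject subject) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] {new SubjectKeyManager(subject)}, null, null);
        return ctx;
    }
}
```

Note what this binds together: the credential in the Subject becomes the transport-level client identity of the connection, which is exactly the point David questions above, since in CSIv2 the SSL layer normally identifies the client system while the user's identity travels in the SAS identity token. A key manager like this therefore only makes sense where the process and the logged-in user are meant to be the same principal, and the code should fail closed (return null, no client certificate) rather than fall back to some unrelated key when the Subject carries no X500PrivateCredential.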

