geronimo-user mailing list archives

From David Jencks <>
Subject Re: Secured connection
Date Sun, 24 Jun 2007 17:06:00 GMT

On Jun 24, 2007, at 12:13 PM, Tero Mäntyvaara wrote:

> David Jencks wrote:
>> Please send to only one list at a time; this is more appropriate for
>> the user list.
> I am really sorry, I will not do that again. :-/
>> On Jun 21, 2007, at 7:45 AM, Tero Mäntyvaara wrote:
>>> Does latest G support secured (read encrypted) connection between
>>> server and client?
>> That depends on the protocol you want to use and possibly on the
>> version of geronimo you want to use.  I'll assume you are using
>> geronimo 2.0 (trunk)
> I was thinking the latest, so it will be then 2.0.
>> web/https -- yes
>> jaxrpc/jaxws/soap -- yes
>> ejb using corba -- yes
>> ejb using openejb proprietary protocol -- not turned on by default,
>> and I'm not sure if you can turn it on without extra programming.
> I was planning to use encrypted connection between remote EJB-component
> and Java-application. So my alternatives are CORBA and openEJB. I would
> like to use this J2EE compliant CORBA-connection. How has this
> en-/decryption been accomplished then?

It's not clear to me if your java-application is the client or server
here, nor if it is running in a javaee container.  I'm going to
assume that it is the client and is either a javaee client
application running in geronimo app client container or another
javaee application.  It's possible to use corba from a non-javaee
application but you have to set up quite a bit of configuration in code.

I would start by looking at the examples in <geronimo server trunk>/ 
testsuite/corba-testsuite.  These are all set up to use no security,  
but you can see which objects you need to configure.  On the server  
side you need a TSSBeanGBean that specifies the required and allowed  
security properties to use the server ejb, and on the client side  
there's a corresponding CSSBeanGBean that specifies what the client  
is willing to supply.

There are a lot of choices.  There are 3 layers involved.
- transport layer.  You can specify unprotected, ssl, or ssl with
client certificate.  IIRC the client certificate can be used to identify
the client.
- AS layer (Application Security??? I can't remember what it stands  
for)  At this layer you can specify that the client will identify  
itself using username/password.  (GSSUP)
- SAS layer.  (Security Attribute Service) If the client is working  
on behalf of a user other than the user who is running the client  
itself (for instance if it is a server), you can propagate the actual  
user identity using an identity token.  However the user will not be  
reauthenticated on the server: the server will trust that the client  
has already performed proper authentication.  Note that this is  
reasonable if e.g. you have authenticated the client via a trusted  
client certificate and are using ssl transport.

There are some schemas for the css and tss bean configurations, corba- 
css-config-2.1.xsd and corba-tss-config-2.1.xsd.  If you have trouble  
figuring out what to specify, tell us what options you want and we'll  
try to help come up with an appropriate configuration.

david jencks

>> thanks
>> david jencks
>>> Tero Mäntyvaara
> Tero Mäntyvaara
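The three-layer matching David describes (the server's TSS bean stating what it requires and supports, the client's CSS bean stating what it will supply, and the caveat that a SAS identity token is only safe once the client itself has been authenticated over a protected transport) can be made concrete with a small model. The following is an added illustration written for this archive page, not code from Geronimo, OpenEJB or either poster; the option names follow the CSIv2 association options, but the Policy class, the negotiate/evaluate helpers and the sample policies are constructed here for the example.

```python
"""Toy model of CSIv2-style policy matching between a client-side CSS and a
server-side TSS, added to illustrate the thread above (not Geronimo code)."""
from dataclasses import dataclass

# Transport layer (SSL) association options, named as in CSIv2
INTEGRITY = "Integrity"
CONFIDENTIALITY = "Confidentiality"
ESTABLISH_TRUST_IN_TARGET = "EstablishTrustInTarget"   # server certificate
ESTABLISH_TRUST_IN_CLIENT = "EstablishTrustInClient"   # client certificate
# AS layer: client authenticates with username/password (GSSUP)
GSSUP = "GSSUP"
# SAS layer: client asserts a caller identity other than its own
IDENTITY_ASSERTION = "IdentityAssertion"

SSL_WITH_CLIENT_CERT = frozenset({INTEGRITY, CONFIDENTIALITY,
                                  ESTABLISH_TRUST_IN_TARGET, ESTABLISH_TRUST_IN_CLIENT})


@dataclass(frozen=True)
class Policy:
    """One side's view: the options it supports and the subset it insists on.
    Hypothetical class standing in for a TSSBean (server) or CSSBean (client)."""
    supports: frozenset
    requires: frozenset

    def __post_init__(self):
        if not self.requires <= self.supports:
            raise ValueError("a side cannot require what it does not support")


def negotiate(css: Policy, tss: Policy):
    """Return the options in effect for a call, or None if the policies conflict.

    Simplified CSIv2 rule: everything one side requires must be supported by
    the other side; what ends up in use is the union of both required sets.
    """
    if not tss.requires <= css.supports or not css.requires <= tss.supports:
        return None
    return css.requires | tss.requires


def assertion_is_trustworthy(in_effect: frozenset) -> bool:
    """The caveat from the post: the asserted user is NOT re-authenticated on
    the server, so identity assertion is only acceptable when the server has
    authenticated the client itself (client certificate or GSSUP) and the
    transport is integrity- and confidentiality-protected."""
    if IDENTITY_ASSERTION not in in_effect:
        return True  # nothing is asserted, so nothing is trusted blindly
    client_authenticated = ESTABLISH_TRUST_IN_CLIENT in in_effect or GSSUP in in_effect
    transport_protected = {INTEGRITY, CONFIDENTIALITY} <= in_effect
    return client_authenticated and transport_protected


# Constructed sample policies (not taken from any real deployment plan).
# Server: insist on SSL with a client certificate, accept an asserted identity.
STRICT_TSS = Policy(supports=SSL_WITH_CLIENT_CERT | {IDENTITY_ASSERTION},
                    requires=SSL_WITH_CLIENT_CERT)
# Server that would accept an asserted identity over plain, unprotected IIOP.
LAX_TSS = Policy(supports=frozenset({IDENTITY_ASSERTION}), requires=frozenset())
# Client: a middle-tier server propagating its own caller's identity.
PROPAGATING_CSS = Policy(supports=SSL_WITH_CLIENT_CERT | {IDENTITY_ASSERTION},
                         requires=frozenset({IDENTITY_ASSERTION}))
# Client that only speaks anonymous, unprotected IIOP.
PLAIN_CSS = Policy(supports=frozenset(), requires=frozenset())


def evaluate(css: Policy, tss: Policy) -> str:
    """Negotiate and classify the pairing: 'incompatible', 'trusted' or 'UNSAFE'."""
    in_effect = negotiate(css, tss)
    if in_effect is None:
        return "incompatible"
    return "trusted" if assertion_is_trustworthy(in_effect) else "UNSAFE"


if __name__ == "__main__":
    cases = [("strict server, propagating client", PROPAGATING_CSS, STRICT_TSS),
             ("lax server, propagating client", PROPAGATING_CSS, LAX_TSS),
             ("strict server, plain client", PLAIN_CSS, STRICT_TSS)]
    for name, css, tss in cases:
        print(f"{name}: {evaluate(css, tss)}")
```

The second case is the one the post warns about: both sides agree on identity assertion, the policies are compatible, and the call would proceed, but the server has no independent evidence of who the client is, so it is trusting an unauthenticated peer's claim about the end user. A TSS that accepts identity tokens should therefore also require client authentication at the transport or AS layer.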
