Hi all,

So far I've mainly been reading ActiveMQ and making design docs. Here's what I've got:

For authorization, my current plan is to just have the client's DN replace the user name field in the ConnectionInfo class (how this is done is explained below). I want to do this because I don't know much about JAAS and I'm trying to avoid writing classes to authorize based on DNs. If you guys know this stuff (and you probably do), we could change this easily enough.

Here's the rest of my design: I want to modify SslTransportFactory to use a specific SslContext object and allow clients access to its init method so that they can set their own key and trust managers. I also want to create new SslTransport and SslTransportServer classes. SslTransport will be derived from TcpTransport. Its main task will be to replace the user name field of ConnectionInfo commands with its socket's DN (this could be changed easily to attach the entire certificate to ConnectionInfo as a new generic field). SslTransport will also make sure that it uses SslSocketFactory instances. SslTransportServer will only be there to make sure SslSocketFactory instances are used.

For my current design that about does it. The proper brokers and plugins (JaasAuthenticationBroker and AuthorizationPlugin) would have to be used, and the configuration files would need to use the DN as the username.

I'm not sure about this, but I think if we were to attach the complete certificate and try to do things "properly" we'd need a new CertificateAuthenticationBroker and a way for JAAS to authenticate that certificate (I'm new to JAAS so I don't know how easy/hard this would be).

Any thoughts?

- Sepand

On 8/1/06, James Strachan <[EMAIL PROTECTED]> wrote:
On 8/1/06, ngcutura <[EMAIL PROTECTED]> wrote:
> My JIRA username is 'ngcutura' and I'll be glad to assign the LDAP Authorization
> issue to myself.

Great! You're all set now with JIRA karma.

> I also take this opportunity to remind you of my code
> waiting for your review. :-)

Thanks for the reminder - will try to get there soon :)

> I wouldn't mind creating and assigning certificate login, but as Sepand was
> the first to raise it I'd wait for him (a while).

Coolio

--
James
-------
http://radio.weblogs.com/0112098/
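To make the transport-level part of Sepand's proposal concrete, here is an added example (not ActiveMQ code, and not from anyone in this thread) written against plain JSSE. It shows the two things the design depends on: the server socket must demand a client certificate, and the identity written over the ConnectionInfo user name must be taken from the verified peer chain rather than from anything the client typed. The class and method names are invented for illustration.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.security.auth.x500.X500Principal;

/**
 * Illustrative helper (hypothetical, not part of ActiveMQ): derives the
 * identity that the proposed SslTransport would write into the user name
 * field of a ConnectionInfo command.
 */
public final class ClientDnExtractor {

    private ClientDnExtractor() {}

    /**
     * Server side (what SslTransportServer would have to do): a client
     * certificate is only sent if the server demands one. Without this the
     * handshake succeeds anonymously and there is no DN to extract.
     */
    public static void requireClientCertificates(SSLServerSocket server) {
        server.setNeedClientAuth(true);
    }

    /**
     * Returns the subject DN of the certificate the peer presented, in
     * RFC 2253 form, or null when the peer was not authenticated.
     * getSession() completes the handshake if it has not run yet.
     */
    public static String peerSubjectDn(SSLSocket socket) {
        SSLSession session = socket.getSession();
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return null;
            }
            // chain[0] is the end-entity certificate; later entries are issuers.
            X509Certificate leaf = (X509Certificate) chain[0];
            // RFC 2253 gives a canonical string, which is what you want if the
            // DN is going to be a lookup key in the authorization config.
            return leaf.getSubjectX500Principal().getName(X500Principal.RFC2253);
        } catch (SSLPeerUnverifiedException e) {
            // No client certificate (or an anonymous suite): never fabricate a name.
            return null;
        }
    }

    /**
     * The substitution the design describes: the transport discards whatever
     * user name the client put in ConnectionInfo and uses the DN from the
     * socket, so a client cannot claim an identity its certificate does not prove.
     */
    public static String userNameFor(SSLSocket socket, String claimedUserName) {
        String dn = peerSubjectDn(socket);
        if (dn == null) {
            throw new SecurityException("client presented no verifiable certificate");
        }
        return dn; // claimedUserName is deliberately ignored
    }
}
```

One caveat worth keeping in mind with the DN-as-username approach: the DN is only as trustworthy as the trust manager that validated the chain. If the SslContext is configured with a trust manager that accepts any certificate, a client can mint a self-signed certificate carrying any subject it likes and the DN in the user name field proves nothing, so the ability to plug in custom trust managers that Sepand mentions is also where that check has to be enforced.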
