On 8/1/06, Sepand M <[EMAIL PROTECTED]> wrote:
Hi all,

So far I've mainly been reading ActiveMQ and making design docs.
Here's what I've got:

For authorization, my current plan is to just have the client's DN
replace the user name field in the ConnectionInfo class (how this is
done is explained below). I want to do this because I don't know much
about JAAS and I'm trying to avoid writing classes to authorize based
on DNs. If you guys know this stuff (and you probably do), we could
change this easily enough.

Here's the rest of my design:

I want to modify SslTransportFactory to use a specific SslContext
object and allow clients access to its init method so that they can
set their own key and trust managers. I also want to create new
SslTransport and SslTransportServer classes. SslTransport will be
derived from TcpTransport. Its main task will be to replace the user
name field of ConnectionInfo commands with its socket's DN (this could
be changed easily to attach the entire certificate to ConnectionInfo
as a new generic field). SslTransport will also make sure that it uses
SslSocketFactory instances. SslTransportServer will only be there to make sure
SslSocketFactory instances are used.

For my current design that about does it. The proper Brokers and
plugins (JaasAuthenticationBroker and AuthorizationPlugin) would have
to be used and the configuration files would need to use the DN as the
username.

I'm not sure about this, but I think if we were to attach the complete
certificate and try to do things "properly" we'd need a new
CertificateAuthenticationBroker and a way for JAAS to authenticate
that certificate (I'm new to JAAS so I don't know how easy/hard this
would be).


Sounds spot on!  The JAAS part would totally depend on how the JAAS
module that authenticates against a certificate expects to receive the
certificate.  Right now our current JAAS login only uses
userid/password; that would need to change for a cert.  Anybody know
where we can get a JAAS module that authenticates certificates?

Regards,
Hiram

Any thoughts?
- Sepand

On 8/1/06, James Strachan <[EMAIL PROTECTED]> wrote:
> On 8/1/06, ngcutura <[EMAIL PROTECTED]> wrote:
> >
> > My JIRA username is 'ngcutura' and I'll be glad to assign LDAP Authorization
> > issue to myself.
>
> Great! You're all set now with JIRA karma
>
> > I also take this opportunity to remind you of my code
> > waiting for your review. :-)
>
> Thanks for the reminder - will try get there soon :)
>
> > I wouldn't mind creating and assigning certificate login but as  Sepand was
> > the first to raise it I'd wait for him (a while).
>
> Coolio
>
> --
>
> James
> -------
> http://radio.weblogs.com/0112098/
>



--
Regards,
Hiram

Blog: http://hiramchirino.com
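As an added illustration (this is not ActiveMQ code and not from anyone in the thread), the following hypothetical Java sketches both halves of the design discussed above: a transport-side helper that takes the client's DN from the SSLSocket session, and a JAAS LoginModule that receives the certificate chain through a custom Callback instead of a userid/password, which is the "how does the JAAS module expect to receive the certificate" question Hiram raises. The class names, the `CertificateCallback`, and the `trustStore`/`trustStorePassword` option names are all assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

/** Hypothetical example, not ActiveMQ's own classes. */
public final class CertificateJaasExample {

    /** Transport side: the chain JSSE verified during the handshake. Throws
     *  SSLPeerUnverifiedException unless the server socket required client
     *  auth (setNeedClientAuth(true)) and the client actually presented a cert. */
    public static X509Certificate[] peerChain(SSLSocket socket) throws SSLPeerUnverifiedException {
        Certificate[] certs = socket.getSession().getPeerCertificates();
        X509Certificate[] chain = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) chain[i] = (X509Certificate) certs[i];
        return chain;
    }

    /** The string the design would write over ConnectionInfo's userName field. */
    public static String subjectDn(X509Certificate[] chain) {
        return chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253);
    }

    /** Assumed callback type: carries the chain into the login module. */
    public static final class CertificateCallback implements Callback {
        private X509Certificate[] chain;
        public void setCertificates(X509Certificate[] c) { chain = c; }
        public X509Certificate[] getCertificates() { return chain; }
    }

    /** Handler the broker would build from the socket's chain (no prompting). */
    public static final class CertificateCallbackHandler implements CallbackHandler {
        private final X509Certificate[] chain;
        public CertificateCallbackHandler(X509Certificate[] chain) { this.chain = chain; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof CertificateCallback)) throw new UnsupportedCallbackException(cb);
                ((CertificateCallback) cb).setCertificates(chain);
            }
        }
    }

    /** JAAS module: re-validates the chain with PKIX against a trust store
     *  named in the login config options, then exposes the DN as a Principal. */
    public static final class CertificateLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, ?> options;
        private X500Principal principal;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject; this.handler = handler; this.options = options;
        }

        public boolean login() throws LoginException {
            CertificateCallback cb = new CertificateCallback();
            try {
                handler.handle(new Callback[] { cb });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot obtain client certificate: " + e);
            }
            X509Certificate[] chain = cb.getCertificates();
            if (chain == null || chain.length == 0) throw new FailedLoginException("no client certificate");
            try {
                // "trustStore" / "trustStorePassword" are assumed option names for this example.
                KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
                try (InputStream in = new FileInputStream((String) options.get("trustStore"))) {
                    ts.load(in, ((String) options.get("trustStorePassword")).toCharArray());
                }
                CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
                PKIXParameters params = new PKIXParameters(ts);
                params.setRevocationEnabled(false); // turn on CRL/OCSP checking for production use
                CertPathValidator.getInstance("PKIX").validate(path, params);
            } catch (GeneralSecurityException | IOException e) {
                throw new FailedLoginException("certificate chain rejected: " + e);
            }
            principal = chain[0].getSubjectX500Principal();
            return true;
        }

        public boolean commit() { if (principal == null) return false; subject.getPrincipals().add(principal); return true; }
        public boolean abort() { principal = null; return true; }
        public boolean logout() { subject.getPrincipals().remove(principal); principal = null; return true; }
    }
}
```

Two caveats a practitioner would check before relying on the DN-as-username scheme. First, the transport must overwrite the userName field with the DN taken from the socket and ignore whatever the client put there; if any connector (for example a plain TCP one) still passes the client-supplied field through, a client can simply claim another identity's DN as its username and the authorization config keyed on DNs is bypassed. Second, `getPeerCertificates()` only returns a chain when the server socket was configured with `setNeedClientAuth(true)` and the handshake verified it; with `setWantClientAuth(true)` a client may connect without a certificate and the call throws, so the transport needs to decide whether that is a rejected connection or an anonymous one.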
