x-posting to jboss-dev/scott in order to get the community/security
specialists up-to-date.

-----Original Message-----
>From: Jason Essington [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, 2 December 2003 01:08
>To: Dr.Christoph Jung; Thomas Diesler
>Subject: Security in JBoss.net

>Hi Christoph, Thomas

>I have looked over the Web Services Security specs available from OASIS 
>(funny, dims just committed them to the specs directory of the wss4j 
>project today).

Yeah, it is an important, but quite complicated topic with all these
encryption/signing/key-sharing bits. I recently saw a presentation by BEA on
WSS and was impressed by the sheer space of possibilities (like, encrypting
only an important piece of a web-service call or signing a whole message).

>It looks like security can be added to JBoss.net on a per-service basis 
>by simply adding the handlers (i'll have to write jboss specific ones) 
>to the requestFlow and responseFlow sections of the service definition 
>in the web-service.xml file.

Great. Because we will map the new WS4EE descriptors onto basic Axis ones,
we can simply extend the security capabilities to WS4EE, too (the WS4EE
handler bit is what I am working on today: I want to have both "standard"
preconfigured handler configurations as well as custom ones, similar to the
jboss container configuration). 

>Then enabling security would be as simple as adding something like

>/**
> * @jboss-net.security
> *     action="encrypt_sign"
> *     more="parameters here"
> */

>Yup, I'll have to fiddle with the xDoclet module a little, but I'm no 
>stranger to that.

Sounds very good. I'm also thinking about writing a few J2EE 1.4 extensions
for the xdoclet ejb and web modules.
 
>The UsernameToken profile will easily map to the jaas style security 
>used by JBoss, 

you can have a look at the existing authentication and authorization
handlers which are connected (via SimplePrincipal) to a JBoss JAAS Security
manager. If you can take those to a new level, that would be great.

>but X.509 Certificate Tokens Profile will present a bit 
>of a problem I think.
>An X.509 cert is both an identifier (username) and a credential 
>(password). Any Ideas on how best to map an X.509 Certificate to a 
>JBoss principal?

>Maybe map the DN to a username? And use the cert serial number as a 
>password, just to map to a user that has defined roles (since a 
>keystore has no concept of roles)?

Would that be a Principal/Credential combination? That is something that we may
have to check with other servers, too. I think that BEA has a quite
elaborate notion of keystore, and I guess that we would need that for some of
the Wss4j, too.

CGJ
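As an added illustration of the X.509 mapping question discussed above (example code written for this page, not from JBoss.net, wss4j or the authors): assuming a JAAS-style principal built from the subject DN and a DN-to-roles table kept in configuration outside the keystore, this hypothetical helper validates the presented certificate chain against a trust store before treating the DN as the caller's identity. The serial number is not used as a credential here, because it is visible in the token itself; the binding of the caller to the DN comes from the WS-Security signature checked by the signature handler.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: turns a validated X.509 token into a principal plus roles. */
public final class X509TokenMapper {
    private final KeyStore trustStore;                // accepted CA certificates (trust anchors)
    private final Map<String, Set<String>> rolesByDn; // RFC 2253 DN -> roles, kept outside the keystore

    public X509TokenMapper(KeyStore trustStore, Map<String, Set<String>> rolesByDn) {
        this.trustStore = trustStore;
        this.rolesByDn = rolesByDn;
    }

    /** Validates the chain (leaf certificate first) and returns the subject DN as the caller principal. */
    public Principal map(X509Certificate[] chain) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(chain));
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false); // assumption: CRL/OCSP checking is configured elsewhere
        // Throws CertPathValidatorException on a bad signature, expired cert or untrusted issuer,
        // so an unvalidated DN never becomes a principal.
        CertPathValidator.getInstance("PKIX").validate(path, params);
        // The DN is public data; proof of possession is the WS-Security signature made with the
        // matching private key, which the signature handler verifies separately from this mapping.
        return chain[0].getSubjectX500Principal();
    }

    /** Roles come from configuration, since a keystore has no notion of roles. */
    public Set<String> rolesFor(Principal p) {
        return rolesByDn.getOrDefault(p.getName(), Collections.emptySet());
    }
}
```

Wire `map` into the request-flow handler and hand the returned principal and `rolesFor` result to the JAAS security manager in place of a username/password pair.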

JBoss-Development mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-development