Hello, I've got a "little" architecture issue, here is the basic schema :
[Diagram: JBOSS "Client" (JSP -> [EJB SB], client cert in keystore) -- auth then call (rmi+SSL) --> JBOSS "Server" ([Secured EJB SB], known certificates in keystore)]

The goal is to authenticate (so restrict) the clients (other session beans, left side) that are willing to use operations on the secured Session Bean (right side). So only "known" clients (by certificates) will be successfully authenticated and so granted access.

Technically speaking:

The Stateless Secured Session Bean (right):
- uses RMI+SSL invokers binding
- is linked to a JAAS security domain (bound to the local keystore)
- methods permissions are "unchecked" for a role "AuthenticatedApps"
- an application policy bound to the security domain specifies password stacking, to use BaseCertLoginModule as login module and a custom Cert Verifier (which checks the certificates' equality)

The client 'unsecured' Session Bean (left):
- Sets a SecurityAssociationHandler
- Retrieves the local security domain to access the local keystore to get its own certificate
- Gets a LoginContext using the securityDomain and the handler (containing the cert)
- Logs in, gets the subject
- Creates an initial context on the secured server JNDI
- Looks up/narrows/creates the secure SB

So where's my issue? For the moment, the LoginContext and then the login() are performed on the client side and not on the secured server side. So the secured server never performs the login().

So how can I get a remote LoginContext to perform the required login() and get a relevant subject to access the Secured SB?

Something looks wrong in my design, doesn't it?

Thanks for any help.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3920878#3920878