Thanks for the detailed reply, I appreciate it.

I think we are on the same page on most points (which is good for me, I am just 
a beginner in the security arena).

Two extra comments.

1) From my reading of the Kerberos protocol (which might not be true for SRP, I 
do not know), the session key is securely exchanged between the client and the 
server and is used, after the authentication process, to encrypt/decrypt 
messages (similar to what an SSL handshake is doing). So, if we agree that, 
after the authentication process, client and server share a private key that 
could not be compromised (the session key), the "statefulness" of the RMI 
connection can be established by sending the client principal name and a 
digital signature of the message (encrypted hash code of the message using the 
session key). This should guarantee that the message is coming from the right 
person, shouldn't it?
Agreed, computing the message digital signature is probably not going to be 
free, but it is still cheaper than full SSL.

2) For the single sign-on aspect, I agree that this is dependent on the 
underlying OS (or almost). At least, I agree that GSS-API is not providing 
single sign-on capabilities by itself. But Kerberos does (which is what Windows 
is using in W2K domains), I think.
So, a combination of Kerberos JAAS login module (available in JDK1.4) and 
GSS-API (to be authentication protocol independent) should allow me to 
implement a single sign-on mechanism on any Kerberos based system (windows and 
Unix).
For Windows, I think we can even go one step further. The Microsoft SSPI looks 
a lot like the GSS-API. One could create his own GSS-API implementation on top 
of the Windows SSPI. It does not bring anything new for W2K domains, which are 
Kerberos based anyway (and the JDK GSS-API provides an implementation for 
Kerberos), but it would work on Windows NT domains (NTLM instead of Kerberos) 
since the SSPI supports it.

Thomas

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3856418#3856418

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3856418
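The per-message integrity scheme sketched in point 1 of the post above, as an added example (it is not code from the original post, nor JBoss's own). It assumes a constructed 32-byte session key standing in for the one Kerberos negotiates, uses HMAC-SHA256 as the keyed tag (the standard form of the "encrypted hash" the post describes; a raw hash encrypted under the session key is not a safe MAC construction), and adds a per-session sequence number, which the post does not mention, so that a captured call cannot be replayed. The principal name, sequence number and payload are length-prefixed before tagging so they cannot be re-split into a different message. In a real GSS-API deployment this is exactly what GSSContext.getMIC/verifyMIC produce and check after context establishment (wrap/unwrap when confidentiality is also needed), so the custom tag is only needed where those calls are not used.

```python
"""Keyed per-message integrity on top of an established session key.

Added example, not code from the original post or from JBoss. Models
point 1 of the post: after authentication the client and server share a
session key, and each RMI call carries the client principal plus a keyed
tag so the server can attribute the call without a new handshake.
"""
import hashlib
import hmac
import struct

# Constructed stand-in for a Kerberos session key (assumption; never hard-code real keys).
SESSION_KEY = bytes(range(32))


def _canonical(principal, seq, payload):
    # Length-prefix every field so (principal, seq, payload) cannot be
    # re-split into a different triple with the same byte concatenation.
    p = principal.encode("utf-8")
    return (struct.pack(">I", len(p)) + p
            + struct.pack(">Q", seq)
            + struct.pack(">I", len(payload)) + payload)


def make_tag(key, principal, seq, payload):
    """HMAC-SHA256 over the canonical encoding; the post's 'digital signature'."""
    return hmac.new(key, _canonical(principal, seq, payload), hashlib.sha256).digest()


class Client:
    """Holds the session key from authentication and numbers each call."""
    def __init__(self, principal, key):
        self.principal = principal
        self.key = key
        self.seq = 0

    def send(self, payload):
        self.seq += 1
        return {"principal": self.principal, "seq": self.seq, "payload": payload,
                "tag": make_tag(self.key, self.principal, self.seq, payload)}


class Server:
    """Binds each authenticated principal to its session key and last sequence number."""
    def __init__(self, sessions):  # principal -> session key established at login
        self.keys = dict(sessions)
        self.last_seq = {p: 0 for p in sessions}

    def receive(self, msg):
        principal = msg["principal"]
        key = self.keys.get(principal)  # key comes from the server's own table, never from the message
        if key is None:
            return (False, "unknown principal")
        expected = make_tag(key, principal, msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):  # constant-time compare
            return (False, "bad tag")
        if msg["seq"] <= self.last_seq[principal]:  # stale or repeated call
            return (False, "replay")
        self.last_seq[principal] = msg["seq"]
        return (True, "ok")


def run_demo():
    """Exercise the exchange: genuine call, tampered call, replay, impersonation."""
    server = Server({"thomas@EXAMPLE.COM": SESSION_KEY})
    client = Client("thomas@EXAMPLE.COM", SESSION_KEY)
    results = {}

    msg = client.send(b"invoke:getBalance(account=42)")
    results["genuine"] = server.receive(msg)

    # Payload altered in transit: the tag no longer matches.
    forged = dict(msg, payload=b"invoke:getBalance(account=43)")
    results["tampered"] = server.receive(forged)

    # Original message replayed verbatim: tag is valid but seq is stale.
    results["replay"] = server.receive(msg)

    # Someone claiming the principal name without the session key.
    impostor = Client("thomas@EXAMPLE.COM", bytes(32))
    impostor.seq = 5
    results["impostor"] = server.receive(impostor.send(b"invoke:transfer()"))

    # The genuine client's next call still goes through.
    results["next"] = server.receive(client.send(b"invoke:logout()"))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9s} -> {outcome}")
```

The important design point for the RMI case is in `Server.receive`: the principal name in the message is only a lookup key into the server's own session table, so an attacker who knows the name but not the session key cannot produce a valid tag. One HMAC per call is far cheaper than an SSL handshake, but the server must keep per-session state (key and last sequence number) for as long as the "stateful" connection is considered alive, and the session key must be rotated or the session ended when the Kerberos ticket lifetime expires.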


_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
