Hi, I started another thread, unaware of this one, with the same aim.
http://www.nabble.com/forum/ViewPost.jtp?post=5583011&framed=y

So please allow me to share my views on this.

If we are going to use SSL and SSL's built-in client authentication, then I would use JAAS to authenticate the user via certificate. I would use LDAP to store and verify certificates and I guess it would be fairly easy to implement. There is already LDAPLoginModule and I implemented LDAPAuthorizationMap - certificates should not be much harder.

The outcome of successful SSL client authentication should be an authenticated Subject with all Principals set. This I would put into ConnectionInfo - no need for DN or username. When AMQ has an authenticated Subject, it can perform authorization in any of the existing ways. That is, we can safely separate authentication from authorization modules as long as AMQ gets the Subject from the authentication process.

What I miss here is the point of Subject creation. If we totally rely on SSL for authentication we actually need an implementation of a truststore (keystore with trust manager) that would verify the client certificate and create the login Subject. However, as this process is totally hidden from AMQ (I think that the truststore and the ConnectionInfo instance are unaware of each other), we would need another store (directory) to temporarily save the Subject and make it available to AMQ once the connection is created. Or, if there is a way for the truststore to interact with the ConnectionInfo instance, this problem is solved.

This approach requires implementation of CertificateLoginModule (JAAS) and a custom truststore that would use this login module plus some temporary map.

What do you think about this?

Regards,
NGC

Hiram Chirino wrote:
>
> On 8/1/06, Sepand M <[EMAIL PROTECTED]> wrote:
>> Hi all,
>>
>> So far I've mainly been reading ActiveMQ and making design docs.
>> Here's what I've got:
>>
>> For authorization, my current plan is to just have the client's DN
>> replace the user name field in the ConnectionInfo class (how this is
>> done is explained below). I want to do this because I don't know much
>> about JAAS and I'm trying to avoid writing classes to authorize based
>> on DNs. If you guys know this stuff (and you probably do), we could
>> change this easily enough.
>>
>> Here's the rest of my design:
>>
>> I want to modify SslTransportFactory to use a specific SslContext
>> object and allow clients access to its init method so that they can
>> set their own key and trust managers. I also want to create new
>> SslTransport and SslTransportServer classes. SslTransport will be
>> derived from TcpTransport. Its main task will be to replace the user
>> name field of ConnectionInfo commands with its socket's DN (this could
>> be changed easily to attach the entire certificate to ConnectionInfo
>> as a new generic field). SslTransport will also make sure that it uses
>> SslSocketFactory's. SslTransportServer will only be there to make sure
>> SslSocketFactory's are used.
>>
>> For my current design that about does it. The proper Brokers and
>> plugins (JaasAuthenticationBroker and AuthorizationPlugin) would have
>> to be used and the configuration files would need to use the DN as the
>> username.
>>
>> I'm not sure about this, but I think if we were to attach the complete
>> certificate and try to do things "properly" we'd need a new
>> CertificateAuthenticationBroker and a way for JAAS to authenticate
>> that certificate (I'm new to JAAS so I don't know how easy/hard this
>> would be).
>>
>
> Sounds spot on! The JAAS part would totally depend on how the JAAS
> module that authenticates against a certificate expects to receive the
> certificate. Right now our current JAAS login only uses
> userid/password; that would need to change for a cert. Anybody know
> where we can get a JAAS module that authenticates certificates?
>
> Regards,
> Hiram
>
>> Any thoughts?
>> - Sepand
>>
>> On 8/1/06, James Strachan <[EMAIL PROTECTED]> wrote:
>> > On 8/1/06, ngcutura <[EMAIL PROTECTED]> wrote:
>> > >
>> > > My JIRA username is 'ngcutura' and I'll be glad to assign LDAP Authorization
>> > > issue to myself.
>> >
>> > Great! You're all set now with JIRA karma
>> >
>> > > I also take this opportunity to remind you of my code
>> > > waiting for your review. :-)
>> >
>> > Thanks for the reminder - will try to get there soon :)
>> >
>> > > I wouldn't mind creating and assigning certificate login but as Sepand was
>> > > the first to raise it I'd wait for him (a while).
>> >
>> > Coolio
>> >
>> > --
>> >
>> > James
>> > -------
>> > http://radio.weblogs.com/0112098/
>> >
>> >
>
>
> --
> Regards,
> Hiram
>
> Blog: http://hiramchirino.com
>
>

--
View this message in context: http://www.nabble.com/Creating-a-secure-connection-system-and-using-JMSXUserID-support-tf1956575.html#a5612820
Sent from the ActiveMQ - Dev forum at Nabble.com.
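The certificate-to-Subject step that NGC and Hiram discuss above (a JAAS login module that receives the client certificate, verifies it, and yields a Subject with Principals set, plus the bridge from the SSL layer to that module), written out as an added Java example. This is not ActiveMQ code and not code from anyone in the thread. The class names CertificateCallback, DnPrincipal, X509CertificateLoginModule and subjectFor are hypothetical, it assumes an SSLSession whose handshake with client authentication required has already completed, and Map.of() assumes Java 9 or later.

```java
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public final class CertificateLoginExample {

    // Hypothetical callback: carries the client's chain from the SSL layer into JAAS.
    public static final class CertificateCallback implements Callback {
        private X509Certificate[] chain;
        public X509Certificate[] getChain() { return chain; }
        public void setChain(X509Certificate[] c) { chain = c; }
    }

    // Principal holding the certificate's subject DN; an authorization map can key on getName().
    public static final class DnPrincipal implements Principal {
        private final String dn;
        public DnPrincipal(String dn) { this.dn = dn; }
        @Override public String getName() { return dn; }
        @Override public String toString() { return "DN[" + dn + "]"; }
    }

    // Hypothetical JAAS module. Chain trust was already checked by the TrustManager during the
    // handshake; here we only re-check validity and turn the leaf certificate into a Principal.
    public static final class X509CertificateLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private DnPrincipal principal;

        @Override public void initialize(Subject s, CallbackHandler h,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            subject = s;
            handler = h;
        }

        @Override public boolean login() throws LoginException {
            CertificateCallback cb = new CertificateCallback();
            try {
                handler.handle(new Callback[] { cb });
            } catch (Exception e) {
                throw new LoginException("could not obtain client certificate: " + e);
            }
            X509Certificate[] chain = cb.getChain();
            if (chain == null || chain.length == 0) {
                throw new FailedLoginException("no client certificate presented");
            }
            try {
                chain[0].checkValidity();   // reject an expired or not-yet-valid leaf
            } catch (CertificateException e) {
                throw new FailedLoginException("client certificate not valid: " + e.getMessage());
            }
            // RFC 2253 string form of the subject DN: a stable key for authorization maps
            principal = new DnPrincipal(chain[0].getSubjectX500Principal().getName());
            return true;
        }

        @Override public boolean commit() {
            if (principal == null) return false;
            subject.getPrincipals().add(principal);
            return true;
        }
        @Override public boolean abort() { principal = null; return true; }
        @Override public boolean logout() {
            subject.getPrincipals().remove(principal);
            principal = null;
            return true;
        }
    }

    // Builds the authenticated Subject for an SSL session whose handshake (with client auth
    // required) has completed. Drives the module directly for brevity; a deployment would go
    // through javax.security.auth.login.LoginContext and a JAAS configuration entry instead.
    public static Subject subjectFor(SSLSession session) throws LoginException {
        final Certificate[] peer;
        try {
            peer = session.getPeerCertificates();   // throws if no verified client chain exists
        } catch (SSLPeerUnverifiedException e) {
            throw new FailedLoginException("SSL peer not verified: " + e.getMessage());
        }
        final X509Certificate[] chain = new X509Certificate[peer.length];
        for (int i = 0; i < peer.length; i++) {
            if (!(peer[i] instanceof X509Certificate)) {
                throw new FailedLoginException("non-X.509 certificate in client chain");
            }
            chain[i] = (X509Certificate) peer[i];
        }
        // The handler closure is the transport-to-module bridge the thread's "temporary map" stands in for.
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof CertificateCallback) ((CertificateCallback) c).setChain(chain);
            }
        };
        Subject subject = new Subject();
        X509CertificateLoginModule module = new X509CertificateLoginModule();
        module.initialize(subject, handler, Map.of(), Map.of());
        if (!module.login() || !module.commit()) {
            module.abort();
            throw new FailedLoginException("certificate login failed");
        }
        return subject;
    }
}
```

The Subject returned by subjectFor is the object the thread proposes to attach to ConnectionInfo in place of a username or DN string; because the transport owns the SSLSession, it can call subjectFor at connection time and hand the result to the broker, so no shared directory of pending Subjects is needed. Note that the module does not re-validate the chain against a trust anchor: that is the TrustManager's job during the handshake, and getPeerCertificates() only returns a chain that the TrustManager accepted, so the module's added value is the validity re-check and the DN-to-Principal mapping that authorization maps consume.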