Gary Tully created ARTEMIS-5977:
-----------------------------------
Summary: JAAS login module that validates client id against subject principal
Key: ARTEMIS-5977
URL: https://issues.apache.org/jira/browse/ARTEMIS-5977
Project: Artemis
Issue Type: Improvement
Components: JAAS, MQTT
Affects Versions: 2.53.0
Reporter: Gary Tully
To add proof of possession, such that an authentication token or client cert is
pinned to a particular client, it is useful if the client id is validated.
Consider the mTLS external certificate login module, that grants permissions
based on the claims from SAN fields, and the identity from the CN. This could
be augmented to further restrict the access based on the clientId provided on
the connection, such that the cert is bound to a single clientId:
only grant access when the CN matches the clientId.
A secondary login module that just validates the client id provides a great way
to compose this solution.
It probably needs a regex match against the subjects, to deal with plain client
ids or values from cert CNs.
I wonder if it should also match a role principal?
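A sketch of the secondary login module described above, added here as an example and not code from the Artemis project or from the issue. It assumes a hypothetical ClientIdCallback through which the broker's callback handler hands over the connection's client id, and an assumed "pattern" option holding the regex whose first group extracts the expected client id from a principal name (for example the CN out of a certificate DN).

```java
import java.security.Principal;
import java.util.*;
import java.util.regex.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// Hypothetical callback: assumes the broker's CallbackHandler can fill in the connection's client id.
class ClientIdCallback implements Callback { String clientId; }
public class ClientIdMatchLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private Pattern extract;  // assumed option "pattern": regex whose group 1 yields the expected client id
    private String clientId;
    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        String p = (String) options.get("pattern");
        extract = p == null ? null : Pattern.compile(p);
    }
    // Match when the client id equals a principal name outright (plain user principal) or equals
    // group 1 of the regex applied to it (e.g. "CN=([^,]+),.*" over a certificate DN principal).
    static boolean clientIdMatches(String clientId, Set<Principal> principals, Pattern extract) {
        if (clientId == null || clientId.isEmpty()) return false;
        for (Principal p : principals) {
            if (clientId.equals(p.getName())) return true;
            if (extract != null) {
                Matcher m = extract.matcher(p.getName());
                if (m.matches() && clientId.equals(m.group(1))) return true;
            }
        }
        return false;
    }
    @Override public boolean login() throws LoginException {
        ClientIdCallback cb = new ClientIdCallback();
        try { handler.handle(new Callback[]{cb}); }
        catch (Exception e) { throw new LoginException("client id unavailable: " + e.getMessage()); }
        clientId = cb.clientId;
        return true;  // the decision is deferred to commit(), see below
    }
    // Earlier modules add their principals to the Subject in commit(), which runs before ours, so the
    // check lives here. getPrincipals() also returns role principals; narrow with getPrincipals(Class).
    @Override public boolean commit() throws LoginException {
        if (!clientIdMatches(clientId, subject.getPrincipals(), extract))
            throw new LoginException("client id '" + clientId + "' is not bound to an authenticated principal");
        return true;
    }
    @Override public boolean abort() { clientId = null; return true; }
    @Override public boolean logout() { clientId = null; return true; }
}
```

Because the check throws from commit(), a mismatch makes the LoginContext call abort() on every module in the chain, so the certificate module's principals never reach the session.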
--
This message was sent by Atlassian Jira
(v8.20.10#820010)