----- Original Message -----
From: "dferugson" <[EMAIL PROTECTED]>
To: "jBoss Developer" <[EMAIL PROTECTED]>
Sent: Monday, January 22, 2001 2:59 PM
Subject: Re: [jBoss-Dev] Detailed security HowTo committed
> This How To says to run the client with
> -Djava.security.auth.login.config=C:\jboss\client\auth.conf
>
> This assumes that jboss is installed on the client machine.
> If jBoss is on a different machine can I just provide an auth.conf for
> the client, or are there substantial other changes to make?
>
If JBoss is on a different machine you would need to bundle many of the files in
the jboss dist client directory in order for the client to access the server (e.g.,
jboss-client, jnp-client, ...). The login configuration file can be anywhere you want,
however, as the value of java.security.auth.login.config can be a URL. You simply need
the JBoss ClientLoginModule as part of the login config you use.
> Are there any implications to this JAAS stuff traveling over the wire,
> i.e. passwords etc?
>
Yes. Currently the user name and password are sent in the clear, so security is at the
same level as telnet or ftp unless you have managed to set up a secure connection to
JBoss.
By in the clear, I mean the values that you have set in the NameCallback and
PasswordCallback of your application CallbackHandler. If you are encrypting these in
some fashion then clear can be rather opaque.
Ideally though, it would be nice to enhance the login protocol to allow for stronger
per-connection establishment of client identity using techniques similar to HTTP digest
authentication or full-blown public key exchange. I think that you could do this yourself
by writing your own client side LoginModule and matching server side LoginModule.
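The following is an added illustration of the point made in the reply above, not code from the thread or from JBoss. It models the two login protocols being compared: the current one, where the NameCallback and PasswordCallback values cross the wire as-is, and a digest-style challenge-response in the spirit of HTTP digest authentication, where the client sends a keyed hash of a one-time server nonce and the password itself never leaves the client. The `Wire` recorder stands in for anyone watching the connection. The user store, message formats and function names are assumptions of the example; a real JBoss LoginModule pair would carry these messages over the server's own invocation path.

```python
"""Clear-text vs. challenge-response login. Constructed example: the user
store, message formats and function names are assumptions, not JBoss's own
protocol."""
import hashlib
import hmac
import secrets

# Constructed credential store: what the server knows about its users.
SERVER_USERS = {"alice": "s3cret"}


class Wire:
    """Records every message as an observer of the connection would see it."""

    def __init__(self):
        self.messages = []  # list of (sender, message dict)

    def send(self, sender, msg):
        self.messages.append((sender, dict(msg)))
        return msg

    def exposes(self, secret):
        """True if the literal secret appears in any captured message."""
        return any(secret in str(v) for _, m in self.messages for v in m.values())


def clear_text_login(username, password, wire):
    """The protocol the reply describes: callback values sent unchanged."""
    request = wire.send("client", {"name": username, "password": password})
    # Server side: direct comparison against the stored password.
    return SERVER_USERS.get(request["name"]) == request["password"]


def _digest(password, nonce, name):
    """HMAC-SHA256 keyed with the password over (nonce || name)."""
    return hmac.new(password.encode(), (nonce + name).encode(),
                    hashlib.sha256).hexdigest()


class DigestServer:
    """Server half of a digest-style login: issues one-time nonces and checks
    the client's HMAC without ever receiving the password."""

    def __init__(self, users):
        self.users = users
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"nonce": nonce}

    def verify(self, response):
        nonce = response["nonce"]
        if nonce not in self.outstanding:  # unknown nonce, or one already used
            return False
        self.outstanding.discard(nonce)    # single use, so a resend fails below
        password = self.users.get(response["name"])
        if password is None:
            return False
        expected = _digest(password, nonce, response["name"])
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(expected, response["digest"])


def digest_login(username, password, server, wire):
    """Client half: only the name, the nonce and a keyed hash cross the wire."""
    chal = wire.send("server", server.challenge())
    resp = wire.send("client", {
        "name": username,
        "nonce": chal["nonce"],
        "digest": _digest(password, chal["nonce"], username),
    })
    return server.verify(resp)


def resend_last_response(server, wire):
    """Defender's check that nonces are single use: submitting the client's
    last response a second time must be rejected."""
    last = [m for who, m in wire.messages if who == "client"][-1]
    return server.verify(last)


if __name__ == "__main__":
    w1 = Wire()
    print("clear-text login ok:", clear_text_login("alice", "s3cret", w1),
          "| password visible on wire:", w1.exposes("s3cret"))
    srv = DigestServer(SERVER_USERS)
    w2 = Wire()
    print("digest login ok:", digest_login("alice", "s3cret", srv, w2),
          "| password visible on wire:", w2.exposes("s3cret"))
    print("resent response accepted:", resend_last_response(srv, w2))
```

Two caveats follow from the design. The server still has to hold the password (or a key derived from it) to recompute the HMAC, which is the same trade-off HTTP digest authentication makes with its stored H(user:realm:password). And a challenge-response only protects the login itself; everything sent after it is as exposed as before, which is why the reply's mention of a secure connection to JBoss remains the stronger answer.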