Hi Wim,
On Thursday 25 January 2001 02:08, Wim De Clercq wrote:
> Would you use SSL with client authentication or would you use SSL
> only for confidentiality (and server authentication)? I assume you
> would not use SSL for authentication.
I don't know.
Do you recommend not to use SSL with client authentication?
Why?
You know, recently I was referred to as a "security guy", but frankly
speaking my knowledge in this area is rather poor.
> Also, I can see how you can use an x.509 certificate to *obtain* a
> credential, but I do not understand how it can be used as a
> credential. Getting a credential involves the use of the
> corresponding private key, no?
I mean that credential may contain any security related information,
this is how I understand the definition of credential in JAAS
specification.
> On the systems I have worked on, a SecurityService would hand out a
> token after password verification. The token contains the name of
> the user and an expiration time, all in encrypted form. This token
> is then sent with every request as part of the (IIOP) context
> information. The app server asks the SecurityService to verify the
> token for every operation. This verification only requires a
> decryption of the token to obtain the user name and expiration
> time. When the token is valid, a new token is made with a later
> expiration date and updated in the context.
> This approach is stateless and after a configurable period of user
> inactivity, the token becomes invalid and a new login is required.
> What do you think about this?
I think that it is a good approach.
In this case we should either turn off the "security cache" on the
server (which is easy) or make it time-limited (needs more work),
where the time limit is actually added to the expiration time,
but this allows us to avoid the requests to SecurityService on each
method call.
Of course, tokens should be passed as credentials in the usual way.
Do you think that it makes sense to implement all components of this
scheme in JBoss?
If I understand correctly, for that we need to implement the Security
Service and a pair of LoginModules (client and server).
Also we need a volunteer ;-)
Probably we should define Security Service API and make it pluggable.
Are there any standard APIs for that?
Any open source implementations?
Thank you for the good idea.
This is definitely a more advanced approach than the current one.
But SSL still would be useful for confidentiality of the data stream.
Regards,
Oleg
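The token scheme Wim describes above (user name plus expiration time, checked by the SecurityService on every call and re-issued with a later expiry when still valid), as an added example that is not from this thread or from JBoss. It uses an HMAC over the token instead of bare encryption so that a tampered token is rejected, not just unreadable; the key and the idle timeout are assumed values.

```python
import base64
import hashlib
import hmac
import json
import os
import time


class SecurityService:
    """Stateless token service: token = b64(payload) + "." + b64(HMAC(payload))."""

    def __init__(self, key, idle_timeout=900):
        self.key = key                    # server-side secret, never sent to clients
        self.idle_timeout = idle_timeout  # seconds of inactivity before re-login

    def issue(self, user, now=None):
        """Create a token carrying the user name and an absolute expiry time."""
        now = time.time() if now is None else now
        payload = json.dumps({"user": user, "exp": int(now) + self.idle_timeout}).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(payload).decode() + "."
                + base64.urlsafe_b64encode(mac).decode())

    def verify(self, token, now=None):
        """Return the user name for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        try:
            p_b64, m_b64 = token.split(".", 1)
            payload = base64.urlsafe_b64decode(p_b64)
            mac = base64.urlsafe_b64decode(m_b64)
        except ValueError:          # malformed token (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return None
        claims = json.loads(payload)
        if claims["exp"] <= now:                     # idle period elapsed
            return None
        return claims["user"]

    def verify_and_renew(self, token, now=None):
        """The per-request check: validate, then hand back a token with a later expiry."""
        user = self.verify(token, now)
        if user is None:
            return None
        return user, self.issue(user, now)


if __name__ == "__main__":
    svc = SecurityService(os.urandom(32), idle_timeout=600)
    first = svc.issue("wim")
    print(svc.verify_and_renew(first))
```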