> I tried to look at the documentation for how to set up a JAAS aware > client, and then looked somewhat into the proxy, jrmp and > SecurityInterceptor code, and guess what, it looks to mee as we are > sending both the principall and the credentials on every invokation, and > also does an authentication (although mostly against the cache) on every > invokation. Is this so? > Yes.
> If it is so, is this really good? > > - Sending a possible clear text password on every invokation? > - Having to digest the credentialls on every invokation? > This is the stateless web model. You either have to invoke transport level encryption, use finer grained encryption on the sensitive info, or use some opaque transient session key created using a public key exchange algorithm. Transport encryption can be expensive, or it can be free if you have a network that supports TLS at the ethernet card level like Intel does. > If I am wrong (I sort of hope I am), could anyone explain to me how the > principal is propagated over rmi from the client. > By infecting the smart proxy layer obtained from the JNDI home lookup with the credential information established by the JAAS login. > Hiram and I have sort of discussed saving a hashed key in the connection > token for JMS which could represent a principal, but would that be good > practice? > David and I have discussed using the JCA facilities for this. Security implementation has to move out of JBossMQ and into the security manager layer. If you want to maintain a usable security model independent of the JBoss server core, then we have to come up with a pluggable model that will work with security through JCA. Let's start discussing this. > For the JVM invoker (which is only ever used inside the same VM as > JBoss9, do you think it would be a good aproximation to say that a > connection and its child object will allways be accessed by the same > context classloader that created it (in that case we could use > ContextClassLocal - yes, same as for ThreadLocal, but with classloader > as hashkey instead)? To do what? _______________________________________________ Jboss-development mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-development
