On Jun 24, 2007, at 12:13 PM, Tero Mäntyvaara wrote:
David Jencks wrote:
Please send to only one list at a time, this is more appropriate for the user list.
I am really sorry, I will not do that again. :-/
On Jun 21, 2007, at 7:45 AM, Tero Mäntyvaara wrote:
Does latest G support secured (read encrypted) connection between server and client?
That depends on the protocol you want to use and possibly on the version of geronimo you want to use. I'll assume you are using geronimo 2.0 (trunk).
I was thinking the latest, so it will be then 2.0.
web/https -- yes
jaxrpc/jaxws/soap -- yes
ejb using corba -- yes
ejb using openejb proprietary protocol -- not turned on by default, and I'm not sure if you can turn it on without extra programming.
I was planning to use encrypted connection between remote EJB-component and Java-application. So my alternatives are CORBA and openEJB. I would like to use this J2EE compliant CORBA-connection. How has this en-/decryption been accomplished then?
It's not clear to me if your java-application is the client or server here, nor if it is running in a javaee container. I'm going to assume that it is the client and is either a javaee client application running in geronimo app client container or another javaee application. It's possible to use corba from a non-javaee application but you have to set up quite a bit of configuration in code.
I would start by looking at the examples in <geronimo server trunk>/testsuite/corba-testsuite. These are all set up to use no security, but you can see which objects you need to configure. On the server side you need a TSSBeanGBean that specifies the required and allowed security properties to use the server ejb, and on the client side there's a corresponding CSSBeanGBean that specifies what the client is willing to supply.
There are a lot of choices. There are 3 layers involved.
- transport layer. You can specify unprotected, ssl, or ssl with client certificate. IIRC the client certificate can be used to identify the client.
- AS layer (Application Security??? I can't remember what it stands for). At this layer you can specify that the client will identify itself using username/password. (GSSUP)
- SAS layer (Security Attribute Service). If the client is working on behalf of a user other than the user who is running the client itself (for instance if it is a server), you can propagate the actual user identity using an identity token. However the user will not be reauthenticated on the server: the server will trust that the client has already performed proper authentication. Note that this is reasonable if e.g. you have authenticated the client via a trusted client certificate and are using ssl transport.
There are some schemas for the css and tss bean configurations, corba-css-config-2.1.xsd and corba-tss-config-2.1.xsd. If you have trouble figuring out what to specify, tell us what options you want and we'll try to help come up with an appropriate configuration.
thanks
david jencks
Tero Mäntyvaara
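Added illustration, not part of the thread above and not taken from the Geronimo project's corba-testsuite: a pair of config fragments sketching how the three layers David describes map onto a server-side tss block and a client-side css block for the case Tero asked about (encrypted CORBA between a remote EJB and a client), with the transport layer requiring SSL integrity and confidentiality and the AS layer requiring a GSSUP username/password. Element names and namespaces are written from memory of the corba-tss-config-2.1 and corba-css-config-2.1 schemas the thread mentions and are assumptions; the port, hostname, username, password and realm name are constructed placeholders. Validate the result against the two .xsd files before use.

```xml
<!-- Server side (TSS): what the target EJB REQUIRES of every caller.
     Element names assumed from corba-tss-config-2.1.xsd; check against the schema. -->
<tss:tss xmlns:tss="http://openejb.apache.org/xml/ns/corba-tss-config-2.1">
    <!-- Transport layer: listen only on SSL; a plain IIOP connection is rejected
         because Integrity and Confidentiality are listed under "requires". -->
    <tss:SSL port="6685" hostname="localhost">  <!-- placeholder port/host -->
        <tss:supports>Integrity Confidentiality EstablishTrustInTarget EstablishTrustInClient</tss:supports>
        <tss:requires>Integrity Confidentiality</tss:requires>
    </tss:SSL>
    <tss:compoundSecMechTypeList>
        <tss:compoundSecMech>
            <!-- AS layer: caller must present a username/password (GSSUP);
                 required="true" makes an anonymous caller fail. -->
            <tss:GSSUP required="true"/>
            <!-- SAS layer: identity tokens are accepted but not required. The server
                 trusts the propagated identity without re-authenticating it, which is
                 why this should only be combined with a trusted transport/AS layer. -->
            <tss:sasMech>
                <tss:identityTokenTypes>
                    <tss:ITTAbsent/>
                </tss:identityTokenTypes>
            </tss:sasMech>
        </tss:compoundSecMech>
    </tss:compoundSecMechTypeList>
</tss:tss>

<!-- Client side (CSS): what this client is WILLING to supply; it must cover
     everything the server requires above.
     Element names assumed from corba-css-config-2.1.xsd; check against the schema. -->
<css:css xmlns:css="http://openejb.apache.org/xml/ns/corba-css-config-2.1">
    <css:compoundSecMechTypeList>
        <css:compoundSecMech>
            <!-- Transport layer: client will only talk over SSL. -->
            <css:SSL>
                <css:supports>Integrity Confidentiality EstablishTrustInTarget</css:supports>
                <css:requires>Integrity Confidentiality</css:requires>
            </css:SSL>
            <!-- AS layer: static credentials sent as a GSSUP token.
                 Placeholder values; in a deployment these come from a protected source. -->
            <css:GSSUPStatic username="ejb-client" password="CHANGE-ME" domain="geronimo-properties-realm"/>
            <!-- SAS layer: no identity propagation from this client. -->
            <css:sasMech>
                <css:identityTokenTypes>
                    <css:ITTAbsent/>
                </css:identityTokenTypes>
            </css:sasMech>
        </css:compoundSecMech>
    </css:compoundSecMechTypeList>
</css:css>
```

The important check when reading such a pair is that every item in the server's `requires` lists appears in the client's `supports` lists, and that GSSUP being required on the server is matched by a GSSUP credential on the client; a mismatch at any of the three layers surfaces as a rejected connection rather than a silently weaker one.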