Thank you Jeff: To be clear, the difficulty is primarily when *independent* programs access a single keystore (typical is Federated Identity Systems).

1. For access within a single application, your approach sounds good. Of course, threading will be an issue so a singleton style lock will be necessary while updating the keystore.
2. Agreed

--andy

Jeff Greif wrote:
> Various higher-performance alternatives:
>
> 1. Make keystore changes through a servlet or web service, which
> notifies the authentication machinery as well as writing the file.
> The notification could contain the new cert or the deleted user-id so
> the file need not be re-read.
>
> 2. If you know you're not going to delete authorized clients, check
> for a changed keystore only on authentication failure, rather than on
> every request.
>
> Jeff
>
> On 1/23/07, Andy McMurry <[EMAIL PROTECTED]> wrote:
>> FYI: We looked into dynamic keystore loading, it is quite difficult to
>> do at well defined intervals.
>> IMHO, reloading the keystore before each query is algorithmically
>> expensive.
>>
>> --andy
>>
>> Ruchith Fernando wrote:
>> > Hi,
>> >
>> > I'm not sure whether we can integrate this as a part of the standard
>> > impl. If we try to do this we will have to keep reloading the keystore
>> > each time before we query it.
>> >
>> > You can always extend Merlin to create your own implementation with
>> > the additional functionality. :-)
>> >
>> > Thanks,
>> > Ruchith
>> >
>> > On 1/20/07, José Ventura <[EMAIL PROTECTED]> wrote:
>> >> I got wss4j to work with encryption and signatures. My client knows the
>> >> server's public certificate. My server knows the client's public
>> >> certificate, and will reject requests originating from non-trusted
>> >> clients.
>> >>
>> >> However I want to dynamically add more clients -- I was thinking of using
>> >> the Java keystore API to read the keystore file, insert a new certificate
>> >> programmatically, and then write it back. This way I'd be able to accept
>> >> requests from other clients as long as I add their certificates
>> >> "pseudo-manually" (upload the certificate through an html form, so that the
>> >> operator does not need shell access to the server).
>> >>
>> >> I didn't want to have to restart the server for that, though... and, looking
>> >> at the Merlin and AbstractCrypto code, it seems they only ever read the
>> >> keystore file upon instantiation. Has anyone thought of a "reload" method
>> >> that would cause them to read the file again?
>> >>
>> >> Any suggestions are welcome!
>> >>
>> >> []'s

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
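A Java sketch of the reload-on-miss approach discussed in this thread, combining Andy's single lock around the update with Jeff's option 2 (check the file only after a trust lookup fails). This is an added example, not code from the wss4j list or from Merlin; it uses only the standard java.security.KeyStore API and assumes a JKS file path and password supplied by the caller. Wiring it into a Merlin extension, as Ruchith suggests, is not shown.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Reloads a JKS trust store when its file changes; readers always see a complete snapshot. */
public final class ReloadableTrustStore {
    private final Path file;          // assumed: path to the trust store on disk
    private final char[] password;    // assumed: store password supplied by the caller
    private volatile KeyStore current; // never mutated after publication, only replaced
    private long lastModified = -1;   // guarded by the instance lock

    public ReloadableTrustStore(Path file, char[] password) throws Exception {
        this.file = file;
        this.password = password;
        reloadIfChanged();
    }

    /** One lock around the reload: concurrent callers neither load the file twice nor publish a half-loaded store. */
    public synchronized boolean reloadIfChanged() throws Exception {
        long mtime = Files.getLastModifiedTime(file).toMillis();
        if (mtime == lastModified) return false;
        KeyStore fresh = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            fresh.load(in, password); // load fully before swapping the reference
        }
        current = fresh;
        lastModified = mtime;
        return true;
    }

    private static boolean contains(KeyStore ks, X509Certificate cert) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (cert.equals(ks.getCertificate(e.nextElement()))) return true;
        }
        return false;
    }

    /** Cheap path first; only an unknown certificate pays for the file stat and reload. */
    public boolean isTrusted(X509Certificate cert) throws Exception {
        if (contains(current, cert)) return true;
        reloadIfChanged();
        return contains(current, cert);
    }
}
```

As Jeff notes, this only works for additions: a certificate removed from the file stays trusted in the cached snapshot until some other lookup misses and triggers a reload, so deletions need the notification route (option 1) or a periodic reloadIfChanged() call.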
