From: <sco...@jb...> - 2006-01-20 22:11:45
So in looking at a request to be able to use the ssl client cert as the caller identity for an ejb, as can be done for CLIENT_CERT authentication in the web tier, the current detached invoker framework is too detached from the transport to be able to do this. For the JRMP implementation I have no access to the underlying socket (at least that I have been able to find via standard interfaces), and thus have no ability to interact with the ssl session to obtain the session id, client cert, etc.

I have modified our pooled invoker to add the ssl session id to each invocation because there we do have access to the socket. A custom ssl client/server socket factory provides a mapping between the session id and the ssl certs, and a server side interceptor would have to pick this up as the caller identity for authentication via the JAAS layer.

The general issue is that there needs to be some hook for transport metadata to be added to the invocation payload. Once I complete the pooled invoker changes and add a testcase, I need this ported to the remoting framework as an ejb3 testcase to validate we can support this. More generally, do we have a hook for being able to push transport metadata to the message invocation payload?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3918767#3918767
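The session-id-to-certificate mapping described in the post could look like the following. This is an added sketch using only standard JSSE calls, not code from the post or from JBoss; the class `SslSessionCertRegistry` and its method names are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Hypothetical registry: SSL session id -> client certificate chain verified by the handshake. */
public final class SslSessionCertRegistry {
    private final Map<String, Certificate[]> chains = new ConcurrentHashMap<>();

    /**
     * Called by the server socket factory for each accepted socket.
     * Returns the session id the invoker attaches to the invocation as transport metadata.
     */
    public byte[] register(SSLSocket socket) throws IOException {
        socket.startHandshake();              // synchronous for the initial handshake
        SSLSession session = socket.getSession();
        byte[] id = session.getId();
        try {
            chains.put(hex(id), session.getPeerCertificates());
        } catch (SSLPeerUnverifiedException e) {
            chains.remove(hex(id));           // no client cert: never leave a stale identity behind
        }
        return id;
    }

    /** Called by the server side interceptor; null means no certificate-backed caller identity. */
    public Principal callerFor(byte[] sessionId) {
        Certificate[] chain = chains.get(hex(sessionId));
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return null;
        }
        return ((X509Certificate) chain[0]).getSubjectX500Principal();
    }

    /** Drop the mapping when the connection closes or the session is invalidated. */
    public void forget(byte[] sessionId) {
        chains.remove(hex(sessionId));
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

The interceptor should pass in the session id that the server-side transport attached from its own socket, not a value carried in from the client, since the lookup result becomes the authenticated caller.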