Menu
▾
▴
RE: [Openjmx-devel] RMI Adaptor client authentication
|
From: Bordet, S. <Sim...@co...> - 2002-02-11 09:57:22
|
Hi, > > One can think that the same should be required for the RMI=20 > adaptor as well, > > but there is no standard here like there is for HTTP. So it=20 > must be done > > via API, for example via an RMIConnector.login() method.=20 > But here it opens > > up a wide hole, since I may want to pass in user name and=20 > password, a X509 > > certificate, and so on. Furthermore it should be done with JAAS. > What about a login(username, password) RMI method, that will=20 > go with SSL and=20 > will be therfore protected.=20 Yes, I was thinking at login(username, password), but it cannot go over = SSL on this one only, unless providing another remote object that act as = authenticator (which may be a good choice).=20 Once you export the RMI adaptor, either you export it over SSL or not. = You cannot have some method yes and some no. > However, I think the best bet is=20 > to use client=20 > authentication with certificates since that should be=20 > transparent and handled=20 > at the SSL Factory level Yes, exactly. But it is really damn slow.=20 So I guess 95% of users would like to have a weak authentication only to = keep out curioses (of course hackers will access eventually, but if = there are hackers around I will go full SSL). So I send user and password in clear, not even base64, just plain text. > Do you want to use JAAS to implement MBeanServer wide=20 > authentication, that=20 > every adaptor will use? That would be the desiderata, but it is not so simple, since I should = have callbacks on client and authentication on server... JAAS is a very base framework, you have to build something around it in = every case. The goal is to build something extendible, powerful, = reusable, simple and fast around JAAS for our Adaptors ;) Anyhow we can go 1.0 and think more about that for 1.1. Simon |
