JavaRanch » Java Forums » Engineering » Security

Security in heterogeneous environment?

kapil Gupta
Ranch Hand

Joined: Dec 17, 2001
Posts: 89
Hi,
I am building my Spring-based server application in Java, and its client could be a .NET client, an RMI client or a Web service. I would like to authenticate the client before it makes calls to my APIs. Which security mechanism should I use in this kind of heterogeneous environment?
Thanks,
Kapil
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41125
Have a look at JAAS. It's fairly involved, but independent of any access mechanism, which is what you need given the different protocols in use.


Ping & DNS - my free Android networking tools app
kapil Gupta
Ranch Hand

Joined: Dec 17, 2001
Posts: 89
I have some knowledge of JAAS but don't have any idea about how to propagate the security context from the RMI client to the server on each API call. I searched on the net but couldn't find any example where JAAS is used for RMI clients in a standalone application (without an application server).
Thanks,
Kapil
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41125
In your case JAAS would only be used on the server (not on the client), on the layer where the access modalities (RMI, .NET, WS) no longer matter. Somewhere in your client calls you'll need to incorporate authentication information (most likely username and password). How those are transferred depends on which of the access methods is used. Extract that information, and then use JAAS to deal with it.

Or, instead of using JAAS, compare it to wherever you store user information (DB, LDAP, ...) directly.
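The server-side layer Ulf describes, as an added example (this is not code from Ulf's post or from Kapil's project): a JAAS LoginModule wired up with a programmatic Configuration so no login.config file is needed, one transport-neutral authenticate() method that turns raw credentials into a Subject, and an RMI interface that carries the username and password on every call because plain RMI has no session. The user store, the OrderService interface and the "alice"/"s3cret" credentials are all invented for the example.

```java
import java.io.IOException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Transport-independent server-side authentication using JAAS (example, not production code). */
public class ServerAuth {

    /** Hypothetical in-memory user store; a real server would consult a DB or LDAP and compare password hashes. */
    static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("alice", "s3cret".toCharArray()); }

    /** Principal added to the Subject once login succeeds. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Minimal LoginModule: asks its CallbackHandler for name and password, checks them against USERS. */
    public static class InMemoryLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean ok;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            char[] expected = USERS.get(nc.getName());
            ok = expected != null && pc.getPassword() != null && Arrays.equals(expected, pc.getPassword());
            pc.clearPassword();                 // do not keep the password around longer than needed
            if (!ok) throw new LoginException("bad credentials");
            user = nc.getName();
            return true;
        }
        public boolean commit() { if (ok) subject.getPrincipals().add(new UserPrincipal(user)); return ok; }
        public boolean abort()  { ok = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic JAAS Configuration: one REQUIRED module, whatever application name is asked for. */
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(InMemoryLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };

    /** The layer where RMI, .NET and web-service requests all end up: raw credentials in, Subject out. */
    public static Subject authenticate(String user, char[] password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("server", null, h, CONFIG);
        lc.login();                             // throws LoginException on failure
        return lc.getSubject();
    }

    /** RMI transport: credentials travel with each call. Export with UnicastRemoteObject to serve real clients. */
    public interface OrderService extends Remote {
        String placeOrder(String user, char[] password, String item) throws RemoteException;
    }

    public static class OrderServiceImpl implements OrderService {
        public String placeOrder(String user, char[] password, String item) throws RemoteException {
            final Subject s;
            try { s = authenticate(user, password); }
            catch (LoginException e) { throw new RemoteException("authentication failed", e); }
            String who = s.getPrincipals(UserPrincipal.class).iterator().next().getName();
            // Business logic runs with the Subject attached; from here on the transport no longer matters.
            return Subject.doAs(s, (PrivilegedAction<String>) () -> "order for " + item + " placed by " + who);
        }
    }

    public static void main(String[] args) throws Exception {
        OrderServiceImpl svc = new OrderServiceImpl();
        System.out.println(svc.placeOrder("alice", "s3cret".toCharArray(), "widget"));
        try { svc.placeOrder("alice", "wrong".toCharArray(), "widget"); }
        catch (RemoteException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A .NET or web-service front end would call the same authenticate() after pulling the username and password out of its own transport (SOAP header, HTTP Basic, and so on). Sending a password on every RMI call is only acceptable if the RMI connection itself is protected, for example with SslRMIClientSocketFactory and SslRMIServerSocketFactory; over plain RMI the password is readable on the wire.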
Srikanth Shenoy
author
Ranch Hand

Joined: Jan 24, 2004
Posts: 184
Originally posted by kapil Gupta:
I have some knowledge of JAAS but don't have any idea about how to propagate the security context from the RMI client to the server on each API call. I searched on the net but couldn't find any example where JAAS is used for RMI clients in a standalone application (without an application server).
Thanks,
Kapil


It looks like the client is a "machine" impersonating somebody else.

If it is a machine, the generic "standardized" mechanism that works across all three technologies that you mention is certificate-based authentication. (Kerberos tokens also work across all three.)

Irrespective of the mechanism used for authentication, JAAS can be used on the server as indicated by Ulf.

But if you are deploying the "server" app in an app server, then don't expect JAAS to be very compatible... Until now JAAS is a J2SE mechanism, and until JSR 196 gets through, JAAS support within app servers is going to be flaky...
Also remember that the app server itself is a J2SE application and is probably using JAAS or proprietary mechanisms to attach a "Subject" to the running thread, just like JAAS does - and the two have conflicts.

Oh, and by the way....
You threw me off track with that "security context propagation" thing there.
If it is a machine, does that mean your RMI client is already authenticated to somebody else and is now trying to use your server?
Is your "RMI client" really EJBs in another app server?
If that is the case, then the "security context propagation" is standardized through the CSIv2 specification - originally through the OMG, and mandatory for J2EE 1.3 app servers implementing EJBs.

However, CSIv2 is not supported in the MS and .NET world.

In other words, you have a bunch of choices :-)
[ August 22, 2006: Message edited by: Srikanth Shenoy ]

Srikanth Shenoy
Author of Struts Survival Guide : Basics to Best Practices
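The certificate-based option Srikanth mentions, as an added example (not code from his post or from Kapil's project): mutual TLS in plain Java, where the server requires a client certificate during the handshake and then reads the verified subject DN from the session as the caller's identity. A .NET or web-service client presenting the same certificate is authenticated the same way, which is why this mechanism works across all three transports. The keystore paths, the password "changeit" and the single-request server are assumptions made for the example; the DN obtained here is what you would hand to the server-side JAAS or authorization layer.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;

/** Client-certificate (mutual TLS) authentication; the identity comes from the handshake, not from a typed password. */
public class MutualTlsAuth {

    /** Builds an SSLContext from a PKCS12 keystore (own key + cert) and a truststore (accepted issuers). */
    static SSLContext context(String keystorePath, String truststorePath, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keystorePath)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(truststorePath)) { ts.load(in, pw); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server side: accept one connection and answer with the authenticated client DN. */
    static void serveOne(SSLServerSocket ss) throws IOException {
        try (SSLSocket s = (SSLSocket) ss.accept()) {
            s.startHandshake();
            // getPeerPrincipal() throws SSLPeerUnverifiedException if no trusted client certificate was presented.
            X500Principal peer = (X500Principal) s.getSession().getPeerPrincipal();
            String caller = peer.getName(X500Principal.RFC2253);
            // Authorization belongs here: map the DN to roles, or feed it to a JAAS LoginModule on the server.
            PrintWriter out = new PrintWriter(s.getOutputStream(), true);
            out.println("authenticated as " + caller);
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical keystore files; see the note below for creating them with keytool.
        char[] pw = "changeit".toCharArray();
        SSLContext serverCtx = context("server.p12", "truststore.p12", pw);
        SSLContext clientCtx = context("client.p12", "truststore.p12", pw);

        SSLServerSocket ss = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0);
        ss.setNeedClientAuth(true);   // without this the handshake succeeds with no client identity at all
        Thread server = new Thread(() -> {
            try { serveOne(ss); } catch (IOException e) { System.err.println("server: " + e); }
        });
        server.start();

        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory().createSocket("localhost", ss.getLocalPort())) {
            c.startHandshake();       // the client's certificate from client.p12 is sent during this handshake
            BufferedReader in = new BufferedReader(new InputStreamReader(c.getInputStream()));
            System.out.println("server said: " + in.readLine());
        }
        server.join();
        ss.close();
    }
}
```

To try it, create server.p12 and client.p12 with keytool -genkeypair -storetype PKCS12, export each certificate with keytool -exportcert and import both into truststore.p12 with keytool -importcert. Two caveats a practitioner should not skip: the server must call setNeedClientAuth(true) (setWantClientAuth only makes the certificate optional), and a real client should enable hostname verification with SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") so it does not accept any certificate the truststore happens to trust.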