Hi, I am building my Spring-based server application in Java, and its client could be a .NET client, an RMI client or a web service. I would like to authenticate the client before it makes calls to my APIs. Which security mechanism should I use in this kind of heterogeneous environment? Thanks, Kapil
I have some knowledge of JAAS but don't have any idea about how to propagate the security context from the RMI client to the server on each API call. I searched on the net but couldn't find any example where JAAS is used for RMI clients in a standalone application (without an application server). Thanks, Kapil
In your case JAAS would only be used on the server (not on the client), on the layer where the access modalities (RMI, .NET, WS) no longer matter. Somewhere in your client calls you'll need to incorporate authentication information (most likely username and password). How those are transferred depends on which of the access methods is used. Extract that information, and then use JAAS to deal with it.
Or, instead of using JAAS, compare it to wherever you store user information (DB, LDAP, ...) directly.
Originally posted by Kapil Gupta: I have some knowledge of JAAS but don't have any idea about how to propagate the security context from the RMI client to the server on each API call. I searched on the net but couldn't find any example where JAAS is used for RMI clients in a standalone application (without an application server). Thanks, Kapil
It looks like the client is a "machine" impersonating somebody else.
If it is a machine, the generic "standardized" mechanism that works across all three technologies that you mention is certificate-based authentication. (Kerberos tokens also work across all three.)
Irrespective of any mechanism for authentication, JAAS can be used on the server as indicated by Ulf.
But if you are deploying the "server" app in an app server, then don't expect JAAS to be very compatible... Until now JAAS is a J2SE mechanism, and until JSR 196 gets through, JAAS support within app servers is going to be flaky... Also remember that the app server itself is a J2SE application and is probably using JAAS or proprietary mechanisms to attach a "Subject" to the running thread, just like JAAS does, and the two have conflicts.
Oh, and by the way... You threw me off track with that "security context propagation" thing there. If it is a machine, does that mean your RMI client is already authenticated to somebody else and is now trying to use your server? Is your "RMI client" really EJBs in another app server? If that is the case, then the "security context propagation" is standardized through the CSIv2 specification, originally through the OMG, and is mandatory for J2EE 1.3 app servers implementing EJBs.
However, CSIv2 is not supported in the MS and .NET world.
In other words, you have a bunch of choices :-) [ August 22, 2006: Message edited by: Srikanth Shenoy ]