Security in heterogeneous environment?

 
Ranch Hand
Posts: 89
Hi,
I am building my Spring-based server application in Java, and its clients could be a .NET client, an RMI client or a web service. I would like to authenticate the client before it makes calls to my APIs. Which security mechanism should I use in this kind of heterogeneous environment?
Thanks,
Kapil
 
Rancher
Posts: 43081
77
Have a look at JAAS. It's fairly involved, but independent of any access mechanism, which is what you need given the different protocols in use.
 
kapil Gupta
Ranch Hand
Posts: 89
I have some knowledge of JAAS but don't have any idea about how to propagate the security context from the RMI client to the server on each API call. I searched on the net but couldn't find any example where JAAS is used for RMI clients in a standalone application (without an application server).
Thanks,
Kapil
 
Ulf Dittmer
Rancher
Posts: 43081
77
In your case JAAS would only be used on the server (not on the client), on the layer where the access modalities (RMI, .Net, WS) no longer matter. Somewhere in your client calls you'll need to incorporate authentication information (most likely username and password). How those are transferred depends on which of the access methods is used. Extract that information, and then use JAAS to deal with it.

Or, instead of using JAAS, compare it to wherever you store user information (DB, LDAP, ...) directly.
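The server-side arrangement described above, as an added example that is not code from the thread: each transport adapter (RMI, web service, .NET) extracts the user name and password its own way and hands them to one JAAS entry point, and the JAAS Configuration is set programmatically so the standalone server needs neither a jaas.conf file nor an app server. The class names, the "server-api" login-context name and the in-memory user table are all assumptions; a real deployment would replace the lookup with its DB or LDAP check and compare hashed credentials.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
/** Transport-neutral entry point: each adapter (RMI, web service, .NET) extracts
 *  user name and password from its own protocol and hands them to this class. */
public final class ServerAuthenticator {
    static final String APP = "server-api";   // hypothetical login-context name
    // Programmatic JAAS Configuration: no jaas.conf file and no app server needed.
    static {
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!APP.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(PasswordMapLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
    }
    /** Runs the JAAS login; returns the authenticated Subject or throws LoginException. */
    public static Subject authenticate(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            }
        };
        LoginContext lc = new LoginContext(APP, handler);
        lc.login();                  // throws FailedLoginException on bad credentials
        return lc.getSubject();      // carries the user's Principal for later authorization checks
    }
    /** Hypothetical credential store: swap the USERS lookup for the real DB/LDAP check. */
    public static final class PasswordMapLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray()); // constructed sample
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException(e.toString()); }
            char[] expected = USERS.get(nc.getName());
            if (expected == null || !Arrays.equals(expected, pc.getPassword())) throw new FailedLoginException("bad credentials");
            user = nc.getName(); pc.clearPassword(); return true;   // wipe the password copy once checked
        }
        public boolean commit() { subject.getPrincipals().add((Principal) () -> user); return true; }
        public boolean abort()  { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
}
```

Because the Configuration is installed once in a static initializer, every transport adapter in the same JVM shares the same login rules, which is the point of pushing authentication below the RMI/WS/.NET layer.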
 
author
Posts: 184
Originally posted by kapil Gupta:
I have some knowledge of JAAS but don't have any idea about how to propagate the security context from the RMI client to the server on each API call. I searched on the net but couldn't find any example where JAAS is used for RMI clients in a standalone application (without an application server).
Thanks,
Kapil

It looks like the client is a "machine" impersonating somebody else.

If it is a machine, the generic "standardized" mechanism that works across all the three technologies that you mention is certificate based authentication. (Kerberos tokens also work across all three)

Irrespective of any mechanism for authentication, JAAS can be used on the server as indicated by Ulf.

But if you are deploying the "server" app in an app server, then don't expect JAAS to be very compatible... Until now JAAS is a J2SE mechanism, and until JSR 196 gets through, JAAS support within app servers is going to be flaky...
Also remember that the app server itself is a J2SE application and is probably using JAAS or proprietary mechanisms to attach a "Subject" to the running thread, just like JAAS does - and the two have conflicts.

Oh and by the way....
You threw me off track with that "security context propagation" thing there.
If it is a machine does that mean your RMI client is already authenticated to somebody else and is now trying to use your server?
Is your "RMI client" really EJBs in another app server?
If that is the case, then the "security context propagation" is standardized through the CSIv2 specification - originally through the OMG and mandatory from J2EE 1.3 app servers implementing EJBs.

However CSIv2 is not supported in MS and .NET world.

In other words, you have a bunch of choices :-)
[ August 22, 2006: Message edited by: Srikanth Shenoy ]
 