[JBoss JIRA] Created: (JBREM-902) InvocationRequest need SSLSession for certificates and principal in sslsocket transport
11:31 p.m.
InvocationRequest need SSLSession for certificates and principal in sslsocket transport
---------------------------------------------------------------------------------------
Key: JBREM-902
URL: http://jira.jboss.com/jira/browse/JBREM-902
Project: JBoss Remoting
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: security
Reporter: ya xiang
In a SSL context, there is a real need for check principal and certificates.
There are ways to do this, but current jboss remoting not provide it, just provider socket
remote address as sessionId. seems not enough.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:39 p.m.
New subject: [JBoss JIRA] Resolved: (JBREM-902) InvocationRequest need SSLSession for certificates and principal in sslsocket transport
[ http://jira.jboss.com/jira/browse/JBREM-902?page=all ]
ya xiang resolved JBREM-902.
----------------------------
Resolution: Done
I checkouted sessionId and requestPalyload, and think it's safe processing in later.
So I patch this code:
676:
- if (req.getRequestPayload() == null)
- req.setRequestPayload(new HashMap());
- req.getRequestPayload().put(Remoting.CLIENT_ADDRESS, clientAddress);
+++
try
{
// Make absolutely sure thread interrupted is cleared.
Thread.interrupted();
if(trace) { log.trace("about to call " + invoker +
".invoke()"); }
Map payload = req.getRequestPayload();
if (payload == null) {
payload = new HashMap();
req.setRequestPayload(payload);
}
payload.put(Remoting.CLIENT_ADDRESS, clientAddress);
if (socketWrapper.socket instanceof SSLSocket)
payload.put("SSLSession", ((SSLSocket)
socketWrapper.getSocket()).getSession());
// call transport on the subclass, get the result to handback
resp = invoker.invoke(req);
if(trace) { log.trace(invoker + ".invoke() returned " + resp); }
}
catch (Throwable ex)
{
resp = ex;
isError = true;
if (trace) log.trace(invoker + ".invoke() call failed", ex);
}finally{
req.getRequestPayload().remove("SSLSession");
}
And in server invoker handlers, maybe write this code:
public Object invoke(InvocationRequest invocation) throws Throwable {
SSLSession session=
(SSLSession)invocation.getRequestPayload().get("SSLSession");
System.out.println(session);
System.out.println(session.getPeerPrincipal());
return "success";
}
I run an example, seem to work fine.
Cheers.
InvocationRequest need SSLSession for certificates and principal in
sslsocket transport
---------------------------------------------------------------------------------------
Key: JBREM-902
URL: http://jira.jboss.com/jira/browse/JBREM-902
Project: JBoss Remoting
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: security
Reporter: ya xiang
In a SSL context, there is a real need for check principal and certificates.
There are ways to do this, but current jboss remoting not provide it, just provider
socket remote address as sessionId. seems not enough.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:54 p.m.
New subject: [JBoss JIRA] Reopened: (JBREM-902) InvocationRequest need SSLSession for certificates and principal in sslsocket transport
[ http://jira.jboss.com/jira/browse/JBREM-902?page=all ]
ya xiang reopened JBREM-902:
----------------------------
But this solution not take care of SSLSession propagating, for instance, how to get it
from a POJO service object.
Before, In RMI over SSL, I got the SSLSession by this way:
ids=SSLContext.getDefault().getIds()
session=pseudoIds.find(getRemoteClientAddress())
In fact, In Remoting case, the means is still available.
And more, Remoting seems more flex, so in POJO senario, the sesssion have to be save for
using later.
So I think a ThreadLocal<SSLSession> static memeber and method getSession not a bad
idea.
InvocationRequest need SSLSession for certificates and principal in
sslsocket transport
---------------------------------------------------------------------------------------
Key: JBREM-902
URL: http://jira.jboss.com/jira/browse/JBREM-902
Project: JBoss Remoting
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: security
Reporter: ya xiang
In a SSL context, there is a real need for check principal and certificates.
There are ways to do this, but current jboss remoting not provide it, just provider
socket remote address as sessionId. seems not enough.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:12 p.m.
New subject: [JBoss JIRA] Closed: (JBREM-902) InvocationRequest need SSLSession for certificates and principal in sslsocket transport
[ http://jira.jboss.com/jira/browse/JBREM-902?page=all ]
ya xiang closed JBREM-902.
--------------------------
Resolution: Done
@see http://jira.jboss.com/jira/browse/JBAS-2778(jboss AS)
which use HandshakeCompletedListener for this case. of cause can accept it. why not?:)
InvocationRequest need SSLSession for certificates and principal in
sslsocket transport
---------------------------------------------------------------------------------------
Key: JBREM-902
URL: http://jira.jboss.com/jira/browse/JBREM-902
Project: JBoss Remoting
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: security
Reporter: ya xiang
In a SSL context, there is a real need for check principal and certificates.
There are ways to do this, but current jboss remoting not provide it, just provider
socket remote address as sessionId. seems not enough.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:15 a.m.
New subject: [JBoss JIRA] Reopened: (JBREM-902) InvocationRequest need SSLSession for certificates and principal in sslsocket transport
[ http://jira.jboss.com/jira/browse/JBREM-902?page=all ]
ya xiang reopened JBREM-902:
----------------------------
indeed, the handshakelistener style process not fit some case. especial future in NIO
transports case.
As I before mentioned, we can search the ssl session id by client address, this function
provided by
http://jira.jboss.com/jira/browse/JBREM-758
But in Pojo case, maybe you don't want to pass the arguments to implementation, like
this:
void doService(ClientAddress, otherBizArguments), BTW, ICE use this style. most equivent
to
void doSevice(RequestPayload, otherBizArguments);
OK, In pojo: we just do it like this:
void doService(BizArguments);
so if need client credientals, we must handle it at invoker class and and find seesionid
and then put it to threadlocal.
so I advice, just do it and server thread, put ssl session to threadlocal, and set it
defualt as default behaviour, (jbossAS use it too). OK, if someone not need it, just
config it like CLIENT_ADDRESS configing.
InvocationRequest need SSLSession for certificates and principal in
sslsocket transport
---------------------------------------------------------------------------------------
Key: JBREM-902
URL: http://jira.jboss.com/jira/browse/JBREM-902
Project: JBoss Remoting
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: security
Reporter: ya xiang
In a SSL context, there is a real need for check principal and certificates.
There are ways to do this, but current jboss remoting not provide it, just provider
socket remote address as sessionId. seems not enough.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:08 a.m.
New subject: [JBoss JIRA] (JBREM-902) InvocationRequest need SSLSession for certificates and principal in sslsocket transport
[
https://issues.jboss.org/browse/JBREM-902?page=com.atlassian.jira.plugin....
]
Ron Sigal closed JBREM-902.
---------------------------
Resolution: Rejected
InvocationRequest need SSLSession for certificates and principal in
sslsocket transport
---------------------------------------------------------------------------------------
Key: JBREM-902
URL: https://issues.jboss.org/browse/JBREM-902
Project: JBoss Remoting
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: security
Reporter: Xiang Qinxian
In a SSL context, there is a real need for check principal and certificates.
There are ways to do this, but current jboss remoting not provide it, just provider
socket remote address as sessionId. seems not enough.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4790
days inactive
6170
days old
5 comments
2 participants
participants (2)
-
Ron Sigal (Closed) (JIRA) -
ya xiang (JIRA)