[jboss-dev-forums] [Security Development] New message: "Re: Option for Client Authentication at JBoss Security Domain Level"

Stefan Guilhen noreply at jboss.org
Wed Jan 6 09:28:19 EST 2010


JBoss development,

A new message was posted in the thread "Option for Client Authentication at JBoss Security Domain Level":

http://community.jboss.org/message/518531#518531

Author  : Stefan Guilhen
Profile : http://community.jboss.org/people/sguilhen@redhat.com

Message:
--------------------------------------------------------------
I don't see how this is different from setting the *needsClientAuth* property directly in the DomainServerSocketFactory:
 
<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
   name="jboss:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true">
   <attribute name="RMIObjectPort">0</attribute>
   <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory
   </attribute>
   <attribute name="RMIServerSocketFactoryBean"
      attributeClass="org.jboss.security.ssl.RMISSLServerSocketFactory"
      serialDataType="javaBean">
     <property name="bindAddress">${jboss.bind.address}</property>
     <property name="securityDomain">java:/jaas/rmi-ssl</property>
     <property name="needsClientAuth">true</property>
     <property name="CipherSuites">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property>
     <property name="Protocols">SSLv2Hello,SSLv3,TLSv1</property>
   </attribute>
</mbean>

 
The needsClientAuth property is used when creating the SSLServerSocket to indicate that client authentication is required. If the client doesn't provide credentials, the SSL negotiation will fail.
There is also the wantsClientAuth property that can be used to indicate that client authentication will be requested during the negotiation phase. In this case, however, if the client doesn't provide the credentials, the SSL negotiation will continue.
 
Note: in the JRMPInvoker sample above we are using the RMISSLServerSocketFactory. It implements the RMIServerSocketFactory interface and delegates all methods to the DomainServerSocketFactory. So setting the needsClientAuth property there will end up setting the same property in DomainServerSocketFactory.

--------------------------------------------------------------
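
The need/want distinction described in the message above, shown on a plain JSSE SSLServerSocket. This is an added example, not code from the post or from JBoss; the class and helper names (ClientAuthModes, applyClientAuth, clientAuthenticated, mode) are hypothetical, and it assumes the JVM's default SSLContext is available.

```java
import java.security.cert.Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

public class ClientAuthModes {

    // Hypothetical helper: apply the two flags so that neither call undoes the other.
    // In JSSE each setter overrides any earlier need/want setting, "false" included.
    static void applyClientAuth(SSLServerSocket socket, boolean needs, boolean wants) {
        if (needs) {
            socket.setNeedClientAuth(true);   // handshake fails without a client certificate
        } else {
            socket.setWantClientAuth(wants);  // certificate requested, handshake continues without it
        }
    }

    // With "wants", a connection may be anonymous, so server code has to check the session.
    static boolean clientAuthenticated(SSLSocket accepted) {
        try {
            Certificate[] chain = accepted.getSession().getPeerCertificates();
            return chain.length > 0;
        } catch (SSLPeerUnverifiedException e) {
            return false; // the client sent no certificate
        }
    }

    static String mode(SSLServerSocket s) {
        return "need=" + s.getNeedClientAuth() + " want=" + s.getWantClientAuth();
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0)) {
            // Naive order: the second call silently clears the first.
            socket.setWantClientAuth(true);
            socket.setNeedClientAuth(false);
            System.out.println("naive: " + mode(socket));

            applyClientAuth(socket, false, true);
            System.out.println("wants: " + mode(socket));

            applyClientAuth(socket, true, true);
            System.out.println("needs: " + mode(socket));
        }
    }
}
```

Code that runs behind a socket configured with "wants" should call a check like clientAuthenticated before treating the peer as identified, since the handshake succeeds either way.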
