Delegation with SSL

(1st in a series of questions.)

The Javadoc for SslServerEndpoint says that Delegation.YES is supported 'trivially, for anonymous clients'.

Surely:

(a) that should be 'non-anonymous', not 'anonymous'?

(b) 'trivially' needs expanding on?

In practice clearly 'trivially' means that the server can execute local code 'as' the client subject, but not remote methods that need client authentication. Which is what I expected, SSL being a PKI-based cryptosystem. But it's not what the Javadoc actually says.

EJP

--------------------------------------------------------------------------
Getting Started: http://www.jini.org/wiki/Category:Getting_Started
Community Web Site: http://jini.org
jini-users Archive: http://archives.java.sun.com/archives/jini-users.html
Unsubscribing: email "signoff JINI-USERS" to listserv@...
Re: Delegation with SSL

On Sat, Mar 14, 2009 at 12:41:45AM -0600, Esmond Pitt wrote:
> The Javadoc for SslServerEndpoint says that Delegation.YES is supported
> 'trivially, for anonymous clients'.
>
> Surely:
>
> (a) that should be 'non-anonymous', not 'anonymous'?

No, "anonymous" was the intent.

> (b) 'trivially' needs expanding on?
>
> In practice clearly 'trivially' means that the server can execute local code
> 'as' the client subject, but not remote methods that need client
> authentication. Which is what I expected, SSL being a PKI-based
> cryptosystem. But it's not what the Javadoc actually says.

The Delegation constraint is specifically about the latter case you mention above: the server being able to authenticate as the authenticated client when making its own further remote invocation. (Without delegation but with client authentication, the server can "doAs" the resulting client subject, such as for permission checks, but that subject does not contain credentials for authenticating as the client in another remote invocation.)

The JERI SSL endpoints do not support delegation in any useful (i.e. non-trivial) way. They do "support" the Delegation.YES constraint-- in that an UnsupportedConstraintException is not thrown-- in the trivial case that there is no client authentication (i.e. the client is anonymous), because in that case there is nothing to do. (Only the Kerberos endpoints in the starter kit support delegation usefully.)

-- Peter