dev@glassfish.java.net

distributed security: adding foaf+ssl to glassfish

From: Henry Story <Henry.Story_at_Sun.COM>
Date: Tue, 17 Feb 2009 15:25:51 +0100

Hi folks,

I would like to make it simple for GlassFish developers to develop
apps using the foaf+ssl [1] security protocol we are developing in the
community for distributed open yet secure social networks.

The security piece of foaf+ssl is quite simple as it essentially
relies on client side https certificates - with a twist: the server
does not necessarily reject (correctly) self signed certificates. If
those certificates contain a subjectAltName URI then this can be used
to identify the user by following the method described here:

        http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to

I put together a demon for the Jetty web server using the jsslutils
library.

The following class just sets up the Jetty server:

https://sommer.dev.java.net/svn/sommer/trunk/misc/FoafServer/jetty/src/net/java/dev/sommer/foafserver/jetty/SimpleServer.java

one can then for example catch the X509 certificate in a servlet and
verify that this is indeed tied to the URL it claims to be

https://sommer.dev.java.net/svn/sommer/trunk/misc/FoafServer/jetty/src/net/java/dev/sommer/foafserver/jetty/CheckClient.java

(the dev.java.net server above requires username: guest password guest
or blank)

 From the client's perspective things are very simple. Once the client
has created a certificate using a service such as http://test.foafssl.org/cert/
  (which runs on GlassFish 2 btw), they can then login just by
clicking a button, as you can see by following the instructions there.

So in order to allow people to implement any of the many great
services that distributed identity makes possible [2], I would like to
make it as easy as possible to integrate this into GlassFish apps. It
would be nice then to work with others here to build some sample apps
to test out some of the ideas.

So I am looking for some guidance from security knowledgeable people
here. What do you suggest should be done that could have the biggest
impact and that requires the least amount of work - as I am currently
the only one working on bringing this to GF.

I would be really glad to talk to anyone interested in implementing
some simple apps.


                
                Henry Story
                Social Cloud Architect (really! ;-)
                 http://blogs.sun.com/bblfish

[1] Links to all the resource for this protocol are available
     http://esw.w3.org/topic/foaf+ssl
[3] see http://esw.w3.org/topic/foaf+ssl/UseCases
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.