users@glassfish.java.net

Re: How to define trust relationship between containers?

From: <glassfish_at_javadesktop.org>
Date: Tue, 10 Jun 2008 14:08:09 PDT

> I'm not sure if JSR289 does address what I'm looking
> for...

The JSR 289 trust config features are not available yet.

> let's say we have this scenario:
> client -> container1 -> container2
>
> client authenticates against container1
> client calls EJB1 in container1
> EJB1 calls EJB2 in container2 using client identity,
> not container1 identity
>
> if I rely on mutual SSL the call EJB1-EJB2 will use
> container1-certs not client-cert and therefore be
> executed using the identity from container1, not the
> client.
>
> or am I missing something?

The use case you describe was defined by the CSIv2 protocol, especially for use in EJB invocations. You can see the details in chapter 10 of

http://www.omg.org/docs/formal/08-01-07.pdf

You can see the specific use case detailed in the sample in section 10.7.3.

The protocol supports the evaluation of identity assertions made over a mutually authenticated transport.

If you haven't done so already, you might find some of the details presented in the secure interop chapter of the CORBA spec informative.

e.g.

Table 10.4 - TSS Interpretation of Client Credentials After Validation
Table 10.18 - Interpretation of Compound Mechanism Association Options
(especially rows 7 and 11 of table 10.18)

There is a chance that you will encounter a problem if you try to set up this scenario, but if you follow the suggested configuration, the caller identity should be propagated through to the end container. I

Ron

> Christian
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=279543
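The target-side decision Ron points to (an identity assertion honoured only when it arrives over a mutually authenticated transport from an intermediary trusted to assert) can be modelled in a few lines. This is an added, constructed illustration of the CSIv2 evaluation described in the thread, not GlassFish code and not a verbatim encoding of tables 10.4 and 10.18; the principal names, the `Csiv2Request` fields and the `ejb2_caller` helper are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Csiv2Request:
    """Credentials a target security service (TSS) sees on one EJB invocation."""
    transport_principal: Optional[str]  # client-cert subject from mutual SSL, None if no client cert
    auth_principal: Optional[str]       # principal proven by a client-auth token, None if absent
    asserted_identity: Optional[str]    # identity token from the SAS context, None if absent

class IdentityRejected(Exception):
    """Raised where a real TSS would refuse the request (NO_PERMISSION)."""

def determine_caller(req: Csiv2Request, trusted_asserters: FrozenSet[str]) -> str:
    """Decide which principal the invocation runs as.

    The asserting intermediary is whoever authenticated directly to the TSS:
    the authentication-layer principal if one was sent, else the transport
    principal.  An asserted identity is honoured only if that intermediary is
    configured as trusted to assert identities; otherwise the request is refused.
    """
    intermediary = req.auth_principal or req.transport_principal
    if intermediary is None:
        raise IdentityRejected("no authenticated caller (trust in client required)")
    if req.asserted_identity is None:
        return intermediary                      # no assertion: run as the intermediary itself
    if intermediary not in trusted_asserters:
        raise IdentityRejected(f"{intermediary!r} is not trusted to assert identities")
    return req.asserted_identity                 # trusted assertion: run as the original client

# Constructed scenario: client -> container1 -> container2, where container1's
# certificate is the mutual-SSL client credential on the EJB1 -> EJB2 hop.
TRUSTED = frozenset({"CN=container1"})

def ejb2_caller(asserted: Optional[str], hop_cert: str = "CN=container1") -> str:
    req = Csiv2Request(transport_principal=hop_cert, auth_principal=None,
                       asserted_identity=asserted)
    return determine_caller(req, TRUSTED)

if __name__ == "__main__":
    print(ejb2_caller(None))          # mutual SSL alone: EJB2 runs as CN=container1
    print(ejb2_caller("christian"))   # assertion over that transport: EJB2 runs as christian
    try:
        ejb2_caller("christian", hop_cert="CN=rogue")
    except IdentityRejected as e:
        print("rejected:", e)         # untrusted asserter: request refused
```

The first call reproduces the behaviour Christian worried about; the second shows what the identity token adds once container2 trusts container1 to assert.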