Transport Authentication
At the transport level we will support the following mechanisms for establishing and verifying the identity of the client connecting to the server.
Native (SASL) | HTTP |
---|---|
Plain *1 (DONE) | Basic (DONE) |
Digest_MD5 (DONE) | Digest (DONE) |
GSSAPI (WILL BE IN 7.1) | SPNEGO (WILL BE IN 7.1) |
External *1 (WILL BE IN 7.1) | Client Cert (WILL BE IN 7.1) |
AS Security Token *2 | AS Security Token *2 |
*1 Not supplied by the JDK. We will provide a provider.
*2 To be considered at a later point to minimise overhead establishing connection to different nodes.
Notes
The Native connection is using Remoting 3 so will make use of the JDK supplied SASL implementation.
Support for Plain / Basic although should be avoided if Digest_MD5 / Digest can be used will be provided for scenarios where pass through of both username and password to back end user database is required.
A single transport will be required to support multiple mechanisms e.g. The Native API may need to use External authentication for hosts but Digest_MD5 for connections from administrators.
Reference
SASL and SASL External - http://datatracker.ietf.org/doc/rfc4422/
SASL Plain - http://datatracker.ietf.org/doc/rfc4616/
SASL Digest_MD5 - http://datatracker.ietf.org/doc/rfc2831/
SASL GSSAPI - http://datatracker.ietf.org/doc/rfc4752/
Java SASL Documentation - http://download.oracle.com/javase/6/docs/technotes/guides/security/sasl/sasl-refguide.html
HTTP Basic and Digest - http://datatracker.ietf.org/doc/rfc2617/
HTTP SPNEGO - http://datatracker.ietf.org/doc/rfc4559/
Java Secure Programming and SSO - http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/index.html
Comments