JBoss Security team,
I would like to start a discussion concerning several possible improvements in jbosssx; they came up while working with JBoss in an environment that has complex security requirements. While all functionality I am suggesting was implemented with custom code, outside jbosssx, I believe it makes sense to generalize it, so other people can take advantage of it.
The changes are related to supporting keystores containing multiple client and server key aliases at the JBoss security domain configuration level, and also a way to declaratively enable client authentication at the JBoss security domain configuration level, similar to how client authentication is enabled for a Tomcat connector - I needed this in order to enable client authentication on a secure JRMP connection.
Please let me know if this is a good place to start the discussion.
For simplicity, I could split the thread into several sub-threads, one for each suggested functionality. In the end, if it is decided that the improvements are worth the trouble, I will create the JIRA issues and provide patches and tests. However, I would like to start the discussion here, first, because it is possible that the suggested functionality already exists, and I simply missed it.
The discussion applies to the 4.x series, but I will be more than happy to adapt the patches for 5.x and 6.x, if deemed appropriate.
Please find below:
As mentioned on each individual issue, I have patches that have been tested and are ready to be applied, as soon as the Security team agrees that all (or some) of the above are good ideas. Please let me know, I am standing by.
Ovidiu, most of the code you'll be touching (org.jboss.security.ssl.*, JaasSecurityDomain) is located in the application server security module (trunk/security). However, the SecurityDomain interface is defined in the security-spi project, so the first thing we have to do is to apply all the needed changes to this interface and then cut a release of the security project. After that we can update the AS and perform the remaining changes.
Let me know when you're done so I can cut the release for you.