General J2EE: JAAS architecture help

  1. JAAS architecture help (8 messages)

    Hello and Good Day.

    My team are developing an EAI for our company where our J2EE application will be the main portal for machines to talk to other machines in the company. When 2 machines are talking to each other, authorization and authentication are crucial in doing transactions. Also of course, the security will have to ensure that the data being sent is safe from hacking, snooping, etc.

    I've been reading on JSSE, SSL and JAAS and JAAS seems to be the best approach for this scenario. But I'm not sure... also, if I use, say, public-key cryptography and digital certificates, wouldn't this greatly affect performance where end-of-day transactions involve thousands of records?

    I'd appreciate help on the matter. As to whether JAAS is really the best way to go and some tips on the best practices on how to implement what I want to do.

    Many Thanks!

    Liam

  2. JAAS architecture help

    If you are talking about pure machine-to-machine communication, with no user ids or authorization involved, I suggest you go with a pure JSSE/SSL security mechanism, with client certificates on the initiating machine and some kind of centralized keystore.

    With this approach, you only pay overhead when you initiate the connection. As long as the connection is open, the only additional overhead you pay is encryption (which is a given). JSSE is a given anyway, even if you are using JAAS, but it is the best mechanism for encrypting your data in transit.

    JAAS is useful if you need authorization as well as authentication (user X has permission to do action Y). In theory you can use any kind of client token for the JAAS authentication, including digital certificates, but I must admit I have never implemented this.

  3. JAAS architecture help

    Thanks Paul for your reply!

    I apologize that my above situation wasn't very clear. Yes, our EAI will be integrating machines, but there will be users logging on to them as well. For example, a user on Machine A tries to make a transaction on Machine B and passes through the EAI to do so. Machine B will have to ensure that the user from Machine A is who he says he is and also has permission to do the desired transaction (Authentication and Authorization).

    It is my understanding that with JAAS this information will be put in the policy file (instead of a DB). So each machine in the EAI will have their own policy file of users and permissions for that system?

    Also, I understand your point on the single sign-on. So the certificates will only be used once (in opening the connection between two machines), and when that is done it's just encrypting and decrypting? What if a hacker tries to insert himself during the connection? Also, would public-key cryptography be too taxing on very large amounts of data? Maybe symmetric cryptography would be preferred?

    Thanks for your help again!

    Regards,

    Liam

  4. JAAS architecture help

    First off, if you use JSSE/SSL, only the initial connection handshake uses public-key cryptography. Thereafter, the communication uses a (much faster) symmetric key encryption algorithm (typically TripleDES, but it depends on how you have your machines configured). Performance-wise, this is as good as it gets.

    You actually have two authentication issues: user authentication and machine authentication. Machine authentication can be handled with the certificate technique I discussed above. User authentication is a separate issue.

    As for user authentication, JAAS does do what you think it does for authorization, but it does not handle remote authentication, only local authentication. You will need to figure out how to pass the authentication credentials (userid/password or digital certificate) from the remote machine to your EAI machine for authentication against JAAS. The credentials should be passed through an encrypted channel (that is, after you have initiated SSL).

    You will also need to decide how to cache the user credentials on the remote machine, so that they can be retransmitted for each reconnect. Optionally, you can implement some kind of timestamped security token system, and cache the tokens instead.

    All of this gets really complicated, and there are no quick and easy solutions. This represents several months of solid development effort at least. Before you dive in, I suggest you look for a security package that has all the features you need. This is a case where buying an existing package can be better than building everything from scratch.
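
Added example, not code from the thread or from any poster: one way to build the timestamped security token suggested in the reply above, so the remote machine caches a short-lived token instead of the password. The class name, token layout, user id and demo key are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical layout: base64url(userId) "." expiryMillis "." base64url(HMAC-SHA256)
public class TimestampedToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;
    public TimestampedToken(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }
    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }
    // Called by the EAI once the user has authenticated (for example through JAAS).
    public String issue(String userId, long now, long ttlMillis) throws Exception {
        String payload = ENC.encodeToString(userId.getBytes(StandardCharsets.UTF_8))
                + "." + (now + ttlMillis);
        return payload + "." + ENC.encodeToString(mac(payload));
    }

    // Returns the user id, or null if the token is malformed, altered or expired.
    public String verify(String token, long now) throws Exception {
        String[] p = token.split("\\.");
        if (p.length != 3) return null;
        try {
            // Check the MAC first, in constant time, before trusting any field.
            if (!MessageDigest.isEqual(mac(p[0] + "." + p[1]), DEC.decode(p[2]))) return null;
            if (now >= Long.parseLong(p[1])) return null;
            return new String(DEC.decode(p[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 or expiry field
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real key is random and never leaves the EAI.
        TimestampedToken t = new TimestampedToken(
                "constructed-demo-key-not-for-use".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        String token = t.issue("userA", now, 15 * 60 * 1000L);
        String[] p = token.split("\\.");
        String forged = p[0] + "." + (Long.parseLong(p[1]) + 86_400_000L) + "." + p[2];
        System.out.println("fresh:   " + t.verify(token, now + 1000));
        System.out.println("expired: " + t.verify(token, now + 16 * 60 * 1000L));
        System.out.println("forged:  " + t.verify(forged, now + 1000));
    }
}
```

The token is only integrity-protected, not encrypted, so it still has to travel inside the SSL channel like any other credential.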

  5. JAAS architecture help

    As a follow up question, is JSSE/SSL still important if the EAI and all its components are all within the intranet of my company?

    Since it's in an intranet, would an encrypted user-name and password, followed by the actual data be a good enough substitute for SSL in this case?

    If so or if not, please provide any reasons. I just wanna be sure what the best practice for my situation is.

    Thanks!

  6. JAAS architecture help

    Please ignore my last post, I have already answered it myself and the answer was quite obvious. =) A more pressing question I have now is:

    I have the following architecture: Client --> Servlet (if Client is a HTTP connection) and Client --> MessageLet (if Client is sending JMS).

    How do I use SSL there? The SSL examples I’ve been doing use SSLServerSocket and Sockets, but data here is transmitted via HTTP or Messages? Also will each client have their own certificate and I have each of them added to my trusted store? If so, how do I give them their certificates?

  7. JAAS architecture help

    > I have the following architecture: Client --> Servlet (if Client is a HTTP connection) and Client --> MessageLet (if Client is sending JMS). How do I use SSL there?

    For HTTP, use a java.net.URL and java.net.URLConnection that uses the "https:" protocol. The JSSE documentation describes how to enable the "https:" protocol.

    For JMS, use the encryption features of your Messaging System.

    > Also will each client have their own certificate and I have each of them added to my trusted store? If so, how do I give them their certificates?

    The passing of user credentials should be independent of encrypting machine-to-machine communication. Given your architecture, the simplest thing to do is pass the user credentials as part of your message.

    I suggest you take a look at the way SOAP and Web Services Security handles these kinds of issues. Basically:

    1) The message is in XML, and can be sent over any protocol (HTTP, email, JMS).
    2) The message has two parts: a SOAP header and a SOAP body.
    3) The SOAP body holds the raw data for your message.
    4) The SOAP header holds message "metadata", including things like security credentials.
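
Added example, not code from the thread: an HTTPS client that presents a client certificate, combining the machine authentication described in the first reply with the java.net.URL approach in the reply above. The environment variable names, the PKCS12 store type and the URL argument are assumptions; the servlet container must be configured to require client certificates for the client's certificate to be checked.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

public class MutualTlsClient {
    // Hypothetical configuration source: environment variables, so no password is hard-coded.
    static String env(String name) {
        String v = System.getenv(name);
        if (v == null) throw new IllegalStateException("missing environment variable " + name);
        return v;
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); // assumption: stores are PKCS12 files
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext context() throws Exception {
        // Key store: this machine's own private key and certificate.
        char[] keyPw = env("CLIENT_KS_PW").toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(env("CLIENT_KS"), keyPw), keyPw);
        // Trust store: only the CA (or server certificate) this client should accept.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(env("TRUST_KS"), env("TRUST_KS_PW").toCharArray()));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(context().getSocketFactory());
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        // Hostname verification stays at the HttpsURLConnection default (enabled).
        System.out.println("status: " + conn.getResponseCode());
        System.out.println("cipher: " + conn.getCipherSuite());   // symmetric suite used after the handshake
        System.out.println("server: " + conn.getPeerPrincipal()); // identity from the server certificate
    }
}
```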

  8. JAAS architecture help

    Thanks a lot Paul for all your help.

    I've gone over your suggestions and have done quite a bit of research on the stuff you suggested. There really is a lot for me to learn here. Thanks again for pointing me in the right direction.

  9. JAAS architecture help

    Glad to help. Best of luck :)