Security and Remote Services [message #619807] Tue, 04 December 2007 22:10
Shawn Hampton
I am currently looking into using the ECF RemoteServices API. I have a
test client/server application up and running. Both using OSGi and
Eclipse RCP and using the latest version of ECF from the Europa
discovery site.

I am now looking at adding security to the application. I have simple
user/password authentication working using an IConnectHandlerPolicy on
the server and an IConnectContext on the client.

Once the client calls .connect(), he/she is authenticated and connected
for a session. What I need now is for the remote service to be able to
access this connection information e.g. I need the username associated
with the call.

Can someone give me some insight as to how to handle this? Or at least
a direction in which to look?

Thanks,

Shawn Hampton
Sr. Research Programmer
National Center for Supercomputing Applications
Re: Security and Remote Services [message #619808 is a reply to message #619807] Fri, 07 December 2007 00:34
Scott Lewis
Hi Shawn,

Shawn Hampton wrote:
> I am currently looking into using the ECF RemoteServices API. I have a
> test client/server application up and running. Both using OSGi and
> Eclipse RCP and using the latest version of ECF from the Europa
> discovery site.

Cool! Would you be able/willing to allow us to try this test client and
server application? What does it do?

>
> I am now looking at adding security to the application. I have simple
> user/password authentication working using an IConnectHandlerPolicy on
> the server and an IConnectContext on the client.
>
> Once the client calls .connect(), he/she is authenticated and connected
> for a session. What I need now is for the remote service to be able to
> access this connection information e.g. I need the username associated
> with the call.
>
> Can someone give me some insight as to how to handle this? Or at least
> a direction in which to look?


One way to go is to use JAAS (Java Authentication and Authorization
service). You can use the JAAS login process to associate Principals
with an authenticated Subject (user). These principals can have
permissions associated with them that can be checked at runtime.

This will probably be made more easy/natural for Equinox-based
applications (e.g. RCP apps, Equinox server apps, etc) in the near
future (3.4/Ganymede) because of the Equinox security work:

http://www.eclipse.org/equinox/incubator/security/

We (ECF) are participating some in this work (at least we're talking
with the folks doing the integration). We expect to take advantage of
the JAAS integration work in ECF and ECF-based applications...note that
ECF IDs implement the java.security.Principal interface.

I know this isn't very much at this point (and apologize for that), but
the JAAS/Equinox integration will help. Of course any contributions or
thoughts that you might have would also be welcome.

Scott
Re: Security and Remote Services [message #619820 is a reply to message #619808] Fri, 14 December 2007 10:14
Christian Campo
Hi Scott,

Can a single user specify multiple ECF IDs at the same time? If not, would you not rather associate
a Subject with an ECF ID?

just curious....

- christian campo

Scott Lewis wrote:
> Hi Shawn,
>
> Shawn Hampton wrote:
>> I am currently looking into using the ECF RemoteServices API. I have
>> a test client/server application up and running. Both using OSGi and
>> Eclipse RCP and using the latest version of ECF from the Europa
>> discovery site.
>
> Cool! Would you be able/willing to allow us to try this test client and
> server application? What does it do?
>
>>
>> I am now looking at adding security to the application. I have simple
>> user/password authentication working using an IConnectHandlerPolicy on
>> the server and an IConnectContext on the client.
>>
>> Once the client calls .connect(), he/she is authenticated and
>> connected for a session. What I need now is for the remote service to
>> be able to access this connection information e.g. I need the username
>> associated with the call.
>>
>> Can someone give me some insight as to how to handle this? Or at
>> least a direction in which to look?
>
>
> One way to go is to use JAAS (Java Authentication and Authorization
> service). You can use the JAAS login process to associate Principals
> with an authenticated Subject (user). These principals can have
> permissions associated with them that can be checked at runtime.
>
> This will probably be made more easy/natural for Equinox-based
> applications (e.g. RCP apps, Equinox server apps, etc) in the near
> future (3.4/Ganymede) because of the Equinox security work:
>
> http://www.eclipse.org/equinox/incubator/security/
>
> We (ECF) are participating some in this work (at least we're talking
> with the folks doing the integration). We expect to take advantage of
> the JAAS integration work in ECF and ECF-based applications...note that
> ECF IDs implement the java.security.Principal interface.
>
> I know this isn't very much at this point (and apologize for that), but
> the JAAS/Equinox integration will help. Of course any contributions or
> thoughts that you might have would also be welcome.
>
> Scott
Re: Security and Remote Services [message #619822 is a reply to message #619820] Fri, 14 December 2007 18:50
Scott Lewis
Hi Christian,

Christian Campo wrote:
> Hi Scott,
>
> can a single user specify multiple ECF IDs at the same time ?


Yes, they surely can. Specifically, an authenticated JAAS Subject can
have multiple Principals associated with it upon login/authentication
(via JAAS...this has nothing to do with ECF per se). The ECF ID
interface (org.eclipse.ecf.core.identity.ID) extends
java.security.Principal, meaning that all ECF IDs are also potentially
Principals associated with a JAAS Subject. They would then be available
via methods like subject.getPrincipals() and/or getPrincipals(Class c).

One thing this depends upon is the ability for plugins (like ECF or
others) to add Principals to an authenticated Subject during
login....hopefully without writing a separate LoginModule. There is an
Equinox security incubator bug here to that effect:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=200299


> If not would you not rather associate
> a Subject with an ECF ID?


This is exactly the intention/design...by using the Principal interface
as super interface for IDs, and thereby enabling using
Subject.getPrincipals().

Note also that ECF's Namespace extension point allows plugins to create
their own Namespaces (Namespaces are factories for creating
Principals/IDs of a certain type/types).

Scott


>
> just curious....
>
> - christian campo
>
> Scott Lewis wrote:
>> Hi Shawn,
>>
>> Shawn Hampton wrote:
>>> I am currently looking into using the ECF RemoteServices API. I have
>>> a test client/server application up and running. Both using OSGi and
>>> Eclipse RCP and using the latest version of ECF from the Europa
>>> discovery site.
>>
>> Cool! Would you be able/willing to allow us to try this test client
>> and server application? What does it do?
>>
>>>
>>> I am now looking at adding security to the application. I have
>>> simple user/password authentication working using an
>>> IConnectHandlerPolicy on the server and an IConnectContext on the
>>> client.
>>>
>>> Once the client calls .connect(), he/she is authenticated and
>>> connected for a session. What I need now is for the remote service
>>> to be able to access this connection information e.g. I need the
>>> username associated with the call.
>>>
>>> Can someone give me some insight as to how to handle this? Or at
>>> least a direction in which to look?
>>
>>
>> One way to go is to use JAAS (Java Authentication and Authorization
>> service). You can use the JAAS login process to associate Principals
>> with an authenticated Subject (user). These principals can have
>> permissions associated with them that can be checked at runtime.
>>
>> This will probably be made more easy/natural for Equinox-based
>> applications (e.g. RCP apps, Equinox server apps, etc) in the near
>> future (3.4/Ganymede) because of the Equinox security work:
>>
>> http://www.eclipse.org/equinox/incubator/security/
>>
>> We (ECF) are participating some in this work (at least we're talking
>> with the folks doing the integration). We expect to take advantage of
>> the JAAS integration work in ECF and ECF-based applications...note
>> that ECF IDs implement the java.security.Principal interface.
>>
>> I know this isn't very much at this point (and apologize for that),
>> but the JAAS/Equinox integration will help. Of course any
>> contributions or thoughts that you might have would also be welcome.
>>
>> Scott
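
An added example, not part of the thread and not ECF or Equinox code: a service method that takes the caller's identity from the principals on an authenticated JAAS Subject, as described in the replies above, and fails closed when none is present. `ContainerId`, `Role` and `readReport` are hypothetical names, `ContainerId` stands in for an ECF ID, and handing the Subject to the service as a parameter is an assumption (Java 16+ for records).

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class CallerIdentityDemo {

    // Hypothetical stand-in for an ECF ID. Per the thread, the real
    // org.eclipse.ecf.core.identity.ID extends java.security.Principal.
    record ContainerId(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical role principal that a LoginModule could add at login.
    record Role(String name) implements Principal {
        public String getName() { return name; }
    }

    // Service-side check: the caller's identity comes from the Subject built
    // at authentication time, never from a name supplied in the request.
    static String readReport(Subject caller, String owner) {
        Set<ContainerId> ids = caller.getPrincipals(ContainerId.class);
        if (ids.isEmpty()) {
            throw new SecurityException("no authenticated ID on this call");
        }
        boolean isOwner = ids.contains(new ContainerId(owner));
        boolean isAdmin = caller.getPrincipals(Role.class).contains(new Role("admin"));
        if (!isOwner && !isAdmin) {
            throw new SecurityException(ids + " may not read the report of " + owner);
        }
        return "report of " + owner + " served to " + ids;
    }

    public static void main(String[] args) {
        // Constructed sample: one user holding two IDs, as discussed above.
        Subject shawn = new Subject();
        shawn.getPrincipals().add(new ContainerId("shawn"));
        shawn.getPrincipals().add(new ContainerId("shawn@example.org"));
        shawn.setReadOnly(); // service code can no longer add principals

        System.out.println(readReport(shawn, "shawn"));
        try {
            readReport(shawn, "scott");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```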