Re: Can I get the Session ID from the Security API's?

David Brownell - JavaSoft (db@doppio)
Thu, 20 Feb 1997 10:59:43 -0800

Date: Thu, 20 Feb 1997 10:59:43 -0800
From: db@doppio (David Brownell - JavaSoft)
Message-Id: <199702201859.KAA15238@argon.eng.sun.com>
To: Matthew_Abraham@clrmnt.com, java-security@java
Subject: Re: Can I get the Session ID from the Security API's?

> To: java-security <java-security@java>
> From: Matthew Abraham <Matthew_Abraham@clrmnt.com>
> Date: 19 Feb 97 16:10:18 EDT
> Subject: Can I get the Session ID from the Security API's?
>
> I am new to the Security API's so I apologize in advance if this is a
> basic question. I assume that through the Security API's you are able to
> establish an authenticated connection between the client and server.

JavaSoft has an API for the "Secure Sockets Layer" (SSL, version 3).

It's currently in the "sun.security.ssl" package, which is not part of the
JDK 1.1 release. It relies on the X.509 package ("sun.security.x509")
which _is_ found in JDK 1.1 ... keep in mind that such "sun.*" packages
have a different support status than the APIs in the "java.*" namespace.
Those package names will probably change as their support status changes.

For more detailed information on this, you'll want to see the upcoming
Beta release of the "Java Web Server". This should be available in a few
weeks through this URL:

http://java.sun.com/products/java-server

This SSL software is being used in other JavaSoft products too; for
example, the HotJava web browser.

> Assuming this is true, I also assume a session ID unique to that
> connection is also generated.

SSLv3 supports the notion of sessions. However, sessions are not
unique to a connection; two connections can share the same session,
for example. This is a useful feature.

> So my question is this:
>
> Is there any way to access the value of this session ID and associate it
> with a username which can then be used to identify access rights? If it
> can't be done through the Security API's could you give me some advice
> as to where I can go look to get this information?

The current version of the SSL APIs does indeed provide this capability.
However, that's not yet available at the URL listed above; you'll need
to wait for the Beta release to get this feature.

Basically it'll work like this:

SSLSocket s = ...;
Session sess = s.getSession ();

Then, either use a peer identity which was authenticated by SSL:

X509Cert chain [] = sess.getPeerCertificateChain ();
X500Name dn = chain [0].getSubjectName ();

Or layer your own identification/authentication protocol over SSL,
and associate such an identity with the session yourself:

Hashtable info = ...;
MyUserData userData = (MyUserData) info.get (sess);

In either case, once you have data about the user at the other end of
the SSL connection, you have the basic tool needed to do access control
of a variety of types.

We'll be pleased to get your feedback on these Beta APIs when you
have had a chance to look at them, early next month.

- Dave
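
The two approaches sketched above (using the identity SSL authenticated, or
binding your own identity to the session), written out against the supported
javax.net.ssl API of later JDKs rather than the sun.security.ssl package the
message refers to. This is an added example, not code from the original
message or from the Java Web Server; the class name, the port, the DN-to-rights
table and the user-per-session map are assumptions made up for illustration,
and the key/trust material is assumed to come from the standard javax.net.ssl.*
system properties.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.security.auth.x500.X500Principal;

// Hypothetical class name; illustration only.
public class SslSessionAccessControl {

    // Constructed sample: which peer subject DNs hold which rights.
    // A real server would load this from a policy store, not hard-code it.
    private static final Map<String, Set<String>> RIGHTS_BY_DN = Map.of(
        "CN=alice,O=Example Corp", Set.of("read", "write"),
        "CN=bob,O=Example Corp",   Set.of("read"));

    // Approach 2 from the message: your own per-session user data, keyed on the
    // SSL session id. Two connections that resume the same session land on the
    // same entry, which is exactly why a session is not unique to a connection.
    private static final Map<String, String> USER_BY_SESSION_ID = new ConcurrentHashMap<>();

    // byte[] is not usable as a map key (identity equality), so key on its hex form.
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Approach 1 from the message: take the identity SSL itself authenticated.
    // Throws if the peer presented no certificate (e.g. client auth not required).
    static String peerIdentity(SSLSession sess) throws SSLPeerUnverifiedException {
        Certificate[] chain = sess.getPeerCertificates(); // leaf certificate first
        X509Certificate leaf = (X509Certificate) chain[0];
        // RFC 2253 form gives a stable string for lookups, unlike toString().
        return leaf.getSubjectX500Principal().getName(X500Principal.RFC2253);
    }

    // Approach 2: remember an identity your own protocol established over SSL.
    static void bindUserToSession(SSLSession sess, String username) {
        USER_BY_SESSION_ID.put(hex(sess.getId()), username);
    }

    static String userForSession(SSLSession sess) {
        return USER_BY_SESSION_ID.get(hex(sess.getId()));
    }

    static boolean mayPerform(String dn, String right) {
        return RIGHTS_BY_DN.getOrDefault(dn, Set.of()).contains(right);
    }

    public static void main(String[] args) throws IOException {
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(8443)) { // port assumed
            // Without this the client never sends a certificate and approach 1 cannot work.
            ss.setNeedClientAuth(true);
            while (true) {
                try (SSLSocket s = (SSLSocket) ss.accept()) {
                    s.startHandshake();              // forces authentication before any data
                    SSLSession sess = s.getSession();
                    String dn;
                    try {
                        dn = peerIdentity(sess);
                    } catch (SSLPeerUnverifiedException e) {
                        System.out.println("rejecting unauthenticated peer on session "
                            + hex(sess.getId()));
                        continue;
                    }
                    System.out.println("session " + hex(sess.getId()) + " peer " + dn
                        + " may write: " + mayPerform(dn, "write"));
                }
            }
        }
    }
}
```

The check a practitioner wants here is setNeedClientAuth(true) together with
startHandshake() before reading application data: otherwise getPeerCertificates()
throws, and any identity you derive from the session is only as trustworthy as
the resumption mechanism that handed it back, so the certificate-based approach
should be preferred over the session-id map wherever the peer can be made to
authenticate.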