Date: Sat, 3 May 1997 14:05:06 -0700 (PDT)
From: Aaron Hughes <Aaron.Hughes@Ebay>
Subject: Multiple Identity Databases within Java Web Server
To: java-security@java0.javasoft.com
I am implementing a 3-tier system. RMI between client/server.
The middle tier, or application server(s) are going to be managed by a servlet I
am writing which will perform startup, registry, and loadbalancing operations on
these application servers.
Application servers are being started in a separate process and JVM, and bind
themselves to the servlet through RMI. I am interested in using DSA to sign the
Remote reference it sends to the servlet to bind/manage. The servlet will have
the public_key and can authenticate the application server, and proceed with
binding it. This is to keep some malicious servers binding to a "name" that is
not a "trusted" application server.
For the Application Server, I read/understand how to change the location of the
identity database, by setting the property in the lib/security/java.security
file. I can create a certificate/key-pair/identity, and sign the Remote
reference using its private_key.
I can also take the public_key and create a non-signer identity in the
identitydb.obj file that the Java Web Server uses. (Let's assume the Java Web
Server and the Application server have their own JDKs installed.)
If I want to authenticate going the other direction, i.e. have my Servlet tell
some other servlet running on a different host to start a new application
server, I can do the same type of work.
*PROBLEM:*
However, I don't see any way that one Servlet can have its own identity
database and another Servlet another, since they all live in the same VM. Even
though servlets are added to the Java Web Server via an Admin user, you wouldn't
want the second Servlet to "Masquerade" as the other, having full access to its
private_key.
*Question:*
Is there any way to accomplish this?
I've investigated:
The JCA API speaks of
public void setSystemScope(IdentityScope scope)
however, in reality it's
protected static void setSystemScope(Identity scope)
Thanks in Advance,
Sorry for being long-winded, I wanted to be clear.
- Aaron
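As an added illustration (not part of Aaron's message, and not Sun/JavaSoft or Java Web Server code), the following sketches the bind check the message describes: an application server signs the reference it sends with DSA, and the managing servlet verifies that signature against the public key it already trusts for that registry name before binding. It uses the JCA KeyPairGenerator and Signature classes rather than the Identity/IdentityScope classes the message mentions (those were later deprecated). The Reference class, the "orders" name, the host:port strings and the in-memory Registry are all constructed stand-ins for the RMI stub and registry; they are assumptions of the example, not anything from the original post.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.HashMap;
import java.util.Map;

/** Example only: a DSA-signed "remote reference" and a registry that verifies before binding. */
public class SignedBindDemo {

    /** Stand-in for the RMI stub an application server would send (constructed, not a real stub). */
    static final class Reference {
        final String name;      // registry name the server wants to bind to
        final String endpoint;  // constructed "host:port"; no real server behind it
        Reference(String name, String endpoint) { this.name = name; this.endpoint = endpoint; }

        /** Plain byte encoding so the verifier never has to deserialize untrusted objects. */
        byte[] encode() { return (name + "\n" + endpoint).getBytes(StandardCharsets.UTF_8); }
    }

    /** What travels over the wire: the encoded reference plus the DSA signature over those bytes. */
    static final class SignedReference {
        final byte[] payload;
        final byte[] signature;
        SignedReference(byte[] payload, byte[] signature) { this.payload = payload; this.signature = signature; }
    }

    /** Application-server side: sign the encoded reference with the server's private key. */
    static SignedReference sign(Reference ref, PrivateKey priv) throws GeneralSecurityException {
        byte[] payload = ref.encode();
        Signature sig = Signature.getInstance("SHA256withDSA");
        sig.initSign(priv);
        sig.update(payload);
        return new SignedReference(payload, sig.sign());
    }

    /** Servlet side: bind only when the signature verifies under the key trusted for that name. */
    static final class Registry {
        private final Map<String, PublicKey> trusted = new HashMap<>(); // name -> public key of the trusted server
        private final Map<String, byte[]> bound = new HashMap<>();      // name -> verified reference bytes

        void trust(String name, PublicKey key) { trusted.put(name, key); }

        boolean bind(SignedReference sr) throws GeneralSecurityException {
            // The name is read from the signed bytes, so a signature for one name cannot be reused under another.
            String text = new String(sr.payload, StandardCharsets.UTF_8);
            int nl = text.indexOf('\n');
            if (nl < 0) return false;
            String name = text.substring(0, nl);

            PublicKey key = trusted.get(name);
            if (key == null) return false; // unknown name: no key to verify against, so no bind

            Signature sig = Signature.getInstance("SHA256withDSA");
            sig.initVerify(key);
            sig.update(sr.payload);
            if (!sig.verify(sr.signature)) return false; // wrong key or altered payload

            bound.put(name, sr.payload);
            return true;
        }

        boolean isBound(String name) { return bound.containsKey(name); }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048);
        KeyPair appServer = kpg.generateKeyPair(); // the trusted application server's key pair
        KeyPair other = kpg.generateKeyPair();     // a second key pair the registry does not trust

        Registry registry = new Registry();
        registry.trust("orders", appServer.getPublic()); // the servlet only ever holds public keys

        SignedReference good = sign(new Reference("orders", "app1.example:1099"), appServer.getPrivate());
        System.out.println("signed by trusted key, binds: " + registry.bind(good));

        SignedReference wrongKey = sign(new Reference("orders", "app2.example:1099"), other.getPrivate());
        System.out.println("signed by untrusted key, binds: " + registry.bind(wrongKey));

        // Reuse the valid signature over a different payload: verification fails.
        SignedReference altered = new SignedReference(
                new Reference("orders", "app2.example:1099").encode(), good.signature);
        System.out.println("valid signature over altered payload, binds: " + registry.bind(altered));
    }
}
```

In this sketch only the first bind succeeds; the reference signed with an untrusted key and the one whose payload was altered after signing are both refused. The registry holds public keys only, which matches the message's goal of keeping the private key out of the servlet's VM; it does not, however, answer the question of giving two servlets in one VM separate private keys, which the message leaves open.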