Re: Multiple Identity Databases within Java Web Server

David Brownell (db@shorter)
Mon, 5 May 1997 14:45:24 -0700

Date: Mon, 5 May 1997 14:45:24 -0700
From: db@shorter (David Brownell)
Message-Id: <199705052145.OAA22751@argon.eng.sun.com>
To: java-security@java, Aaron.Hughes@Ebay
Subject: Re: Multiple Identity Databases within Java Web Server

> From Aaron.Hughes@Ebay Sat May 3 14:04:50 1997
> Date: Sat, 3 May 1997 14:05:06 -0700 (PDT)
> From: Aaron Hughes <Aaron.Hughes@Ebay>
> Subject: Multiple Identity Databases within Java Web Server
> To: java-security@java
> cc: david.brownell@Eng
> X-Sun-Text-Type: ascii
>
> I am implementing a 3-tier system. RMI between client/server.

Between which client and server -- tiers 1 and 2, or tiers 2 and 3?

> The middle tier, or application server(s) are going to be managed by a servlet I
> am writing which will perform startup, registry, and loadbalancing operations on
> these application servers.

Sounds like HTTP is also used between tiers 1 and 2, regardless of whether
RMI is also used there or not.

> Application servers are being started in a separate process, and JVM, and bind
> themselves to the servlet through RMI. I am interested in using DSA to sign the
> Remote reference it sends to the servlet to bind/manage. The servlet will have
> the public_key and can authenticate the application server, and proceed with
> binding it. This is to keep some malicious servers binding to a "name" that is
> not a "trusted" application server.

Sounds to me like you need to see RMI's lack of security be addressed!!

> For the Application Server, I read/understand how to change the location of the
> identity database, by setting the property in the lib/security/java.security
> file. I can create a certificate/key-pair/identity, and sign the Remote
> reference using its private_key.
>
> I can also take the public_key and create a non-signer identity in the
> identitydb.obj file that the Java Web Server uses. (Let's assume the Java Web
> Server and the Application server have their own JDK's installed)

I actually dislike this assumption quite a lot, but it is an effective one
to be making for the moment. Multiuser systems ought to be able to have a
single set of executables, and have per-user (and probably per-application,
and even per-instance) configuration ... just like for non-Java apps.

> If I want to authenticate going the other direction, ie. Have my Servlet tell
> some other servlet running on a different host to start a new application
> server, I can do the same type of work.
>
> *PROBLEM:*
> However, I don't see any way that one Servlet can have its own identity
> database and another Servlet another. Since they all live in the same VM. Even
> though servlets are added to the Java Web Server via an Admin user, you wouldn't
> want the second Servlet to "Masquerade" as the other, having full access to its
> private_key.
>
> *Question:*
> Is there any way to accomplish this?

Not today. What you really need is access control for the private keys,
and there is neither mechanism nor policy in this area. It's one of my
pet issues, but for now I'm just assuming that servlets should not get
access to the keys which are actually protected (via the SSL keystore, which
passphrase-encrypts them) unless they're explicitly handed to them by
some code which is allowed to get the keys.

You'll notice that applets have the same class of problems.

- Dave

> I've investigated:
> The JCA API speaks of
> public void setSystemScope(IdentityScope scope)
>
> however, in reality it's
> protected static void setSystemScope(Identity scope)
>
>
> Thanks in Advance,
> Sorry for being long-winded, I wanted to be clear.
> - Aaron
>
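The signed-reference binding Aaron describes, as an added example that is not part of the original thread: the application server signs its serialized reference with a DSA private key, and the servlet's registry, which holds only the public key for each trusted name (the separation Dave argues for), verifies before binding. It assumes Java 8 or later; RemoteRef, the "orders" name and the endpoint are stand-ins for the real RMI reference.

```java
import java.io.*;
import java.security.*;
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the original thread. RemoteRef stands in for
// the RMI remote reference; names and endpoints are constructed sample values.
public class SignedBindDemo {
    static final class RemoteRef implements Serializable {
        final String name, endpoint;
        RemoteRef(String name, String endpoint) { this.name = name; this.endpoint = endpoint; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Application server side: sign the serialized reference with its DSA private key.
    static byte[] sign(byte[] refBytes, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA");
        s.initSign(key);
        s.update(refBytes);
        return s.sign();
    }

    // Servlet side: one public key per trusted name; no private key ever lives here.
    static final Map<String, PublicKey> trusted = new HashMap<>();
    static final Map<String, RemoteRef> registry = new HashMap<>();

    static boolean bindIfAuthentic(String name, byte[] refBytes, byte[] sig) throws Exception {
        PublicKey pub = trusted.get(name);
        if (pub == null) return false;                    // unknown name: refuse to bind
        Signature v = Signature.getInstance("SHA256withDSA");
        v.initVerify(pub);
        v.update(refBytes);
        if (!v.verify(sig)) return false;                 // tampered bytes or wrong signer
        // Deserialize only after the signature has been verified.
        RemoteRef ref = (RemoteRef) new ObjectInputStream(new ByteArrayInputStream(refBytes)).readObject();
        if (!name.equals(ref.name)) return false;         // signed reference claims another name
        registry.put(name, ref);
        return true;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("DSA");
        g.initialize(2048);
        KeyPair appServer = g.generateKeyPair(), other = g.generateKeyPair();
        trusted.put("orders", appServer.getPublic());     // provisioned by the admin user
        byte[] ref = serialize(new RemoteRef("orders", "app1:1099"));
        System.out.println(bindIfAuthentic("orders", ref, sign(ref, appServer.getPrivate())));
        System.out.println(bindIfAuthentic("orders", ref, sign(ref, other.getPrivate())));
    }
}
```

The second bind attempt is refused because the reference was signed with a key the registry does not associate with "orders", which is the masquerade case raised in the thread.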