Monday, June 06, 2005

Using RMI over SSL authentication for application-level access control

Sun supports running RMI over SSL on its Java 2 platforms through a custom RMISocketFactory. When an application needs to enforce its own fine-grained access control, it is useful to obtain the Java security principal (java.security.Principal) that was authenticated over SSL.

The Java 2 SSLSocket class provides a getSession() method, which can be used to obtain the SSL principal that was authenticated. Unfortunately, by the time the RMI server method is invoked, the socket used to read the remote invocation parameters has been hidden by the RMI implementation.
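
As an added illustration (not code from the original post), here is a server socket factory that reads the authenticated principal from the SSL session at the one point where the server side still holds the SSLSocket. The class name and the callback are hypothetical, and key and trust material are assumed to come from the standard javax.net.ssl system properties. It does not tie the principal to a particular remote call, which is the gap described above.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketAddress;
import java.rmi.server.RMIServerSocketFactory;
import java.security.Principal;
import java.util.function.BiConsumer;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example: class name and callback are hypothetical, not part of the RMI API.
public class PeerAwareSslServerSocketFactory implements RMIServerSocketFactory {
    private final BiConsumer<SocketAddress, Principal> onAuthenticated;

    public PeerAwareSslServerSocketFactory(BiConsumer<SocketAddress, Principal> onAuthenticated) {
        this.onAuthenticated = onAuthenticated;
    }

    @Override
    public ServerSocket createServerSocket(int port) throws IOException {
        // Default SSLContext (javax.net.ssl.keyStore / javax.net.ssl.trustStore properties).
        final SSLSocketFactory sf = (SSLSocketFactory) SSLSocketFactory.getDefault();
        return new ServerSocket(port) {
            @Override
            public Socket accept() throws IOException {
                Socket plain = super.accept();
                SSLSocket ssl;
                try { // layer SSL over the accepted connection
                    ssl = (SSLSocket) sf.createSocket(
                            plain, plain.getInetAddress().getHostAddress(), plain.getPort(), true);
                } catch (IOException e) {
                    plain.close();
                    throw e;
                }
                ssl.setUseClientMode(false);  // act as the server side of the handshake
                ssl.setNeedClientAuth(true);  // handshake fails without a trusted client certificate
                // Fires after the handshake started by RMI's first read, so accept() never blocks on a peer.
                ssl.addHandshakeCompletedListener(event -> {
                    try {
                        Principal peer = event.getSession().getPeerPrincipal();
                        onAuthenticated.accept(event.getSocket().getRemoteSocketAddress(), peer);
                    } catch (SSLPeerUnverifiedException e) {
                        // Not expected with setNeedClientAuth(true); report nothing.
                    }
                });
                return ssl;
            }
        };
    }
}
```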
