[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[equinox-dev] Client side security store


I am currently working on creating an Eclipse RCP front end for the J2EE
Adventure Builder Blueprint application
(http://java.sun.com/blueprints). I am doing this work with Nick Edgar
and Pascal Rapicault in preparation for a joint tutorial at the JAOO
conference next week.

During this work we discussed client side security. Jeff McAffer got
involved in the discussion, and he asked me to post some of my thoughts
on this mailing list :)

As a start I must say that I am a "J2EE person", i.e. I work for a J2EE
vendor and most of my work has been in this field. I have some (minor)
experience with Eclipse RCP, and working with Nick and Pascal really got
me hooked on making "fat clients"/Smart Clients for J2EE again.

Well, on to the subject:

Being from the J2EE world I am used to having support for security
functionality in the framework and tools. I can e.g. configure key and
trust stores for SSL communication, the browser can cache my username
and password when I log in to a web application and so on. When I want
my user interface to be a Smart Client I am more of less on my own.

Therefore, in out opinion Eclipse RCP would benefit greatly from have
some kind of security housekeeping support. In simple scenarios you have
to deal with user names and passwords (for different users and different
back end connections). Often you cannot simply cache them on the
connection but have to cache them locally in your program.  
Furthermore, in Denmark digital signatures play a major role (we have a
national system where every citizens can get a digital signature which
can be used when communicating with the government (tax, health care and
so on)) and I expect it to be just as big in other countries. While
digital signatures can be handled pretty easily on the server they are
kind of hard to manage on the client side (you have to install them in
your trust store and so on).

Based on this we think that it would be really great if Eclipse
RCP had some kind of API and security store for helping to manage this.
While a pure Java solution could be developed, we think it would be
better to provide some kind of bridge to the security store of the
operation system, providing for the possibility to share security
settings between applications. On OSX they have something called a key
chain, on Linux (Gnome) they have a key ring, and I am sure that Windows
has a similar thing. These systems are basically security stores where
you can store user names, passwords, digital signatures and then
retrieve them at a later point. Integration with these security stores
though a common Eclipse RCP API would in our opinion be a major thing
for client security. I can imagine scenarios where a system
administrator can push digital signatures to security stores on client
machines and the RCP applications will then easily be able to use them
for connecting to web services and so on.

I do not know that much about these security stores from a technical
point of view, so the above is really just ideas for what we think would
be good tools for the programmer to have when dealing with client side
security. Maybe it can serve as a starting point for further discussion.

Claus Nyhus

Claus Nyhus Christensen
Software Engineer

Trifork, Margrethepladsen 3, 8000 Ãrhus C, Denmark
Phone: +45 8732 8787 / http://www.trifork.com