[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [equinox-dev] Client side security store

There has been discussions for the OSGi R4 framework to include a
certificate repository but time did not permit work in this area.

Any work in this direction is very interesting for OSGi because we
currently have a several specifications that require certificates but
we do not have a standardized repository.

Note that the User Admin has some features that move in the right
direction, and which are protected with Java 2 security.

Kind regards,

     Peter Kriens

CNC> Hi,

CNC> I am currently working on creating an Eclipse RCP front end for the J2EE
CNC> Adventure Builder Blueprint application
CNC> (http://java.sun.com/blueprints). I am doing this work with Nick Edgar
CNC> and Pascal Rapicault in preparation for a joint tutorial at the JAOO
CNC> conference next week.

CNC> During this work we discussed client side security. Jeff McAffer got
CNC> involved in the discussion, and he asked me to post some of my thoughts
CNC> on this mailing list :)

CNC> As a start I must say that I am a "J2EE person", i.e. I work for a J2EE
CNC> vendor and most of my work has been in this field. I have some (minor)
CNC> experience with Eclipse RCP, and working with Nick and Pascal really got
CNC> me hooked on making "fat clients"/Smart Clients for J2EE again.

CNC> Well, on to the subject:

CNC> Being from the J2EE world I am used to having support for security
CNC> functionality in the framework and tools. I can e.g. configure key and
CNC> trust stores for SSL communication, the browser can cache my username
CNC> and password when I log in to a web application and so on. When I want
CNC> my user interface to be a Smart Client I am more of less on my own.

CNC> Therefore, in out opinion Eclipse RCP would benefit greatly from have
CNC> some kind of security housekeeping support. In simple scenarios you have
CNC> to deal with user names and passwords (for different users and different
CNC> back end connections). Often you cannot simply cache them on the
CNC> connection but have to cache them locally in your program.  
CNC> Furthermore, in Denmark digital signatures play a major role (we have a
CNC> national system where every citizens can get a digital signature which
CNC> can be used when communicating with the government (tax, health care and
CNC> so on)) and I expect it to be just as big in other countries. While
CNC> digital signatures can be handled pretty easily on the server they are
CNC> kind of hard to manage on the client side (you have to install them in
CNC> your trust store and so on).

CNC> Based on this we think that it would be really great if Eclipse
CNC> RCP had some kind of API and security store for helping to manage this.
CNC> While a pure Java solution could be developed, we think it would be
CNC> better to provide some kind of bridge to the security store of the
CNC> operation system, providing for the possibility to share security
CNC> settings between applications. On OSX they have something called a key
CNC> chain, on Linux (Gnome) they have a key ring, and I am sure that Windows
CNC> has a similar thing. These systems are basically security stores where
CNC> you can store user names, passwords, digital signatures and then
CNC> retrieve them at a later point. Integration with these security stores
CNC> though a common Eclipse RCP API would in our opinion be a major thing
CNC> for client security. I can imagine scenarios where a system
CNC> administrator can push digital signatures to security stores on client
CNC> machines and the RCP applications will then easily be able to use them
CNC> for connecting to web services and so on.

CNC> I do not know that much about these security stores from a technical
CNC> point of view, so the above is really just ideas for what we think would
CNC> be good tools for the programmer to have when dealing with client side
CNC> security. Maybe it can serve as a starting point for further discussion.

CNC> Regards
CNC> Claus Nyhus
CNC> Trifork



-- 
Peter Kriens                              Mob +33633746480
9C, Avenue St. Drézéry                    Tel +33467542167
34160 Beaulieu, France                    Tel +15123514821
                                          Tel +33870447986
AOL,Yahoo, Skype pkriens                  ICQ 255570717