GSSAPI across a message oriented middleware.
Henry B. Hotz
hotz at jpl.nasa.gov
Mon Dec 15 19:11:04 EST 2008
krbdev-request at mit.edu wrote:
> Date: Fri, 12 Dec 2008 12:46:47 -0500
> From: "Dave Smith" <dave.smith.to at gmail.com>
> Subject: GSSAPI across a message oriented middleware.
> To: krbdev at mit.edu
> I'm exploring the possibility of using Kerberos and GSSAPI with our JMS
> based messaging system. Ideally, client applications would not connect
> directly to the Kerberos server, and all protocols would be implemented
> through the messaging system.
> However, all the protocols appear connection oriented, so I'm at an impasse.
> All client applications and services will be developed in Java.
> Does anyone have experience with this type of setup? Any help would be
> appreciated. Thanks.
Standard notice: this sort of question belongs on kerberos at mit.edu, not
here. This list is for issues relating to the MIT implementation of
That said, I've been down this path a few years ago. The JMS standards
explicitly exclude security. What that means in practice is that if you
get anything at all it's custom to the specific implementation, possibly
insecure, and probably torques your code into decidedly non-portable shapes.
JMS was designed to be deployed on intranets behind firewalls. The
prevalence of "slow consumer" performance impacts is another symptom of
the design target.
OTOH I see no fundamental reason why the standards should be
incompatible with operating over GSSAPI connections. If you have the
resources to push an update to the JMS specification please go for it.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu