GSSAPI across a message oriented middleware.

[Henry B. Hotz]

krbdev-request at mit.edu wrote:

> Date: Fri, 12 Dec 2008 12:46:47 -0500
> From: "Dave Smith" <dave.smith.to at gmail.com>
> Subject: GSSAPI across a message oriented middleware.
> To: krbdev at mit.edu
> Message-ID:
>         <5ea453f90812120946h3365f929w828de95e6c7591b8 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I'm exploring the the possibility of using Kerberos  and GSSAPI with our JMS
> based messaging system. Ideally, client applications would not connect
> directly to the kerberos server, and all protocols would be implemented
> through the messaging system.
> 
> However, all the protocols appear connection oriented, so I'm at an impass.
> All client applications and services will be developed in Java.
> 
> Does anyone have expreience with this type of setup. Any help would be
> appreciated. Thanks.
> 
> DS/

Standard notice:  this sort of question belongs on kerberos at mit.edu, not 
here.  This list is for issues relating to the MIT implementation of 
Kerberos itself.

That said, I've been down this path a few years ago.  The JMS standards 
explicitly exclude security.  What that means in practice is that if you 
get anything at all it's custom to the specific implementation, possibly 
insecure, and probably torques your code into decidedly non-portable shapes.

JMS was designed to be deployed on intranets behind firewalls.  The 
prevalence of "slow consumer" performance impacts is another symptom of 
the design target.

OTOH I see no fundamental reason why the standards should be 
incompatible with operating over GSSAPI connections.  If you have the 
resources to push an update to the JMS specification please go for it.

-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu