Thanks for the response, Rajini. It might be nice to support both but really I just need a mechanism to get hold of the client credentials when using SSL and then to do some extra custom authentication processing with the credentials. I was thinking that to do this it would make sense to optionally allow the configuration of a custom JAAS LoginModule to be used when authenticating with SSL so that authentication logic could be plugged in (just like the SASL SSL channel allows a configurable LoginModule). The credentials could then be obtained with the help of an X509 CallbackHandler. Also, if a login module is configured then it could return the principal instead of having to write a custom principal builder class.
I am happy to work on a pull request for this change. I'm not sure if a change like this would require a KIP but I can start a dev list thread to see what others think.

On Mon, Feb 13, 2017 at 7:10 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:

> Christopher,
>
> SSL client authentication is currently disabled when SASL_SSL is used, so
> it is not possible to use client certificate credentials with SASL_SSL. Are
> you expecting to authenticate clients using certificates as well as using
> SASL? Or do you just need some mechanism to get hold of the client
> credentials with SSL?
>
> Regards,
>
> Rajini
>
> On Fri, Feb 10, 2017 at 5:46 PM, Christopher Shannon <
> christopher.l.shan...@gmail.com> wrote:
>
> > I need to create a custom JAAS module for authentication but I need to
> > pass client certificate credentials as the principal. SASL_SSL mode has
> > support for a JAAS module but from looking at the source code there
> > doesn't appear to be a way to pass SSL client credentials to the module.
> > The only callback handlers are for username/password and for Kerberos.
> > However, the SSL mode can extract a principal from the client certificate
> > but when using SSL without SASL there appears to be no way to plug in a
> > JAAS module.
> >
> > So it seems that I am looking for kind of a combination of SSL and
> > SASL_SSL modes. Is there any way to configure out of the box what I am
> > trying to do or is this going to require a code change? I can work on a
> > pull request if necessary.