What is the (or a) recommended way to implement security for Scala Remote Actors (authentication of remote nodes allowed to speak to this actor, and encryption of the contents of the discussion)? Has anyone done this; how did it work out?

  • SSL...

  • some Java library...

  • some JSR...

  • custom serialization...

  • only VPN is going to work on this...

???

A: 

My guess is that the recommendation is not to use remote actors in situations where security is required, at least for now. It's a remote invocation of Scala code accessible only from Scala code, similar to Java RMI, so the intended usage is likely within the local network. I think it'll be cool to have a security layer on top of the existing remote actors. For now, make a web service using Lift?

eed3si9n
+2  A: 

"A" way, although definitely not "the" way, would be to encrypt all messages using XML Encryption (http://www.w3.org/TR/xmlenc-core/).

A few reasons this seems like a good idea:

  • Old/reliable Java libraries widely available.
  • Works at the application layer: easy to understand, debug and unit-test.
  • No need for network admin work as with VPN.
  • No need for server admin work as with SSL.
  • Published encryption schemes are always far better than any proprietary solution you might try to come up with on your own.

Of course, if you're going to take the leap into XML you might as well go the extra step to a Web Service as the other answerer suggested - but that comes at the cost of additional layers and more configuration.

My answer assumes this is a one-person project... In an enterprise environment you should actually push for separation of authority and adding more security layers than minimally necessary.

Alex R
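
The application-layer approach from the second answer, as an added example that is not part of either answer: a message is sealed with XML Encryption before it is handed to the remote actor and opened on receipt. It assumes Apache Santuario (`xmlsec`) as the Java library, a pre-shared AES key, and AES-GCM so that a message that was modified or sealed under another key fails to open; `SealedMessages`, `seal` and `open` are hypothetical names and the sample message is constructed.

```scala
// Added example, not the answerers' code. Assumes Apache Santuario (xmlsec)
// on the classpath and an AES key shared between the nodes out of band.
import java.io.{StringReader, StringWriter}
import javax.crypto.{KeyGenerator, SecretKey}
import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.transform.TransformerFactory
import javax.xml.transform.dom.DOMSource
import javax.xml.transform.stream.StreamResult
import org.apache.xml.security.encryption.XMLCipher
import org.apache.xml.security.utils.EncryptionConstants
import org.w3c.dom.{Document, Element}
import org.xml.sax.InputSource
import scala.util.Try

object SealedMessages {
  org.apache.xml.security.Init.init() // register Santuario's algorithms once

  private def parse(xml: String): Document = {
    val f = DocumentBuilderFactory.newInstance()
    f.setNamespaceAware(true) // xenc elements are namespace-qualified
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) // reject DTDs from peers
    f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
  }
  private def render(doc: Document): String = {
    val out = new StringWriter()
    TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out))
    out.toString
  }
  // Sender: replace the root element's content with an xenc:EncryptedData element.
  def seal(plainXml: String, key: SecretKey): String = {
    val doc = parse(plainXml)
    val cipher = XMLCipher.getInstance(XMLCipher.AES_128_GCM)
    cipher.init(XMLCipher.ENCRYPT_MODE, key)
    render(cipher.doFinal(doc, doc.getDocumentElement, true))
  }
  // Receiver: Failure covers malformed XML, a wrong key, or modified ciphertext (GCM tag check).
  def open(sealedXml: String, key: SecretKey): Try[String] = Try {
    val doc = parse(sealedXml)
    val enc = doc.getElementsByTagNameNS(EncryptionConstants.EncryptionSpecNS, "EncryptedData").item(0)
    val cipher = XMLCipher.getInstance()
    cipher.init(XMLCipher.DECRYPT_MODE, key)
    render(cipher.doFinal(doc, enc.asInstanceOf[Element]))
  }
  def main(args: Array[String]): Unit = {
    val kg = KeyGenerator.getInstance("AES"); kg.init(128)
    val key = kg.generateKey() // constructed sample key
    val wire = seal("<transfer><to>alice</to><amount>10</amount></transfer>", key)
    println(wire)                                   // what would be sent as the actor message
    println(open(wire, key))                        // Success with the original XML
    println(open(wire, kg.generateKey()).isSuccess) // different key: false, drop the message
  }
}
```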