Security Service

Note: The security APIs described in this section have been replaced by the support for CORBA Common Secure Interoperability (CSIv2).

The Novell exteNd Messaging Platform's ORB provides standard IIOP over SSL support as defined in the CORBAsecurity specification. In addition, it supports custom client authentication using pluggable protection spaces called realms. Additional security features include the ability of the ORB to listen only on a particular network interface of a multi-homed host, and support for access control based on the caller's IP address.


Note: Most of the security features listed here, including authentication, identity propagation, and IIOP/SSL, are only enabled for objects that use the POA. You can use either IDL or Java RMI to express your object interfaces.

Authentication Support
Security Realm
A realm defines a set of users and provides an API for authenticating them. When a principal wishes to authenticate itself, the ORB delegates the authentication request to the specific realm requested by the user.
Authenticator
The ORB provides a locality constrained initial object reference, Authenticator, that can be used by the clients to authenticate themselves with a desired realm. The authenticator provides support for basic as well as digest authentication schemes as defined in the HTTP 1.1 specification. The authenticator returns an AuthenticatedPrincipal that can be set at the thread or ORB level using the SecurityCurrent.
Security Current
SecurityCurrent is a locality constrained initial object that clients and servers use to set and get authenticated identities. It also provides support for impersonation.
POA Security Policy
The ORB provides a POA Security Policy that can be used to set the desired realm for a group of objects implemented in the POA. When a realm is specified, the POA makes sure that the client has authenticated itself with the given realm before it can access any objects implemented in the POA.
Basic Security Realm and the Realm Tool
The ORB comes with an implementation of the Security Realm, called the basic realm, that manages its own users and provides support for authentication. A tool is provided to manage instances of the basic realm.
Writing a Custom Security Realm
The ORB provides a basic realm implementation that it uses internally for protecting its own resources. Support is provided so that an application can write its own realm and register the realm implementation with the ORB.
Secure Bank Application
In this section we will show a sample program that demonstrates the various aspects of security support in the ORB.
Integrating with JDK 1.2 Security
This section defines the various ORB specific permissions that are enforced when running under Java 2. These permissions protect access to sensitive APIs like orb.shutdown.

All the examples can be run under Java 2 with the Java Security Manager enabled. To run with the security manager, make sure that the ORB is installed as a Java 2 extension and run the examples with the java.security.manager property pointing to the security.policy file.

Access Control
The ORB does not provide direct support for access control. The object implementation, or the POA Servant Manager can obtain the caller's identity using the SecurityCurrent object. It can then do the desired access control. It can also find out the IP address of the caller and do access control based on IP address.

A simple example of access control can be found in the Secure Bank Application where the AccountBalances object verifies that the caller is principal bankserver@bank before it hands out the AccountRecord for a given account.
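
The kind of check described above, as an added Java example (not code from the Secure Bank Application or the ORB). The Caller class is a hypothetical stand-in for the identity and IP address a servant obtains from the ORB, and the 10.1.2.0/24 subnet is an assumed deployment value.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class AccountAccessGuard {
    /** Hypothetical stand-in for the identity and address a servant reads from the ORB. */
    static final class Caller {
        final String principal;      // "name@realm", or null if unauthenticated
        final InetAddress address;
        Caller(String principal, String ip) throws UnknownHostException {
            this.principal = principal;
            this.address = InetAddress.getByName(ip); // IP literal: no DNS lookup
        }
    }

    private final String allowedPrincipal;
    private final byte[] network;
    private final int prefixLen;

    AccountAccessGuard(String allowedPrincipal, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        if (parts.length != 2) throw new IllegalArgumentException("expected addr/prefix: " + cidr);
        this.allowedPrincipal = allowedPrincipal;
        this.network = InetAddress.getByName(parts[0]).getAddress();
        this.prefixLen = Integer.parseInt(parts[1]);
        if (prefixLen < 0 || prefixLen > network.length * 8)
            throw new IllegalArgumentException("bad prefix length: " + cidr);
    }

    /** Deny by default: both the principal and the source network must match. */
    boolean isAllowed(Caller c) {
        if (c == null || c.principal == null) return false;      // unauthenticated caller
        if (!allowedPrincipal.equals(c.principal)) return false; // exact, case-sensitive match
        byte[] a = c.address.getAddress();
        if (a.length != network.length) return false;            // IPv4 vs IPv6 mismatch
        int full = prefixLen / 8, rem = prefixLen % 8;
        for (int i = 0; i < full; i++) if (a[i] != network[i]) return false;
        if (rem == 0) return true;
        int mask = (0xFF << (8 - rem)) & 0xFF;                   // partial-byte prefix bits
        return (a[full] & mask) == (network[full] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample callers, not captured traffic.
        AccountAccessGuard guard = new AccountAccessGuard("bankserver@bank", "10.1.2.0/24");
        Caller[] callers = { new Caller("bankserver@bank", "10.1.2.17"),
            new Caller("bankserver@bank", "10.9.9.9"), new Caller("teller@bank", "10.1.2.17"),
            new Caller(null, "10.1.2.17") };
        for (Caller c : callers)
            System.out.println(c.principal + " from " + c.address.getHostAddress()
                + " -> " + (guard.isAllowed(c) ? "allow" : "deny"));
    }
}
```

An IP address check is only as trustworthy as the network path, so the example requires it in addition to the authenticated principal rather than instead of it.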

Integrity and Confidentiality (IIOP/SSL)
Integrity and confidentiality are provided by the IIOP/SSL feature of the ORB.

Copyright © 1998-2003, Novell, Inc. All rights reserved.