Security Current

The SecurityCurrent interface is used to set/get the identity of the caller. When the authenticated principal is set, and the target POA object supports authentication, then the ORB automatically propagates the AuthenticatedPrincipal from the client to the target object using the IIOP service context.

The AuthenticatedPrincipal objects can be associated at two different levels - thread level, and ORB level. The thread level principal only affects the invocation made from that thread, while the ORB level principal applies to all threads that use the ORB. If both, the thread level and ORB level principals are set, the thread level principal takes precedence.

When an invocation comes into a server, and the invocation contains a Security Service context, the ORB automatically sets up the principal in the SecurityCurrent to the caller principal.

Figure 1: The SecurityCurrent API.
Method
Description
setORBPrincipal
Set the default principal. If the principal is already set, then it cannot be changed unless it is unset first.
getORBPrincipal
Get the default principal associated with the ORB. Note, that the
returned type is not an AuthenticatedPrincipal and can not be used to unset the AutheticatedPrincipal by malicious code.
unsetORBPrincipal
Unset the default principal associeted with the ORB. The principal currently set in the ORB is passed in as a capability.
stackThreadPrincipal
Impersonation support. Change the principal identity for a thread. You can return back to the original identity by using teh unstackThreadPrincipal method.
getThreadPrincipal
Get the principal associated with the current thread. Note, that the returned type is not an AuthenticatedPrincipal and can not be used to unset the AutheticatedPrincipal by malicious code.
unstackThreadPrincipal
Unstack the principal associated with this thread. If oldPrincipal, does not match the stacked principal, exception is thrown.
getPrincipal
Get the effective principal of the current thread. It returns the top most stacked thread level principal, if it exists; otherwise, it returns the ORB level principal.
getInetAddress
Get the IP address of the remote client. It returns null if
the client is local. For nested invocations done on behalf of the same remote invocations, the getInetAddress continues to return a non-null value.
getPort
Get the port of the remote client. It returns 0 if the client is local. For nested invocations done on behalf of the same remote invocations, the getPort continues to return a valid value.
getLocalAddress
Get the local IP address on which this invocation was received. It returns null if the client is local. For nested invocations done on behalf of the same remote invocations, the getLocalAddress continues to return a non-null value.
getLocalPort
Get the local IP port on which this invocation was received. It returns null if the client is local. For nested invocations done on behalf of the same remote invocations, the getLocalPort continues to return a valid value.
getNegotiatedCipherSuite Get the negotiated CipherSuite. On the client side, this method takes an object reference as a parameter. IIOP/SSL Only.
getCertificateChain Get the peers Certificate chain. On the client side, this method takes an object reference as a parameter. IIOP/SSL Only.

Impersonation

Using the stackThreadPrincipal and unstackThreadPrinciapl APIs, the server thread can run as a different identity. You can use this to make certain objects always run as a fixed identity or run each object method as a different Identity.



Copyright © 2003, 2004 Novell, Inc. All rights reserved. Copyright © 2001, 2002, 2003 SilverStream Software, LLC. All rights reserved.