web server - Borland Technical Publications
web server - Borland Technical Publications
web server - Borland Technical Publications
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
System Contracts<br />
■<br />
You can also use mutual authentication. In this case, <strong>Borland</strong> Enterprise Server not<br />
only authenticates itself, it also requires authentication from the requesting client.<br />
Clients are required to submit digital certificates issued by a trusted certificate<br />
authority. Mutual authentication is useful when you must restrict access to trusted<br />
clients only. For example, you might restrict access by accepting only clients with<br />
digital certificates provided by you.<br />
For more information, see “Getting Started with Security” in the Developer's Guide.<br />
Security Map<br />
In Section 7.5 of the Connectors 1.0 specification, a number of possible options are<br />
identified for defining a Resource Principal on the behalf of whom sign-on is being<br />
performed. VisiConnect implements the Principal Mapping option identified in the<br />
specification.<br />
Under this option, a resource principal is determined by mapping from the identity of<br />
the initiating caller principal for the invoking component. The resulting resource<br />
principal does not inherit the identity of security attributes of the principal that is it<br />
mapped from. Instead, the resource principal derives its identity and security attributes<br />
based on the defined mapping. Thus, to enable and use container-managed sign-on,<br />
VisiConnect provides the Security Map to specify the initiating principal association<br />
with a resourceprincipal. Expanding upon this model, VisiConnect provides a<br />
mechanism to map initiating caller roles to resource roles.<br />
If container-managed sign-on is requested by the component and no Security Map is<br />
configured for the deployed Resource Adapter, an attempt is made to obtain the<br />
connection using a null JAAS Subject object. This is supported based upon the<br />
Resource Adapter implementation.<br />
While the defined connection management system contracts define how security<br />
information is exchanged between the <strong>Borland</strong> Enterprise Server and the Resource<br />
Adapter, the determination to use container-managed sign-on or component-managed<br />
sign-on is based on deployment information defined for the component requesting a<br />
connection.<br />
The Security Map is specified with the security-map element in the ra-borland.xml<br />
deployment descriptor. This element defines the initiating role association with a<br />
resource role. Each security-map element provides a mechanism to define appropriate<br />
resource role values for the Resource Adapter and EIS sign-on processing. The<br />
security-map elements provide the means to specify a defined set of initiating roles and<br />
the corresponding resource role to be used when allocating managed connections and<br />
connection handles.<br />
A default resource role can be defined for the connection factory in the security-map<br />
element. To do this, specify a user-role value of “*” and a corresponding resource-role<br />
value. The defined resource-role is then utilized whenever the current identity if not<br />
matched elsewhere in the Security Map.<br />
This is an optional element. However, it must be specified in some form when<br />
container-managed sign-on is supported by the Resource Adapter and any component<br />
uses it. Additionally, the deployment-time population of the connection pool is<br />
attempted using the defined default resource role, given that one is specified.<br />
Security Policy Processing<br />
The Connectors 1.0 specification defines default security policies for any Resource<br />
Adapters running in an application <strong>server</strong>. It also defines a way for a Resource Adapter<br />
to provide its own specific security policies overriding the default.<br />
In compliance with this specification, <strong>Borland</strong> Enterprise Server dynamically modifies<br />
the runtime environment for Resource Adapters. If the Resource Adapter has not<br />
defined specific security policies, <strong>Borland</strong> Enterprise Server overrides the runtime<br />
environment for the Resource Adapter with the default security policies specified in the<br />
Chapter 26: VisiConnect overview 251