Borland VisiBroker® 7.0 - Borland Technical Publications
Share Embed Flag
Download ePaper

Borland VisiBroker® 7.0 - Borland Technical Publications

Borland VisiBroker® 7.0 - Borland Technical Publications Borland VisiBroker® 7.0 - Borland Technical Publications

borland.com
11.07.2015 Views

Authorization domainsMaking use of wildcard assertions, the role could also look like this:SalesSupervisor {*O=sales, *OU=managers}Or, even more simply:SalesSupervisor {*(O=sales, OU=managers)}All three code samples are different versions of the same rule.Other assertionsAuthorization domainsEach role provides limited extensibility to others. You may, as a part of a role entry,specify a role=existing-role-name assertion that can extend an earlier role. You canalso use customized code as your authorization mechanism rather than Role DBsyntax by using the Authorization Provider Interface.Recycling an existing roleYou can refer to the rules from an existing role by using the rule-reference assertion—role=role-name. For example, let's say we have a group of marketers who are alsosales supervisors that need to be authorized to the same code as Sales Supervisors.Building upon the SalesSupervisor code sample, we can create a new role entry asfollows:MarketSales {role=SalesSupervisor*(OU=marketing)}Now, everyone in role SalesSupervisor has access to the MarketSales role, as doesanyone in the “marketing” OU.NoteEach Role DB file is associated with an authorization domain. An authorization domainis a security context that is used to separate role DBs and hence their authorizationpermissions. For more information on the authorization domain in the context of thebasic security model, see “Basic security model” on page 9.EJBs can be deployed to multiple security contexts with different permissions androles.An authorization domain is associated with an EJB in its deployment descriptor.You may use as many authorization domains as you wish, provided they are allregistered with the VisiBroker ORB. You must do the following for each of yourauthorization domains:■■■■give it a name,set up default access,set up the Role DB,and set up alias(es).46 VisiBroker Security Guide

Authorization domainsTo accomplish these items, the following properties must be set. For more informationabout these properties, see Chapter 9, “Security Properties for Java” or Chapter 10,“Security Properties for C++”:Table 4.2ORB Properties for AuthorizationPropertyvbroker.security.authDomains=[, , , ...]vbroker.security.domain..defaultAccessRole=grant|denyvbroker.security.domain..rolemap_path=vbroker.security.domain..runas.=|usecaller-identityDescriptionA list of the authorization domain namesWhether or not to grant access to the domain bydefault in the absence of security roles forPath of the Role DB file associated with theauthorization domain domain-name. Althoughthis can be a relative path, Borland recommendsyou make this path fully-qualified.Use this property to set up an identity for the runasrole . The alias denotes an alias inthe vault. Use use-caller-identity to use thecaller principal itself as the principal identity forthe run-as role.Run-as AliasNoteRun-as aliases are not available under C++.A Run-as Alias is a string identifying an authentication identity. It is defined in the vaultand scoped within the VisiBroker ORB. This alias then represents a particular user.The identity is mapped to the alias using either the Context APIs or by defining it in thevault. The vault can contain a list of run-as aliases and the correspondingauthenticating credentials for the identity to run-as. In both cases, the authenticatingcredentials (from the vault or wallet) are passed to the LoginModules, whichauthenticate those credentials and set them as fully authenticated identitiescorresponding to those credentials in the run-as map.Authorization domains are then configured to run-as a given alias for a role in thatdomain. When a request is made to run-as a given role, then the authorization domainfor that context is consulted to get the corresponding run-as alias. The run-as map isthen consulted to get the identity corresponding to that alias, and this identity is used.Run-as identities can also be configured to be certificate identities and not justusername/password identities.Run-as mappingNoteRun-as mapping is not available under C++.Setting the vbroker.security.domain..runas. propertyeffectively maps an alias to a bean's run-as role. Upon successful authorization, butbefore method invocation, the container checks the Run-as role specified in the EJB'sdeployment descriptor for the called method. If a run-as role exists, the containerchecks to see if there is an alias as well. If there is, when the bean makes an outgoinginvocation it switches to the identity for that alias.If, however, no alias is specified (that is, the run-as role name is set to use-calleridentity),the caller principal name is used.Chapter 4: Authorization 47

Authorization domainsTo accomplish these items, the following properties must be set. For more informationabout these properties, see Chapter 9, “Security Properties for Java” or Chapter 10,“Security Properties for C++”:Table 4.2ORB Properties for AuthorizationPropertyvbroker.security.authDomains=[, , , ...]vbroker.security.domain..defaultAccessRole=grant|denyvbroker.security.domain..rolemap_path=vbroker.security.domain..runas.=|usecaller-identityDescriptionA list of the authorization domain namesWhether or not to grant access to the domain bydefault in the absence of security roles forPath of the Role DB file associated with theauthorization domain domain-name. Althoughthis can be a relative path, <strong>Borland</strong> recommendsyou make this path fully-qualified.Use this property to set up an identity for the runasrole . The alias denotes an alias inthe vault. Use use-caller-identity to use thecaller principal itself as the principal identity forthe run-as role.Run-as AliasNoteRun-as aliases are not available under C++.A Run-as Alias is a string identifying an authentication identity. It is defined in the vaultand scoped within the VisiBroker ORB. This alias then represents a particular user.The identity is mapped to the alias using either the Context APIs or by defining it in thevault. The vault can contain a list of run-as aliases and the correspondingauthenticating credentials for the identity to run-as. In both cases, the authenticatingcredentials (from the vault or wallet) are passed to the LoginModules, whichauthenticate those credentials and set them as fully authenticated identitiescorresponding to those credentials in the run-as map.Authorization domains are then configured to run-as a given alias for a role in thatdomain. When a request is made to run-as a given role, then the authorization domainfor that context is consulted to get the corresponding run-as alias. The run-as map isthen consulted to get the identity corresponding to that alias, and this identity is used.Run-as identities can also be configured to be certificate identities and not justusername/password identities.Run-as mappingNoteRun-as mapping is not available under C++.Setting the vbroker.security.domain..runas. propertyeffectively maps an alias to a bean's run-as role. Upon successful authorization, butbefore method invocation, the container checks the Run-as role specified in the EJB'sdeployment descriptor for the called method. If a run-as role exists, the containerchecks to see if there is an alias as well. If there is, when the bean makes an outgoinginvocation it switches to the identity for that alias.If, however, no alias is specified (that is, the run-as role name is set to use-calleridentity),the caller principal name is used.Chapter 4: Authorization 47

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!