Borland VisiBroker® 7.0 - Borland Technical Publications
Step Four: If necessary, set up identity assertion

When a client invokes a method on a mid-tier server which, in the context of this request, invokes an end-tier server, the identity of the client is internally asserted by the mid-tier server by default. Therefore, if getCallerSubject is called on the end-tier server, it returns the client's principal; here the client's identity has been asserted by the mid-tier server. The identity can be a username or a certificate. The client's private credentials, such as private keys or passwords, are not propagated on assertion. This implies that such an identity cannot be authenticated at the end-tier: the end-tier has no credential to check and can only decide whether it trusts the mid-tier that made the assertion.

If you want to override the default identity assertion, there are APIs available to assert a given Principal. These APIs can be called only on mid-tier servers, in the context of an invocation, and with special permissions.

Examining SSL related information

Clients

Borland VisiBroker provides APIs to inspect and set SSL-related information. The SecureContext API is used to inspect the SSL ciphersuites and enable selected ciphers. To examine peer certificates, use getPeerSession() to return an SSLSession object associated with the target. You can then use standard JSSE APIs to obtain the information therein.

Servers

To examine peer certificates on the server side, set up the SSL connection with com.borland.security.Context and use the APIs in com.borland.security.Current to examine the SSLSession object associated with the thread.

Creating Custom Plugins

Various components of VisiSecure allow for custom plug-ins. They are:

■ LoginModules
■ CallBack Handlers
■ Authorization service provider via the SPI
■ Assertion Trust via the SPI

In order for VisiSecure for C++ to find user implementations, all plugins must use the REGISTER_CLASS macro provided by VisiSecure to register their classes with the security service.
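The three-tier flow described above, as an added example that is not part of the VisiBroker guide or product: a small C++ model of default identity assertion. Principal, Subject, CallContext, MidTier, EndTier and the trusted-asserter set are hypothetical stand-ins (the real types and getCallerSubject belong to the VisiSecure API), and the user table and passwords are constructed. It shows what actually travels between tiers (only the public principal plus the asserting server's identity), why the end-tier cannot re-authenticate an asserted identity and therefore has to decide whether it trusts the asserter, and that overriding the asserted principal is gated on a permission the mid-tier must hold.

```cpp
// Added example, not VisiBroker code: a model of default identity assertion.
// Principal, Subject, CallContext, MidTier and EndTier are hypothetical
// stand-ins for the VisiSecure types and for getCallerSubject.
#include <map>
#include <optional>
#include <set>
#include <string>
#include <utility>

struct Principal { std::string name; };   // user name or certificate subject

// The private credential (password or private key) is what the mid-tier
// authenticates against; it never leaves the client.
struct Subject {
    Principal principal;
    std::optional<std::string> privateCredential;
};

// Context propagated from mid-tier to end-tier: the asserted principal and the
// asserting server's identity. No password or key is carried.
struct CallContext {
    std::optional<Principal> assertedPrincipal;
    std::string asserter;
};

class EndTier {
public:
    explicit EndTier(std::set<std::string> trustedAsserters) : trusted_(std::move(trustedAsserters)) {}
    // Stands in for getCallerSubject on the end-tier. The asserted identity
    // cannot be re-authenticated (no credential arrived with it); the only
    // available check is whether the asserting server is trusted.
    std::optional<Principal> callerPrincipal(const CallContext& ctx) const {
        if (!ctx.assertedPrincipal || trusted_.count(ctx.asserter) == 0) return std::nullopt;
        return ctx.assertedPrincipal;
    }
private:
    std::set<std::string> trusted_;
};

class MidTier {
public:
    MidTier(std::string identity, std::map<std::string, std::string> users, bool mayOverride)
        : identity_(std::move(identity)), users_(std::move(users)), mayOverride_(mayOverride) {}

    // Default: authenticate the client locally, then call the end-tier with
    // the client's own principal asserted.
    std::optional<Principal> invoke(const Subject& client, const EndTier& end) const {
        if (!authenticate(client)) return std::nullopt;
        return forward(client.principal, end);
    }
    // Override: assert a different principal; allowed only with the special
    // permission the text requires.
    std::optional<Principal> invokeAs(const Subject& client, const Principal& asserted,
                                      const EndTier& end) const {
        if (!authenticate(client) || !mayOverride_) return std::nullopt;
        return forward(asserted, end);
    }
private:
    // Constructed password check standing in for the configured LoginModule.
    bool authenticate(const Subject& c) const {
        auto it = users_.find(c.principal.name);
        return it != users_.end() && c.privateCredential && *c.privateCredential == it->second;
    }
    std::optional<Principal> forward(const Principal& p, const EndTier& end) const {
        CallContext ctx;
        ctx.assertedPrincipal = p;   // public identity only
        ctx.asserter = identity_;    // the private credential is deliberately not copied
        return end.callerPrincipal(ctx);
    }
    std::string identity_;
    std::map<std::string, std::string> users_;   // constructed name -> password table
    bool mayOverride_;
};

// Scenarios on constructed data so the outcomes can be checked.
namespace demo {
inline EndTier endTier() { return EndTier({"mid.example"}); }
inline Subject alice() { return Subject{Principal{"alice"}, std::string("s3cret")}; }

// Trusted mid-tier, valid client: the end-tier sees "alice", never her password.
inline std::string nameSeenViaTrustedMidTier() {
    MidTier mid("mid.example", {{"alice", "s3cret"}}, false);
    auto p = mid.invoke(alice(), endTier());
    return p ? p->name : "";
}
// Same client, asserted by a server the end-tier does not trust.
inline bool untrustedAsserterRejected() {
    MidTier rogue("rogue.example", {{"alice", "s3cret"}}, false);
    return !rogue.invoke(alice(), endTier()).has_value();
}
// A wrong password is stopped at the mid-tier.
inline bool badCredentialRejected() {
    MidTier mid("mid.example", {{"alice", "s3cret"}}, false);
    Subject s = alice();
    s.privateCredential = "wrong";
    return !mid.invoke(s, endTier()).has_value();
}
// Overriding the asserted identity requires the special permission.
inline bool overrideNeedsPermission() {
    MidTier noPerm("mid.example", {{"alice", "s3cret"}}, false);
    MidTier withPerm("mid.example", {{"alice", "s3cret"}}, true);
    auto denied = noPerm.invokeAs(alice(), Principal{"service"}, endTier());
    auto allowed = withPerm.invokeAs(alice(), Principal{"service"}, endTier());
    return !denied.has_value() && allowed && allowed->name == "service";
}
}  // namespace demo
```

Because no private credential crosses the mid-tier boundary, the end-tier's decision rests entirely on the asserter's identity, which is the kind of policy the Assertion Trust plug-in point listed later on this page exists to express; a mid-tier outside the trusted set has its assertions dropped, which is the control you want when a mid-tier host is compromised.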
When specifying the registered class, the name of the class must be given in full, together with its namespace. Namespaces must be specified in a normalized form, as a string separated by either "." or "::", starting from the outermost namespace. For example:

namespace MyNameSpace {
    class MyLoginModule {
        ...
    };
}

would be specified as either MyNameSpace.MyLoginModule or MyNameSpace::MyLoginModule.

74 VisiBroker Security Guide
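An added example, not VisiSecure's code, of the naming and registration rules above: a normalizer that makes both separator styles name the same class, a registry that plays the part of REGISTER_CLASS, and a custom LoginModule registered under MyNameSpace::MyLoginModule and then resolved through the name a configuration file would use. The LoginModule method set (login/commit/abort), PluginRegistry, DEMO_REGISTER_CLASS and authenticateWith are assumptions made for this example; the real vbsec::LoginModule interface and the REGISTER_CLASS macro are documented in the Security SPI chapter. The credential table is constructed.

```cpp
// Added example, not VisiSecure code: plugin name normalization, a registry in
// the role of REGISTER_CLASS, and a custom LoginModule. The LoginModule method
// set and DEMO_REGISTER_CLASS are hypothetical stand-ins for vbsec::LoginModule
// and REGISTER_CLASS; the real signatures are in the Security SPI chapter.
#include <cstddef>
#include <functional>
#include <map>
#include <memory>
#include <optional>
#include <string>

// Accept "." or "::" as the namespace separator, as the text describes, and
// return the canonical "::" form, so "a.b.C", "a::b::C" and a mixed "a.b::C"
// all name the same registered class.
std::string normalizeClassName(const std::string& name) {
    std::string out;
    for (std::size_t i = 0; i < name.size(); ++i) {
        if (name[i] == '.') {
            out += "::";
        } else if (name[i] == ':' && i + 1 < name.size() && name[i + 1] == ':') {
            out += "::";
            ++i;
        } else {
            out += name[i];
        }
    }
    return out;
}

// Hypothetical two-phase contract (login, then commit or abort), modeled on JAAS.
class LoginModule {
public:
    virtual ~LoginModule() = default;
    virtual bool login(const std::string& user, const std::string& password) = 0;
    virtual std::optional<std::string> commit() = 0;   // committed principal name
    virtual void abort() = 0;
};

// The class table that REGISTER_CLASS feeds: normalized name -> factory.
class PluginRegistry {
public:
    using Factory = std::function<std::unique_ptr<LoginModule>()>;
    static PluginRegistry& instance() { static PluginRegistry r; return r; }
    void registerClass(const std::string& qualifiedName, Factory f) {
        factories_[normalizeClassName(qualifiedName)] = std::move(f);
    }
    std::unique_ptr<LoginModule> create(const std::string& qualifiedName) const {
        auto it = factories_.find(normalizeClassName(qualifiedName));
        return it == factories_.end() ? nullptr : it->second();
    }
private:
    std::map<std::string, Factory> factories_;
};

// Registers cls under its stringified fully qualified name during static
// initialization, which is the job REGISTER_CLASS does for VisiSecure.
#define DEMO_CAT2(a, b) a##b
#define DEMO_CAT(a, b) DEMO_CAT2(a, b)
#define DEMO_REGISTER_CLASS(cls)                                                \
    [[maybe_unused]] static const bool DEMO_CAT(demoRegistered_, __LINE__) =    \
        (PluginRegistry::instance().registerClass(                              \
             #cls, [] { return std::unique_ptr<LoginModule>(new cls()); }),    \
         true)

namespace MyNameSpace {
class MyLoginModule : public LoginModule {
public:
    bool login(const std::string& user, const std::string& password) override {
        auto it = users_.find(user);
        // Constructed table and a plain comparison, for illustration only.
        if (it == users_.end() || it->second != password) return false;
        pending_ = user;            // phase one: remember, do not publish yet
        return true;
    }
    std::optional<std::string> commit() override {
        committed_ = pending_;      // phase two: publish the principal
        pending_.reset();
        return committed_;
    }
    void abort() override { pending_.reset(); committed_.reset(); }
private:
    std::map<std::string, std::string> users_{{"alice", "s3cret"}};
    std::optional<std::string> pending_, committed_;
};
}  // namespace MyNameSpace

DEMO_REGISTER_CLASS(MyNameSpace::MyLoginModule);

// Resolve the class exactly as named in the authentication configuration, in
// either separator style, and run the two-phase login.
std::optional<std::string> authenticateWith(const std::string& configuredClass,
                                            const std::string& user,
                                            const std::string& password) {
    auto module = PluginRegistry::instance().create(configuredClass);
    if (!module) return std::nullopt;                 // unregistered plugin class
    if (!module->login(user, password)) {
        module->abort();
        return std::nullopt;
    }
    return module->commit();
}
```

The point of normalizing at both registration and lookup is that a configuration file written with "." and a REGISTER_CLASS invocation written with "::" still meet in the same table entry; a module whose name does not resolve is simply not loaded, so a typo in either place is a silent loss of authentication rather than an error.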
LoginModules

You can implement your own LoginModules by extending vbsec::LoginModule. To use the LoginModule, you need to set it in the authentication configuration file, just like any other LoginModule. During runtime, the new customized module will need to be loaded by the secured application.

The syntax of the authentication configuration is as follows:

{ ;}

Note: There is implicit replacement of the character "." by "::" in VisiSecure. Hence, com.borland.security.provider.authn.HostLoginModule is equivalent to com::borland::security::provider::authn::HostLoginModule.

CallbackHandlers

You can implement your own callback handler by extending vbsec::CallbackHandler. To use the callback handler, set the property vbroker.security.authentication.callbackHandler= in the security property file, just like any other callback handler. During runtime, the new customized module will need to be loaded by the secured application.

Authorization Service Provider

Authorization is the process of making access control decisions on behalf of certain resources based on security attributes or privileges. VisiSecure uses the notion of Permission in authorization. The class RolePermission is defined to represent a "role" as a permission. Authorization Service Providers in turn provide the implementation of the homogeneous collection of role permissions that associate privileges with particular resources.

Authorization service providers are tightly connected with Authorization Domains. Each domain has exactly one authorization service provider implementation.
During the initialization of the ORB, the authorization domains defined by vbroker.security.authDomains are constructed, and the Authorization Service Provider implementation is instantiated during the construction of the domain itself.

To plug in an authorization service, you need to set the following properties:

vbroker.security.auth.domains=MyDomain
vbroker.security.domain.MyDomain.provider=MyProvider
vbroker.security.domain.MyDomain.property1=xxx
vbroker.security.domain.MyDomain.property2=xxx
vbroker.security.identity.attributeCodecs=MyCodec
vbroker.security.adapter.MyCodec.property1=xxx
vbroker.security.adapter.MyCodec.property2=xxx

The properties specified are passed to the user plugin following the same mechanism as above. Note that the list spells the domain-list property vbroker.security.auth.domains while the paragraph above refers to vbroker.security.authDomains; confirm the spelling against the Security Properties for C++ chapter before relying on it.

Chapter 7: Making Secure Connections (C++) 75
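An added example, not VisiSecure's code, of how the properties above reach a provider: the domain list is read, every vbroker.security.domain.MyDomain.* key is collected into the options handed to that domain's single provider when the domain is built, and RolePermission checks are delegated to that provider. AuthorizationProvider, AuthorizationDomain, MyProvider, hasRole and the rolemap option (used here in place of property1/property2) are hypothetical; the sample property text is constructed.

```cpp
// Added example, not VisiSecure code: wiring the property list above into an
// authorization domain and its provider, then evaluating a RolePermission.
// AuthorizationProvider, AuthorizationDomain, MyProvider and the "rolemap"
// option are hypothetical stand-ins for the real SPI and its options.
#include <map>
#include <memory>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

using Properties = std::map<std::string, std::string>;

// Parse "key=value" lines; blank lines and '#' comments are ignored.
Properties parseProperties(const std::string& text) {
    Properties props;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        auto eq = line.find('=');
        if (line.empty() || line[0] == '#' || eq == std::string::npos) continue;
        props[line.substr(0, eq)] = line.substr(eq + 1);
    }
    return props;
}

std::vector<std::string> splitList(const std::string& s, char sep) {
    std::vector<std::string> out;
    std::istringstream in(s);
    for (std::string item; std::getline(in, item, sep);)
        if (!item.empty()) out.push_back(item);
    return out;
}

std::string getOr(const Properties& p, const std::string& key, const std::string& dflt = "") {
    auto it = p.find(key);
    return it == p.end() ? dflt : it->second;
}

// Everything under vbroker.security.domain.<name>. is handed to that domain's
// provider as its options, prefix stripped (the "same mechanism" in the text).
Properties domainOptions(const Properties& props, const std::string& domain) {
    const std::string prefix = "vbroker.security.domain." + domain + ".";
    Properties opts;
    for (const auto& [k, v] : props)
        if (k.compare(0, prefix.size(), prefix) == 0) opts[k.substr(prefix.size())] = v;
    return opts;
}

struct RolePermission { std::string resource; std::string role; };   // a role as a permission

class AuthorizationProvider {
public:
    virtual ~AuthorizationProvider() = default;
    virtual bool implies(const std::string& principal, const RolePermission& perm) const = 0;
};

// MyProvider reads a constructed "rolemap" option, "principal@resource=r1|r2;...",
// and answers whether a principal holds a role on a resource; anything not listed is denied.
class MyProvider : public AuthorizationProvider {
public:
    explicit MyProvider(const Properties& opts) {
        for (const auto& entry : splitList(getOr(opts, "rolemap"), ';')) {
            auto eq = entry.find('=');
            if (eq == std::string::npos) continue;
            for (const auto& role : splitList(entry.substr(eq + 1), '|'))
                grants_.insert(entry.substr(0, eq) + "=" + role);
        }
    }
    bool implies(const std::string& principal, const RolePermission& p) const override {
        return grants_.count(principal + "@" + p.resource + "=" + p.role) > 0;
    }
private:
    std::set<std::string> grants_;   // "principal@resource=role"
};

// Each domain owns exactly one provider, instantiated while the domain is built.
class AuthorizationDomain {
public:
    AuthorizationDomain(const std::string& name, const Properties& props) {
        Properties opts = domainOptions(props, name);
        const std::string provider = getOr(opts, "provider");
        if (provider == "MyProvider") provider_ = std::make_unique<MyProvider>(opts);
        else throw std::runtime_error("domain " + name + ": unknown provider '" + provider + "'");
    }
    bool check(const std::string& principal, const RolePermission& perm) const {
        return provider_->implies(principal, perm);
    }
private:
    std::unique_ptr<AuthorizationProvider> provider_;
};

// Constructed property text mirroring the list in the text; rolemap stands in for property1/property2.
const char* const kSampleProperties =
    "vbroker.security.auth.domains=MyDomain\n"
    "vbroker.security.domain.MyDomain.provider=MyProvider\n"
    "vbroker.security.domain.MyDomain.rolemap=alice@Bank=teller|auditor;bob@Bank=teller\n";

// Build every configured domain from the sample properties, then ask whether
// principal holds role on resource in the named domain.
bool hasRole(const std::string& domain, const std::string& principal,
             const std::string& resource, const std::string& role) {
    Properties props = parseProperties(kSampleProperties);
    std::map<std::string, AuthorizationDomain> domains;
    for (const auto& d : splitList(getOr(props, "vbroker.security.auth.domains"), ','))
        domains.emplace(d, AuthorizationDomain(d, props));
    auto it = domains.find(domain);
    return it != domains.end() && it->second.check(principal, RolePermission{resource, role});
}
```

Two design points carry over to a real provider: the provider only ever sees the keys under its own domain prefix, so a misplaced property (for example under vbroker.security.adapter.MyCodec.) never reaches it; and a domain whose provider name does not resolve fails at construction rather than silently falling back to allow-all.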