[omniORB] Security/Authentication

Hautesserres, Thomas thomas.hautesserres@managedstorage.fr
Thu Feb 27 08:38:02 2003


We have a similar problem with our CORBA application, and here is what we
are doing.

First, what we want to achieve is access control, first at the object level
(who has the right to access which object) and at the operation level (on a
given object, who has the right to access a given operation). We don't want
to pass a session ID or any security information to each call, as this would
"pollute" all our interfaces.

So what we have decided is:

- We have a security manager that can deliver security tokens against an
authentication. We are using login/password, but anything else could do the
trick. The returned token is an opaque structure, that has no meaning to
anyone outside the security manager itself.

- When a user wants to access an object, it must contact a Factory for this
kind of object. The factory is registered in a Naming Service. To retrieve
an object, the user must pass a valid token to the factory. The factory uses
the token to retrieve detailed information about the user from the security
manager (including user's permissions). If it's OK, the factory returns a
new object, which is associated with the user information (it's a hidden
attribute of the object).

- When the user finally calls an operation on its object, the object has the
ability to check the user permissions (not passed in each call, but
associated to the object itself) to authorize the call or not.

There are some drawbacks to that design pattern of course, the main one
being that one must manage the user objects (they must be destroyed once
they are not used anymore, and that can be tricky).

If you are interested, I can send you IDL files describing that architecture
in detail.
Send me an email at thomas@hautesserres.com.

Thomas

> Message: 1
> Date: Wed, 26 Feb 2003 16:46:11 -0600 (CST)
> Subject: Re: [omniORB] Security/Authentication
> From: "darryl" <developer@csrules.dyndns.org>
> To: <developer@csrules.dyndns.org>
> Cc: <omniorb-list@omniorb-support.com>
> 
> I've taken a gander at the mailing list archives, this
> seems to be a question that has been asked in the past
> but I could not find any consensus. Is
> it a bad idea to hand out "sessions" kind of like
> in a web application then specifically pass the session
> id with each call?
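
The token / factory / per-user object pattern described in the message above, as an added in-process sketch; it is not code from the original post and not the IDL the author offers. It uses no ORB, and the class names, permission strings and sample accounts are assumptions made for illustration.

```python
import secrets

# Constructed sample accounts: login -> (password, permissions); a real manager stores hashes.
USERS = {
    "alice": ("pw-alice", {"doc", "doc.read", "doc.write"}),
    "bob": ("pw-bob", {"doc", "doc.read"}),
    "carol": ("pw-carol", set()),
}

class SecurityManager:
    def __init__(self, users):
        self._users, self._tokens = users, {}
    def authenticate(self, login, password):
        record = self._users.get(login)
        if record is None or not secrets.compare_digest(record[0], password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)  # opaque: random, meaningful only to the manager
        self._tokens[token] = login
        return token
    def resolve(self, token):
        login = self._tokens.get(token)
        if login is None:
            raise PermissionError("unknown token")
        return login, frozenset(self._users[login][1])

class Document:
    def __init__(self, store, login, permissions):
        # Hidden attributes: bound by the factory, never passed in a call.
        self._store, self._login, self._permissions = store, login, permissions
    def _require(self, permission):  # operation-level check
        if permission not in self._permissions:
            raise PermissionError(f"{self._login} lacks {permission}")
    def read(self):
        self._require("doc.read")
        return self._store["text"]
    def write(self, text):
        self._require("doc.write")
        self._store["text"] = text

class DocumentFactory:
    def __init__(self, manager, store):
        self._manager, self._store = manager, store
    def create(self, token):
        login, permissions = self._manager.resolve(token)
        if "doc" not in permissions:  # object-level check
            raise PermissionError(f"{login} may not access documents")
        return Document(self._store, login, permissions)
```

In this sketch the permissions are copied into the object when the factory creates it, so a later change in the security manager only affects objects created afterwards.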