[omniORB] Security/Authentication

JHJE (Jan Holst Jensen) jhje@novonordisk.com
Thu Feb 27 09:50:02 2003


> From: "darryl" <developer@csrules.dyndns.org>
> 
> I've taken a gander at the mailing list archives, this
> seems to be a question that has been asked in the past
> but I could not find any consensus. Is
> it a bad idea to hand out "sessions" kind of like
> in a web application then specifically pass the session
> id with each call?

I am doing similar stuff, handing out "session cookies" from a separate
authentication service. The "session cookies" are then piggy-backed on the
IIOP requests using service contexts. The server can pick up the "session
cookies" from the tagged-on service requests using portable interceptors and
validate the clients that way (asking the authentication service whether the
"session cookie" is OK or not). 

This way you won't have to extend or rewrite your IDL to "security-enable"
it, which would be a bad thing IMHO. Can't tell from your message whether
you imply changing the interface or using an interceptor-mechanism (I
suppose the latter?).

Best regards

-- Jan
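
The flow described in the message above, as an added example that is not part of the original post and is not omniORB code: a pure-Python model with no ORB involved, in which a session cookie travels as a (context id, data) pair beside the request and is checked before the servant runs. `SESSION_CONTEXT_ID`, `AuthService`, the interceptor function names and the credential are hypothetical names and constructed values.

```python
import secrets, time

SESSION_CONTEXT_ID = 0x53455353  # hypothetical service context id, not an assigned one

class NoPermission(Exception):
    """Stands in for the CORBA NO_PERMISSION system exception."""

class AuthService:
    """Separate authentication service: issues and checks session cookies."""
    def __init__(self, ttl=300.0, clock=time.monotonic):
        self._ttl, self._clock, self._sessions = ttl, clock, {}

    def login(self, user, password):
        if (user, password) != ("alice", "constructed-password"):  # constructed credential
            raise NoPermission("bad credentials")
        cookie = secrets.token_bytes(32)  # unguessable and opaque: carries no user data
        self._sessions[cookie] = (user, self._clock() + self._ttl)
        return cookie

    def validate(self, cookie):
        user, expires = self._sessions.get(cookie, (None, 0.0))
        if user is None or self._clock() >= expires:
            self._sessions.pop(cookie, None)  # drop expired sessions on sight
            return None
        return user

def client_send_request(service_contexts, cookie):
    """Client-side interceptor: tag the cookie onto the outgoing request."""
    service_contexts.append((SESSION_CONTEXT_ID, cookie))

def server_receive_request(service_contexts, auth):
    """Server-side interceptor: runs before the servant and returns the caller."""
    cookies = [data for cid, data in service_contexts if cid == SESSION_CONTEXT_ID]
    if len(cookies) != 1:  # a missing or duplicated context is rejected outright
        raise NoPermission("expected exactly one session context")
    user = auth.validate(cookies[0])  # ask the authentication service
    if user is None:
        raise NoPermission("unknown or expired session")
    return user

def invoke(operation, args, service_contexts, auth, servant):
    """Dispatch: the operation's own signature never mentions the session."""
    caller = server_receive_request(service_contexts, auth)
    return getattr(servant, operation)(*args), caller
```

The cookie is a bearer credential, so in this model anyone who can read the request can replay it until it expires; the transport carrying it needs its own confidentiality protection.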