[omniORB] Security/Authentication/Interceptors

baileyk@schneider.com
Thu Feb 27 20:54:02 2003


I assume this is safe only for a client with a single application thread?
It looks like ucan_secure_ticket is shared by all threads and can only hold
one value.  Perhaps you should use thread specific storage on the client
side too? Otherwise what if a client is also a server? Also, why are these
three

omni_thread::key_t key;
const IOP::ServiceID UCAN_SECURE = 0x52434301;
char * ucan_secure_ticket = 0;

not declared static?

Thank you for the code.  I'm sure it will come in handy if I need to do
something similar.

Just to throw a simple option out there for passing around user identity:
How about placing them in the object id?  What I've done before is use a
POA with a default servant.  A factory object authenticates a user and
asks the default servant POA to create an object reference with an id with
embedded user ID.  Then the default servant can extract the user id from
_this() (or POA::Current I think) on each method call.  No interceptors
required.

Kendall
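An added example (not code from this thread, and not omniORB's API) that models the object-id approach described above in plain Python so it runs without an ORB: a factory mints an object id after authentication, and a single default servant recovers the caller's user id from that object id on every call. The dispatcher stands in for the POA handing the object id to PortableServer::Current. One assumption beyond the post: the object id also carries a keyed MAC over the user id, so a reference that a client assembled itself and that names another user is rejected rather than trusted.

```python
import hashlib
import hmac

# Added example, not code from the mailing-list thread. It models the
# "user identity embedded in the POA object id" design without a real ORB.
# Assumption beyond the post: the object id carries a keyed MAC so that a
# client cannot mint a reference naming some other user.

SERVER_KEY = b"constructed-example-key"  # assumption: known only to the server
TAG_LEN = 16


def make_object_id(user_id: str) -> bytes:
    """Factory side: called after the user has been authenticated.

    Returns the object id to hand to the POA when creating the reference.
    Layout: <user id> NUL <truncated HMAC-SHA256 over the user id>.
    """
    name = user_id.encode("utf-8")
    if b"\0" in name:
        raise ValueError("user id must not contain NUL")
    tag = hmac.new(SERVER_KEY, name, hashlib.sha256).digest()[:TAG_LEN]
    return name + b"\0" + tag


def user_from_object_id(object_id: bytes):
    """Servant side: recover the user id, or None if the id was not issued by us."""
    name, sep, tag = object_id.partition(b"\0")
    if not sep or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(SERVER_KEY, name, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return name.decode("utf-8")


class DefaultServant:
    """One servant for every object id; the id tells it who is calling."""

    def __init__(self, records):
        self._records = records  # constructed data: owner -> record text

    def dispatch(self, object_id: bytes, method: str, *args):
        # In a real POA the servant would ask PortableServer::Current for the
        # object id of the current request; here it is passed in explicitly.
        user = user_from_object_id(object_id)
        if user is None:
            raise PermissionError("object id not issued by this server")
        return getattr(self, "op_" + method)(user, *args)

    def op_whoami(self, user):
        return user

    def op_read_record(self, user, owner):
        # Authorisation decided per call from the identity in the object id.
        if user != owner:
            raise PermissionError(f"{user} may not read {owner}'s record")
        return self._records[owner]


def demo():
    servant = DefaultServant({"alice": "alice's data", "bob": "bob's data"})
    alice_ref = make_object_id("alice")        # issued by the factory after login
    forged_ref = b"bob\0" + b"\0" * TAG_LEN     # a client-assembled id naming bob
    results = {"whoami": servant.dispatch(alice_ref, "whoami")}
    results["own"] = servant.dispatch(alice_ref, "read_record", "alice")
    try:
        servant.dispatch(alice_ref, "read_record", "bob")
        results["other"] = "allowed"
    except PermissionError:
        results["other"] = "denied"
    try:
        servant.dispatch(forged_ref, "whoami")
        results["forged"] = "allowed"
    except PermissionError:
        results["forged"] = "denied"
    return results
```

Without the MAC, the object id is simply part of the reference the client holds, so whatever the factory wrote there is only as trustworthy as the client that presents it; the MAC makes the factory the only party able to issue a usable id.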


Bill Noon <noon@snow.nrcc.cornell.edu>
Sent by: omniorb-list-admin@omniorb-support.com
To: "darryl" <developer@csrules.dyndns.org>
cc: <omniorb-list@omniorb-support.com>, Bill Noon <noon@snow.nrcc.cornell.edu>
Subject: Re: [omniORB] Security/Authentication/Interceptors
02/27/2003 08:33 AM

Darryl -- I am doing something similar to Thomas and Jan.  I have a
server that the client must register with to get a token.  This token
is set in the client and added to a service context.  The other
services use this token to authorize calls.  Since the token is passed
in the clear, it is short-lived and tied to the client's IP address.

All the client/server code is in Python so I have made a C++ module to
add the interceptors and get/set the token.

Attached is the module and the setup.py file for compiling/installing
it.



--Bill Noon
Northeast Regional Climate Center
Cornell University
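An added example (not Bill's module and not omniORB code) that models the token scheme described above in plain Python so it runs without an ORB: a client registers with a token server, its interceptor puts the token into the outgoing service context list, and each service validates the token against the table before running a call. Assumptions beyond the message: tokens are random strings with a 300 second lifetime, the other services validate by consulting the token server's table, the caller's IP address is supplied by the transport (here passed in explicitly), and the service context id 0x52434301 is borrowed from the Object Pascal snippet quoted later in this thread.

```python
import os
import time

# Added example, not Bill's module or any omniORB code. Assumptions: random
# tokens, a 300 s lifetime, validation against the token server's own table,
# and a peer IP handed in by the caller rather than read from a connection.

UCAN_SECURE = 0x52434301  # service context id from the snippet quoted in this thread
TOKEN_LIFETIME = 300      # seconds; assumption


class TokenServer:
    def __init__(self, lifetime=TOKEN_LIFETIME, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock
        self._tokens = {}  # token -> (user, client_ip, expiry)

    def register(self, user, client_ip):
        """Issue a short-lived token bound to the registering client's address."""
        token = os.urandom(16).hex()
        self._tokens[token] = (user, client_ip, self._clock() + self._lifetime)
        return token

    def validate(self, token, client_ip):
        """Return the user for a live token presented from its bound address, else None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, bound_ip, expiry = entry
        if self._clock() >= expiry:
            del self._tokens[token]   # expired tokens are dropped on sight
            return None
        if bound_ip != client_ip:
            return None               # token replayed from another address
        return user


# Client side: the interceptor appends the token to the outgoing service contexts.
def add_token_context(service_contexts, token):
    service_contexts.append((UCAN_SECURE, token.encode("ascii")))
    return service_contexts


# Server side: pull the token back out of the received service contexts.
def extract_token_context(service_contexts):
    for context_id, data in service_contexts:
        if context_id == UCAN_SECURE:
            return data.decode("ascii")
    return None


def authorize_call(token_server, service_contexts, peer_ip):
    """What each service does before running a method: None means reject."""
    token = extract_token_context(service_contexts)
    if token is None:
        return None
    return token_server.validate(token, peer_ip)


def demo():
    now = [1000.0]                       # constructed clock
    ts = TokenServer(clock=lambda: now[0])
    token = ts.register("alice", "10.0.0.5")
    ctx = add_token_context([], token)   # what the client's interceptor sends
    results = {
        "same_ip": authorize_call(ts, ctx, "10.0.0.5"),
        "other_ip": authorize_call(ts, ctx, "10.0.0.6"),
        "no_context": authorize_call(ts, [], "10.0.0.5"),
    }
    now[0] += TOKEN_LIFETIME + 1
    results["expired"] = authorize_call(ts, ctx, "10.0.0.5")
    return results
```

The two checks in validate are exactly the two compensations the message names for a token that travels in the clear: a short lifetime bounds how long a captured token is useful, and the address binding means it is only useful from the host it was issued to.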


On Thursday, February 27, 2003, at 09:27 AM, darryl wrote:

> One question, I gathered from the mailing list that
> at the time the Python bindings couldn't do interceptors.
> Is this still the case or can you use interceptors with Python?
>
> -Darryl
>
>
>>> Can you post an example of how you do this? It sounds interesting.
>>
>> Sure. Although this code is in Object Pascal, it should be general
>> enough CORBA-wise to translate well to C++. "High(sc.context_data) +
>> 1"
>> returns the length of a service context octet sequence, and
>> "Move(....)"
>> is a mem -> mem copy function.
>>
>> This is still a work in progress, but I have the authenticator running
>> and the interceptors shown here work fine. The authentication service
>> has an IDL like