[omniORB] Publish object ref only to specified giops

Konstantin Olkhovskiy lupus at oxnull.net
Wed Jun 2 15:51:02 BST 2010


The purpose of such hacking was security. What stops a client from creating
an IOR by hand and calling an object which is not intended to be called from
that client? IORs are not signed or anything...
One idea for implementing such a feature is to serve different
components from two separate programs using different GIOP
endpoints... If one GIOP is 'public' and the other is 'private', the private
part of the system can invoke public objects using the public GIOP, but the public
part of the system can't use the private part because the private GIOP is not
physically (i.e. unix socket, VPN connection) accessible from the public
part. Also we could use different CA certificates there.
Will this do the trick without killing CORBA usability?

2010/6/1 Duncan Grisby <duncan at grisby.org>:
> On Wed, 2010-05-26 at 20:04 +0400, Konstantin Olkhovskiy wrote:
>
>> Is it possible to publish some object references to a specified GIOP?
>> For example, I have ObjectA and ObjectB and the server is listening on SSL
>> and unix sockets, and I want to publish ObjectA to both SSL and unix,
>> but ObjectB must be accessed only using unix.
>
> There's no way to ask omniORB itself to do it, but you can write code
> that directly manipulates IORs to have that effect. For inspiration,
> there is some C++ code that messes with IORs in the omniORB connection
> management extension in
> src/lib/omniORB/connections/omniConnectionMgmt.cc in the
> makeRestrictedReference function.
>
> If you're using Python, you can access the innards of object references
> by marshalling the reference into a buffer with cdrMarshal, then
> unmarshalling it again using the IDL definitions for IORs. I've attached
> the IDL you need and some simple code I had to hand that digs into an
> IOR. You should be able to use it as the basis for something that
> modifies the IORs as you require. After modification, you can do the
> cdrMarshal / cdrUnmarshal in reverse to turn it back into an object
> reference.
>
> Cheers,
>
> Duncan.
>
> --
>  -- Duncan Grisby         --
>  -- duncan at grisby.org     --
>   -- http://www.grisby.org --
>
>


-- 
Cheers,
Konstantin Olkhovskiy
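
As an added illustration (not part of either email and not omniORB's API), the following Python reads a stringified IOR at the raw CDR level, rather than through cdrMarshal and the IOR IDL mentioned in the quoted reply, and lists the profile and component tags it advertises, so a reference can be checked after it has been stripped for the public side. The names CDR, advertised and leaked, the sample IOR and its component tags are constructed for the example.

```python
import struct

class CDR:
    """Reader for one CDR encapsulation; octet 0 is the byte-order flag."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 1
        self.order = "<" if buf[0] else ">"
    def num(self, code):  # "B" octet, "H" ushort, "I" ulong
        size = struct.calcsize(self.order + code)
        start = -(-self.pos // size) * size  # align from encapsulation start
        self.pos = start + size
        return struct.unpack_from(self.order + code, self.buf, start)[0]
    def octets(self):  # sequence<octet>; CDR strings share this layout
        n = self.num("I")
        data, self.pos = self.buf[self.pos:self.pos + n], self.pos + n
        if len(data) != n:
            raise ValueError("truncated IOR")
        return data
    def tagged(self):  # sequence of (ulong tag, sequence<octet> data)
        return [(self.num("I"), self.octets()) for _ in range(self.num("I"))]

def advertised(ior):
    """Return (type_id, [(profile_tag, host, port, [component tags])])."""
    if not ior.startswith("IOR:"):
        raise ValueError("not a stringified IOR")
    outer = CDR(bytes.fromhex(ior[4:]))
    type_id = outer.octets()[:-1].decode("ascii")  # drop the NUL terminator
    found = []
    for tag, body in outer.tagged():
        host, port, comps = None, None, []
        if tag == 0:  # TAG_INTERNET_IOP: version, host, port, key, components
            p = CDR(body)
            version = (p.num("B"), p.num("B"))
            host, port = p.octets()[:-1].decode("ascii"), p.num("H")
            p.octets()  # object key, not needed for this check
            comps = p.tagged() if version >= (1, 1) else []
        elif tag == 1:  # TAG_MULTIPLE_COMPONENTS: components only
            comps = CDR(body).tagged()
        found.append((tag, host, port, [t for t, _ in comps]))
    return type_id, found

def leaked(ior, denied):  # denied component tags the reference still advertises
    return sorted({t for *_, comps in advertised(ior)[1] for t in comps if t in denied})

# Constructed sample: big-endian IOR, one IIOP 1.2 profile (localhost:2809)
# carrying two components with constructed tags 20 and 0x7fff0001.
SAMPLE = ("IOR:00000000" "0000000d49444c3a44656d6f3a312e3000000000" "00000001"
          "00000000" "00000035" "000102000000000a6c6f63616c686f7374000af9"
          "000000046b657931" "00000002" "0000001400000002" "00000000" "7fff000100000001" "00")
```

A check like leaked(reference, {private_tag}) only confirms what the reference advertises. Because IORs are unsigned, reachability of the private endpoint still has to be restricted at the transport, as the message above proposes.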


