Overview

As discussed in the Oracle8i Java Developer's Guide, there are several security issues you must think about for your application. The Oracle8i Java Developer's Guide divides security into network connection, database contents, and JVM security issues. All these issues are pertain to IIOP. However, IIOP has specific implementation issues for both the networking and the JVM security, as listed below:

• JVM security includes both utilizing Java2 permissions and granting execution rights. For IIOP, you can grant execution privileges in one of two ways:
  • CORBA--The owner grants execution rights to CORBA objects with an option on the loadjava tool. See the loadjava discussion in the Oracle8i Java Developer's Guide for information on granting execution rights when loading the CORBA classes.

  • EJB--The owner grants execution rights to EJB objects and, potentially, methods within the deployment descriptor. See the section on "Access Control" in the Oracle8i Enterprise JavaBeans Developer's Guide for more information on defining execution rights within your deployment descriptor.

• Network connection security includes the following issues:
  • Data Integrity--To prevent a sniffer from reading the transmission directly off the wire, all transmissions are encoded. Oracle supports Secure Socket Layer (SSL) for encryption.

  • Authentication--To prevent an invalid user from impersonating a valid user, the client or server provides authentication information. This information can take the form of a username/password combination or certificates.

  • Authorization--To prove that the user is allowed access to the object, two types of authorization are performed:

    - Session authorization--The session is authorized to the user. In this case, the client is authorized to access the server through validating either the username or certificate provided.

    - User authorization--The client or server can perform authorization on a provided certificate. This type of authorization can be performed only when the client or server authenticates itself by providing a certificate.

This section describes fully the network connection security issues that IIOP applications must consider.

---