|
|
This topic contains the C++ method descriptions for the WLE Security Service.
SecurityLevel1::Current::get_attributes
Synopsis
Returns attributes for the Current interface.
OMG IDL Definition
Security::AttributeList get_attributes(
in Security::AttributeTypeList attributes
);
};Argument
- attributes
- The set of security attributes (privilege attribute types) whose values are desired. If this list is empty, all attributes are returned.
Description
This method gets privilege (and other) attributes from the principal's credentials for the Current interface.
Return Values
The following table describes valid return values.
Table 11-1
Return Value
Meaning
Empty (Public is returned when no authentication was performed)
Null terminated ASCII string containing the WLE name of the principal
Note: The other attribute types are never returned. The defining_authority field is always empty.
Note: This information is taken from CORBAservices: Common Object Services Specification, pp. 15-103, 104. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Synopsis
Authenticates the principal and optionally obtains credentials for the principal.
OMG IDL Definition
Security::AuthenticationStatus
authenticate(
in Security::AuthenticationMethod method,
in Security::SecurityName security_name,
in Security::Opaque auth_data,
in Security::AttributeList privileges,
out Credentials creds,
out Security::Opaque continuation_data,
out Security::Opaque auth_specific_data );Arguments
- method
- The security mechanism to be used. Valid values are Tobj::TuxedoSecurity and Tobj::CertificateBased .
- security_name
- The principal's identification information (for example, logon information). The value must be a pointer to a NULL-terminated string containing the user name of the principal. The string is limited to 30 characters, excluding the NULL character.
- When using certificate-based authentication, this name is used to look up a certificate in the LDAP-enabled directory service. It is also used as the basis for the name of the file in which the private key is stored. For example:
- milozzi@company.com is email address used to look up a certificate in the LDAP-enabled directory service and milozzi_company.pem is the name of the private key file.
- auth_data
- The principals' authentication, such as their password or private key. If the Tobj:TuxedoSecurity security mechanism is specified, the value of this argument is dependent on the configured level of authentication. If the Tobj::CertificateBased argument is specified, the value of this argument is the pass phrase used to decrypt the private key of the principal.
- privileges
- The privilege attributes requested.
- creds
- The object reference of the newly created Credentials object.The object reference is not fully initialized; therefore, the object reference cannot be used until the return value of the SecurityLevel2::Current::authenticate method is SecAuthSuccess.
- continuation_data
- If the return value of the SecurityLevel2::Current::authenticate method is SecAuthContinue , this argument contains the challenge information for the authentication to continue. The value returned will always be empty.
- auth_specific_data
- Information specific to the authentication service being used. The value returned will always be empty.
Description
The SecurityLevel2::Current::authenticate method is used by the client application to authenticate the principal and optionally request privilege attributes that the principal requires during its session with the WLE domain.
If the Tobj::TuxedoSecurity security mechanism is to be specified, the same functionality can be obtained by calling the Tobj::PrincipalAuthenticator::logon operation, which provides the same functionality but is specifically tailored for use with the TUXEDO-style authentication security mechanism.
Return Values
The following table describes the valid return values.
Synopsis
Sets credentials type.
OMG IDL Definition
void set_credentials(
in Security::CredentialType cred_type,
in Credentials creds
);Arguments
- cred_type
- The type of credentials to be set; that is, invocation, own, or non-repudiation.
- creds
- The object reference to the Credentials object, which is to become the default.
Description
This method can be used only to set SecInvocationCredentials ; otherwise, -set_credentials raises CORBA::BAD_PARAM . The credentials must have been obtained from a previous call to SecurityLevel2::Current::get_credentials or SecurityLevel2::PrincipalAuthenticator::authenticate .
Return Values
None.
Note: This information is taken from CORBAservices: Common Object Services Specification, p. 15-104. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Synopsis
Gets credentials type.
OMG IDL Definition
Credentials get_credentials(
in Security::CredentialType cred_type
);Argument
- cred_type
- The type of credentials to get.
Description
This call can be used only to get SecInvocationCredentials ; otherwise, get_credentials raises CORBA::BAD_PARAM . If no credentials are available, get_credentials raises CORBA::BAD_INV_ORDER .
Return Values
Returns the active credentials in the client application only.
Note: This information is taken from CORBAservices: Common Object Services Specification, p. 15-105. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Synopsis
Returns the PrincipalAuthenticator .
OMG IDL Definition
readonly attribute PrincipalAuthenticator
principal_authenticator;Description
The PrincipalAuthenticator returned by the principal_authenticator attribute is of actual type Tobj::PrincipalAuthenticator . Therefore, it can be used both as a Tobj::PrincipalAuthenticator and as a SecurityLevel2::PrincipalAuthenticator .
Note: This method raises CORBA::BAD_INV_ORDER if it is called on an invalid SecurityCurrent object.
Return Values
Returns the PrincipalAuthenticator .
SecurityLevel2::Credentials
Synopsis
Represents a particular principal's credential information that is specific to a process. A Credentials object that supports the SecurityLevel2::Credentials interface is a locality-constrained object. Any attempt to pass a reference to the object outside its locality, or any attempt to externalize the object using the CORBA::ORB::object_to_string() operation, results in a CORBA::Marshall exception.
OMG IDL Definition
#ifndef _SECURITY_LEVEL_2_IDL
#define _SECURITY_LEVEL_2_IDL
#include <SecurityLevel1.idl>
#pragma prefix "omg.org"
module SecurityLevel2
{
interface Credentials
{
attribute Security::AssociationOptions
invocation_options_supported;
attribute Security::AssociationOptions
invocation_options_required;
Security::AttributeList
get_attributes(
in Security::AttributeTypeList attributes );
boolean
is_valid(
out Security::UtcT expiry_time );};
};
#endif /* _SECURITY_LEVEL_2_IDL */C++ Declaration
class SecurityLevel2
{
public:
class Credentials;
typedef Credentials * Credentials_ptr;
class Credentials : public virtual CORBA::Object
{
public:
static Credentials_ptr _duplicate(Credentials_ptr obj);
static Credentials_ptr _narrow(CORBA::Object_ptr obj);
static Credentials_ptr _nil();
virtual Security::AssociationOptions
invocation_options_supported() = 0;
virtual void
invocation_options_supported(
const Security::AssociationOptions options ) = 0;
virtual Security::AssociationOptions
invocation_options_required() = 0;
virtual void
invocation_options_required(
const Security::AssociationOptions options ) = 0;
virtual Security::AttributeList *
get_attributes(
const Security::AttributeTypeList & attributes) = 0;
virtual CORBA::Boolean
is_valid( Security::UtcT_out expiry_time) = 0;
protected:
Credentials(CORBA::Object_ptr obj = 0);
virtual ~Credentials() { }
private:
Credentials( const Credentials&) { }
void operator=(const Credentials&) { }
}; // class Credentials
}; // class SecurityLevel2
Synopsis
Gets the attribute list attached to the credentials.
OMG IDL Definition
Security::AttributeList get_attributes(
in AttributeTypeList attributes
);Argument
- attributes
- The set of security attributes (privilege attribute types) whose values are desired. If this list is empty, all attributes are returned.
Description
This method returns the attribute list attached to the credentials of the principal. In the list of attribute types, you are required to include only the type value(s) for the attributes you want returned in the AttributeList . Attributes are not currently returned based on attribute family or identities. In most cases, this is the same result you would get if you called SecurityLevel1::Current::get_attributes() , since there is only one valid set of credentials in the principal at any instance in time. The results could be different if the credentials are not currently in use.
Return Values
Returns attribute list.
Note: This is information taken from CORBAservices: Common Object Services Specification, p. 15-97. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Synopsis
Indicates the maximum number of security options that can be used when establising an SSL connection to make an invocation on an object in the WLE domain.
OMG IDL Definition
attribute Security::AssociationOptions(
invocation_options_supported;Argument
None.
Description
This method should be used in conjunction with the SecurityLevel2::Credentials::invocation_options_required method.
The following security options can be specified:
Return Values
The list of defined security options.
If the Tobj::TuxedoSecurity security mechanism is used to create the security association, only the NoProtection , EstablishTrustInClient , and SimpleDelegation security options are returned. The EstablishTrustInClient security option appears only if the security level of the WLE application is defined to require passwords to access the WLE domain.
Note: A CORBA::BAD_PARAM exception is returned if the security options specified are not supported by the security mechanism defined for the WLE application. This exception can also occur if the security options specified have less capabilities than the security options specified by the SecurityLevel2::Credentials::invocation_options_required method.
A Credentials object with a security mechanism of Tobj::TuxedoSecurity always returns the CORBA::BAD_PARAM exception.
Synopsis
Specifies the minimum number of security options to be used when establishing an SSL connection to make an invocation on a target object in the WLE domain.
OMG IDL Definition
attribute Security::AssociationOptions(
invocation_options_required;Argument
None.
Description
Use this method to specify that communication between principals and the WLE domain should be protected. After using this method, a Credentials object makes an invocation on a target object using the SSL protocol with the defined level of security options. This method should be used in conjunction with the SecurityLevel2::Credentials::invocation_options_supported method.
The following security options can be specified:
Return Values
The list of defined security options.
If the Tobj::TuxedoSecurity security mechanism is used to create the security association, only the NoProtection , EstablishTrustInClient , and SimpleDelegation security options are returned. The EstablishTrustInClient security option appears only if the security level of the WLE application is defined to require passwords to access the WLE domain.
Note: A CORBA::BAD_PARAM exception is returned if the security options specified are not supported by the security mechanism defined for the WLE application. This exception can also occur if the security options specified have more capabilities than the security options specified by the SecurityLevel2::Credentials::invocation_options_supported method.
A Credentials object with a parameter of Tobj::TuxedoSecurity always returns the CORBA::BAD_PARAM exception.
Synopsis
Checks status of credentials.
OMG IDL Definition
boolean is_valid(
out Security::UtcT expiry_time
);Description
This method returns TRUE if the credentials used are active at the time; that is, you did not call Tobj::PrincipalAuthenticator::logoff or Tobj_Bootstrap::destroy_curren t. If this method is called after Tobj::PrincipalAuthenticator::logoff() , FALSE is returned. If this method is called after Tobj_Bootstrap::destroy_current() , the CORBA::BAD_INV_ORDER exception is raised.
Return Values
The expiration date returned contains the maximum unsigned long long value in C++ and maximum long in Java. Until the unsigned long long datatype is adopted, the ulonglong datatype is substituted. The ulonglong datatype is defined as follows:
// interim definition of type ulonglong pending the
// adoption of the type extension by all client ORBs.
struct ulonglong {
unsigned long low;
unsigned long high;
};Note: This information is taken from CORBAservices: Common Object Services Specification, p. 15-97. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
SecurityLevel2::PrincipalAuthenticator
Synopsis
Allows a principal to be authenticated. A Principal Authenticator object that supports the SecurityLevel2::PrincipalAuthenticator interface is a locality-constrained object. Any attempt to pass a reference to the object outside its locality, or any attempt to externalize the object using the CORBA::ORB::object_to_string() operation, results in a CORBA::Marshall exception.
OMG IDL Definition
#ifndef _SECURITY_LEVEL_2_IDL
#define _SECURITY_LEVEL_2_IDL
#include <SecurityLevel1.idl>
#pragma prefix "omg.org"
module SecurityLevel2
{
interface PrincipalAuthenticator
{ // Locality Constrained
Security::AuthenticationStatus authenticate (
in Security::AuthenticationMethod method,
in Security::SecurityName security_name,
in Security::Opaque auth_data,
in Security::AttributeList privileges,
out Credentials creds,
out Security::Opaque continuation_data,
out Security::Opaque auth_specific_data
);
Security::AuthenticationStatus continue_authentication (
in Security::Opaque response_data,
in Credentials creds,
out Security::Opaque continuation_data,
out Security::Opaque auth_specific_data
);
};
};
#endif // SECURITY_LEVEL_2_IDL
#pragma prefix "beasys.com"
module Tobj
{
const Security::AuthenticationMethod
TuxedoSecurity = 0x54555800;
CertificateBased = 0x43455254;
};C++ Declaration
class SecurityLevel2
{
public:
class PrincipalAuthenticator;
typedef PrincipalAuthenticator * PrincipalAuthenticator_ptr;class PrincipalAuthenticator : public virtual CORBA::Object
{
public:
static PrincipalAuthenticator_ptr
_duplicate(PrincipalAuthenticator_ptr obj);
static PrincipalAuthenticator_ptr
_narrow(CORBA::Object_ptr obj);
static PrincipalAuthenticator_ptr _nil();
virtual Security::AuthenticationStatus
authenticate (
Security::AuthenticationMethod method,
const char * security_name,
const Security::Opaque & auth_data,
const Security::AttributeList & privileges,
Credentials_out creds,
Security::Opaque_out continuation_data,
Security::Opaque_out auth_specific_data) = 0;
virtual Security::AuthenticationStatus
continue_authentication (
const Security::Opaque & response_data,
Credentials_ptr & creds,
Security::Opaque_out continuation_data,
Security::Opaque_out auth_specific_data) = 0;protected:
PrincipalAuthenticator(CORBA::Object_ptr obj = 0);
virtual ~PrincipalAuthenticator() { }
private:
PrincipalAuthenticator( const PrincipalAuthenticator&) { }
void operator=(const PrincipalAuthenticator&) { }
}; // class PrincipalAuthenticator
};
Synopsis
Always fails.
OMG IDL Definition
Security::AuthenticationStatus continue_authentication(
in Security::Opaque response_data,
inout Credentials creds,
out Security::Opaque continuation_data,
out Security::Opaque auth_specific_data
);Description
Because the WLE software does authentication in one step, this method always fails and returns Security::AuthenticationStatus::SecAuthFailure .
Return Values
Always returns Security::AuthenticationStatus::SecAuthFailure .
Note: This information is taken from CORBAservices: Common Object Services Specification, pp. 15-92, 93. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Synopsis
Gets the type of authentication expected by the WLE domain.
OMG IDL Definition
AuthType get_auth_type();
Description
This method returns the type of authentication expected by the WLE domain.
Note: This method raises CORBA::BAD_INV_ORDER if it is called with an invalid SecurityCurrent object.
Return Values
A reference to the Tobj_AuthType enumeration. The following table describes the valid return values.
Returns the type of authentication required to access the WLE domain.
Synopsis
Authenticates the principal.
OMG IDL Definition
Security::AuthenticationStatus logon(
in string user_name,
in string client_name,
in string system_password,
in string user_password,
in UserAuthData user_data
);Arguments
- user_name
- The WLE user name. The authentication level is TOBJ_NOAUTH . If user_name is NULL or empty, or exceeds 30 characters, logon raises CORBA::BAD_PARAM .
- client_name
- The WLE name of the client application. The authentication level is TOBJ_NOAUTH . If the client_name is NULL or empty, or exceeds 30 characters, logon raises the CORBA::BAD_PARAM exception.
- system_password
- The WLE client application password. The authentication level is TOBJ_SYSAUTH . If the client name is NULL or empty, or exceeds 30 characters, logon raises the CORBA::BAD_PARAM exception.
Note: The system_password must not exceed 30 characters.
- user_password
- The user password (needed for use by the default WLE authentication service). The authentication level is TOBJ_APPAUTH .
- user_data
- Data that is specific to the client application (needed for use by a custom WLE authentication service). The authentication level is TOBJ_APPAUTH .
Note: TOBJ_SYSAUTH includes the requirements of TOBJ_NOAUTH, plus a client application password. TOBJ_APPAUTH includes the requirements of TOBJ_SYSAUTH, plus additional information, such as a user password or user data.
Note: The user_password and user_data arguments are mutually exclusive, depending on the requirements of the authentication service used in the configuration of the WLE domain. The WLE default authentication service expects a user password. A customized authentication service may require user data. The logon call raises the CORBA::BAD_PARAM exception if both user_password and user_data are specified.
Description
This method authenticates the principal via the IIOP Listener/Handler so that the principal can access a WLE domain. This method is functionally equivalent to SecurityLevel2::PrincipalAuthenticator::authenticate , but the arguments are oriented to TUXEDO-style authentication.
Note: This method raises CORBA::BAD_INV_ORDER if it is called with an invalid SecurityCurrent object.
Return Values
The following table describes the valid return values.
Synopsis
Discards the security context associated with the principal.
OMG IDL Definition
void logoff();
Description
This call discards the security context, but does not close the network connections to the WLE domain. Logoff also invalidates the current credentials. After logging off, invocations using existing object references fail if the authentication type is not TOBJ_NOAUTH .
If the principal is currently authenticated to a WLE domain, calling Tobj_Bootstrap::destroy_current() calls logoff implicitly.
Note: This method raises CORBA::BAD_INV_ORDER if it is called with an invalid SecurityCurrent object.
Return Values
None.
Synopsis
Creates authentication data and attributes for use by SecurityLevel2::PrincipalAuthenticator::authenticate .
OMG IDL Definition
void build_auth_data(
in string user_name,
in string client_name,
in string system_password,
in string user_password,
in UserAuthData user_data,
out Security::Opaque auth_data,
out Security::AttributeList privileges
);Arguments
- user_name
- The WLE user name.
- client_name
- The WLE client name.
- system_password
- The WLE client application password.
- user_password
- The user password (default WLE authentication service).
- user_data
- Client application-specific data (custom WLE authentication service).
- auth_data
- For use by authenticate .
- privileges
- For use by authenticate .
Note: If user_name , client_name , or system_password is NULL or empty, or exceeds 30 characters, the subsequent authenticate method invocation raises the CORBA::BAD_PARAM exception.
Note: The user_password and user_data parameters are mutually exclusive, depending on the requirements of the authentication service used in the configuration of the WLE domain. The WLE default authentication service expects a user password. A customized authentication service may require user data. If both user_password and user_data are specified, the subsequent authentication call raises the CORBA::BAD_PARAM exception.
Description
This method is a helper function that creates authentication data and attributes to be used by SecurityLevel2::PrincipalAuthenticator::authenticate .
Note: This method raises CORBA::BAD_INV_ORDER if it is called with an invalid SecurityCurrent object.
Return Values
None.
Copyright © 1999 BEA Systems, Inc. All rights reserved.
Required browser: Netscape 4.0 or higher, or Microsoft Internet Explorer 4.0 or higher.