Using Security in CORBA Applications


Security Modules

This topic contains the Object Management Group (OMG) Interface Definition Language (IDL) definitions for the following modules that are used in the CORBA security model: CORBA, TimeBase, Security, Security Level 1, Security Level 2, and Tobj.

Note: The BEA Tuxedo CORBA Java client and BEA Tuxedo CORBA Java client ORB were deprecated in Tuxedo 8.1 and are no longer supported. All text references to the BEA Tuxedo CORBA Java client and BEA Tuxedo CORBA Java client ORB, and their associated code samples, should be used only to help implement or run third-party Java ORB libraries, and for programmer reference only.
Note: Technical support for third-party CORBA Java ORBs should be provided by their respective vendors. BEA Tuxedo does not provide technical support or documentation for third-party CORBA Java ORBs.

CORBA Module

The OMG added the CORBA::Current interface to the CORBA module to support the Current pseudo-object. This change enables the CORBA module to support Security Replaceability and Security Level 2.

Listing 13-1 shows the CORBA::Current interface OMG IDL statements.

Note: This information is taken from CORBAservices: Common Object Services Specification, p. 15-230. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Listing 13-1 CORBA::Current Interface OMG IDL Statements
module CORBA {
    // Extensions to CORBA
    interface Current {
    };
};

TimeBase Module

All data structures pertaining to the basic Time Service, Universal Time Object, and Time Interval Object are defined in the TimeBase module. This allows other services to use these data structures without requiring the interface definitions. The interface definitions and associated enums and exceptions are encapsulated in the TimeBase module.

Listing 13-2 shows the TimeBase module OMG IDL statements.

Note: This information is taken from CORBAservices: Common Object Services Specification, p. 14-5. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Listing 13-2 TimeBase Module OMG IDL Statements
// From time service
module TimeBase {
    // interim definition of type ulonglong pending the
    // adoption of the type extension by all client ORBs.
    struct ulonglong {
        unsigned long low;
        unsigned long high;
    };
    typedef ulonglong TimeT;
    typedef short TdfT;
    struct UtcT {
        TimeT time;              // 8 octets
        unsigned long inacclo;   // 4 octets
        unsigned short inacchi;  // 2 octets
        TdfT tdf;                // 2 octets
                                 // total 16 octets
    };
};

Table 13-1 defines the TimeBase module data types.

Note: This information is taken from CORBAservices: Common Object Services Specification, p. 14-6. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.

Table 13-1 TimeBase Module Data Type Definitions

Data Type: ulonglong (Time)
Definition: OMG IDL does not at present have a native type representing an unsigned 64-bit integer. The adoption of technology submitted against that RFP will provide a means for defining a native type representing unsigned 64-bit integers in OMG IDL.

Pending the adoption of that technology, you can use this structure to represent unsigned 64-bit integers, understanding that when a native type becomes available, it may not be interoperable with this declaration on all platforms. This definition is for the interim, and is meant to be removed when the native unsigned 64-bit integer type becomes available in OMG IDL.

Data Type: TimeT (Time)
Definition: TimeT represents a single time value, which is 64 bits in size, and holds the number of 100-nanosecond units that have passed since the base time. For absolute time, the base is 15 October 1582 00:00.

Data Type: TdfT (Time)
Definition: TdfT is a 16-bit short type that holds the time displacement factor in the form of seconds of displacement from the Greenwich Meridian. Displacements east of the meridian are positive, while those to the west are negative.

Data Type: UtcT (Time)
Definition: UtcT defines the structure of the time value that is used universally in the service. Whether a UtcT structure holds a relative or an absolute time is determined by its history; there is no explicit flag within the object holding that state information. The inacclo and inacchi fields together hold a value of type InaccuracyT packed into 48 bits. The tdf field holds time zone information. An implementation must place the time displacement factor for the local time zone in this field whenever it creates a Universal Time Object (UTO).
The content of this structure is intended to be opaque; to be able to marshal it correctly, the types of the fields need to be identified.
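The following is an added example, not code from the BEA documentation or the OMG specification, showing how a client that receives a TimeBase::UtcT on the wire can recombine the interim ulonglong halves into a native 64-bit tick count, convert that count to and from Unix seconds using the 15 October 1582 base stated in Table 13-1, and unpack the 48-bit InaccuracyT spread over inacclo and inacchi. The struct and field names follow Listing 13-2; the namespace TimeBaseExample, the helper function names and the constant kBaseToUnixEpochTicks (141427 days between 15 October 1582 and 1 January 1970, times 10^7 ticks per second) are this example's own assumptions. The tdf field is carried through unchanged.

```cpp
// Added example (not from the BEA/OMG text): packing and decoding a
// TimeBase::UtcT value as Listing 13-2 and Table 13-1 describe it.
#include <cstdint>
#include <cstdio>

namespace TimeBaseExample {

// One second is 10^7 ticks of 100 ns.
constexpr uint64_t kTicksPerSecond = 10000000ULL;
// Ticks from the TimeT base (15 October 1582 00:00) to 1970-01-01 00:00 UTC:
// 141427 days * 86400 s/day * 10^7 ticks/s = 122192928000000000 (assumed constant).
constexpr uint64_t kBaseToUnixEpochTicks = 141427ULL * 86400ULL * kTicksPerSecond;

// Interim ulonglong from Listing 13-2: two unsigned 32-bit halves.
struct ulonglong {
    uint32_t low;
    uint32_t high;
};
typedef ulonglong TimeT;
typedef int16_t TdfT;

struct UtcT {
    TimeT    time;     // 8 octets: 100-ns ticks since the base time
    uint32_t inacclo;  // 4 octets: low 32 bits of the 48-bit InaccuracyT
    uint16_t inacchi;  // 2 octets: high 16 bits of the 48-bit InaccuracyT
    TdfT     tdf;      // 2 octets: time displacement factor (see Table 13-1)
};

// Recombine the two halves of the interim ulonglong into a native 64-bit value.
uint64_t join(const ulonglong& v) {
    return (static_cast<uint64_t>(v.high) << 32) | v.low;
}

// Split a native 64-bit value back into the interim representation.
ulonglong split(uint64_t v) {
    ulonglong out;
    out.low  = static_cast<uint32_t>(v & 0xFFFFFFFFULL);
    out.high = static_cast<uint32_t>(v >> 32);
    return out;
}

// The 48-bit inaccuracy (InaccuracyT) is spread over inacclo and inacchi.
uint64_t inaccuracy_ticks(const UtcT& t) {
    return (static_cast<uint64_t>(t.inacchi) << 32) | t.inacclo;
}

// Build an absolute UtcT from Unix seconds. Returns false when the inaccuracy
// does not fit in 48 bits or the instant lies before the 1582 base.
bool from_unix_seconds(int64_t unix_seconds, uint64_t inacc_ticks, TdfT tdf, UtcT& out) {
    if (inacc_ticks >> 48) return false;
    int64_t ticks = unix_seconds * static_cast<int64_t>(kTicksPerSecond)
                  + static_cast<int64_t>(kBaseToUnixEpochTicks);
    if (ticks < 0) return false;
    out.time    = split(static_cast<uint64_t>(ticks));
    out.inacclo = static_cast<uint32_t>(inacc_ticks & 0xFFFFFFFFULL);
    out.inacchi = static_cast<uint16_t>(inacc_ticks >> 32);
    out.tdf     = tdf;
    return true;
}

// Convert an absolute UtcT back to whole Unix seconds. Floor division, so
// instants between 1582 and 1970 come out negative (tick counts below 2^63 assumed).
int64_t to_unix_seconds(const UtcT& t) {
    int64_t ticks = static_cast<int64_t>(join(t.time))
                  - static_cast<int64_t>(kBaseToUnixEpochTicks);
    int64_t q = ticks / static_cast<int64_t>(kTicksPerSecond);
    if (ticks % static_cast<int64_t>(kTicksPerSecond) < 0) --q;
    return q;
}

}  // namespace TimeBaseExample

int main() {
    TimeBaseExample::UtcT t;
    // Constructed sample: the Unix epoch with a 48-bit inaccuracy pattern.
    if (!TimeBaseExample::from_unix_seconds(0, 0x123456789ABCULL, 0, t)) return 1;
    std::printf("time.high=0x%08X time.low=0x%08X inaccuracy=0x%llX unix=%lld\n",
                t.time.high, t.time.low,
                static_cast<unsigned long long>(TimeBaseExample::inaccuracy_ticks(t)),
                static_cast<long long>(TimeBaseExample::to_unix_seconds(t)));
    return 0;
}
```

The round trip through split and join is what a marshalling layer has to get right before the interim ulonglong can be compared with a native 64-bit type; the 48-bit check on inacc_ticks catches values that would silently lose their top bits when packed into inacchi.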

Security Module

The Security module defines the OMG IDL for security data types common to the other security modules. This module depends on the TimeBase module and must be available with any ORB that claims to be security ready.

Listing 13-3 shows the data types supported by the Security module.

Note: This information is taken from CORBAservices: Common Object Services Specification, p. 15-193 to 15-195. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Listing 13-3 Security Module OMG IDL Statements
module Security {
    typedef sequence<octet> Opaque;

    // Extensible families for standard data types
    struct ExtensibleFamily {
        unsigned short family_definer;
        unsigned short family;
    };

    // security attributes
    typedef unsigned long SecurityAttributeType;

    // identity attributes; family = 0
    const SecurityAttributeType AuditId = 1;
    const SecurityAttributeType AccountingId = 2;
    const SecurityAttributeType NonRepudiationId = 3;

    // privilege attributes; family = 1
    const SecurityAttributeType Public = 1;
    const SecurityAttributeType AccessId = 2;
    const SecurityAttributeType PrimaryGroupId = 3;
    const SecurityAttributeType GroupId = 4;
    const SecurityAttributeType Role = 5;
    const SecurityAttributeType AttributeSet = 6;
    const SecurityAttributeType Clearance = 7;
    const SecurityAttributeType Capability = 8;

    struct AttributeType {
        ExtensibleFamily attribute_family;
        SecurityAttributeType attribute_type;
    };

    // Referenced as Security::AttributeTypeList by the Level 1 and Level 2
    // get_attributes operations
    typedef sequence<AttributeType> AttributeTypeList;

    struct SecAttribute {
        AttributeType attribute_type;
        Opaque defining_authority;
        Opaque value;
        // The value of this attribute can be
        // interpreted only with knowledge of type
    };

    typedef sequence<SecAttribute> AttributeList;

    // Authentication return status
    enum AuthenticationStatus {
        SecAuthSuccess,
        SecAuthFailure,
        SecAuthContinue,
        SecAuthExpired
    };

    // Authentication method
    typedef unsigned long AuthenticationMethod;

    // Credential types selected through SecurityLevel2::Current
    enum CredentialType {
        SecInvocationCredentials,
        SecOwnCredentials,
        SecNRCredentials
    };

    // Association options; defined in the full Security module of the
    // specification and referenced by SecurityLevel2::Credentials
    typedef unsigned short AssociationOptions;

    // Pick up from TimeBase
    typedef TimeBase::UtcT UtcT;
};

Table 13-2 describes the Security module data type.

Table 13-2 Security Module Data Type Definition

Data Type: Opaque (sequence<octet>)
Definition: Data whose representation is known only to the Security Service implementation.

Security Level 1 Module

This section defines those interfaces available to client application objects that use only Level 1 Security functionality. This module depends on the CORBA module and the Security and TimeBase modules. The Current interface is implemented by the ORB.

Listing 13-4 shows the Security Level 1 module OMG IDL statements.

Note: This information is taken from CORBAservices: Common Object Services Specification, p. 15-198. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Listing 13-4 Security Level 1 Module OMG IDL Statements
module SecurityLevel1 {
    interface Current : CORBA::Current { // PIDL
        Security::AttributeList get_attributes(
            in Security::AttributeTypeList attributes
        );
    };
};

Security Level 2 Module

This section defines the additional interfaces available to client application objects that use Level 2 Security functionality. This module depends on the CORBA and Security modules.

Listing 13-5 shows the Security Level 2 module OMG IDL statements.

Note: This information is taken from CORBAservices: Common Object Services Specification, p. 15-198 to 15-200. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.
Listing 13-5 Security Level 2 Module OMG IDL Statements
module SecurityLevel2 {
    // Forward declaration of interfaces
    interface PrincipalAuthenticator;
    interface Credentials;
    interface Current;

    // Interface Principal Authenticator
    interface PrincipalAuthenticator {
        Security::AuthenticationStatus authenticate(
            in Security::AuthenticationMethod method,
            in string security_name,
            in Security::Opaque auth_data,
            in Security::AttributeList privileges,
            out Credentials creds,
            out Security::Opaque continuation_data,
            out Security::Opaque auth_specific_data
        );

        Security::AuthenticationStatus continue_authentication(
            in Security::Opaque response_data,
            inout Credentials creds,
            out Security::Opaque continuation_data,
            out Security::Opaque auth_specific_data
        );
    };

    // Interface Credentials
    interface Credentials {
        attribute Security::AssociationOptions invocation_options_supported;
        attribute Security::AssociationOptions invocation_options_required;
        Security::AttributeList get_attributes(
            in Security::AttributeTypeList attributes
        );
        boolean is_valid(
            out Security::UtcT expiry_time
        );
    };

    // Interface Current derived from SecurityLevel1::Current
    // providing additional operations on Current at this
    // security level. This is implemented by the ORB.
    interface Current : SecurityLevel1::Current { // PIDL
        void set_credentials(
            in Security::CredentialType cred_type,
            in Credentials cred
        );

        Credentials get_credentials(
            in Security::CredentialType cred_type
        );

        readonly attribute PrincipalAuthenticator principal_authenticator;
    };
};
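The following is an added example, not code from the BEA documentation, the OMG specification or any ORB, showing how a client drives the PrincipalAuthenticator protocol in Listing 13-5: call authenticate, keep calling continue_authentication while the status is SecAuthContinue, and only hand credentials to Current::set_credentials when the final status is SecAuthSuccess and Credentials::is_valid confirms they have not expired. The interfaces are modelled as plain C++ classes carrying the listing's operation names; the namespace Level2Example, the StubAuthenticator that answers with a two-round challenge, the responder callback, the round limit and the helper names are this example's own assumptions.

```cpp
// Added example (not from the BEA/OMG text): client-side driver for the
// SecurityLevel2 authenticate / continue_authentication exchange.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

namespace Level2Example {

typedef std::vector<uint8_t> Opaque;  // stands in for Security::Opaque
enum AuthenticationStatus { SecAuthSuccess, SecAuthFailure, SecAuthContinue, SecAuthExpired };

// Minimal stand-in for SecurityLevel2::Credentials.
struct Credentials {
    std::string subject;
    bool valid = false;
    int64_t expiry = 0;  // stands in for the Security::UtcT expiry_time out parameter
    bool is_valid(int64_t& expiry_time) const { expiry_time = expiry; return valid; }
};

// Abstract shape of SecurityLevel2::PrincipalAuthenticator (privileges and
// auth_specific_data omitted for brevity).
class PrincipalAuthenticator {
public:
    virtual ~PrincipalAuthenticator() {}
    virtual AuthenticationStatus authenticate(uint32_t method, const std::string& security_name,
                                              const Opaque& auth_data,
                                              std::shared_ptr<Credentials>& creds,
                                              Opaque& continuation_data) = 0;
    virtual AuthenticationStatus continue_authentication(const Opaque& response_data,
                                                         std::shared_ptr<Credentials>& creds,
                                                         Opaque& continuation_data) = 0;
};

// Constructed stub: round 1 answers SecAuthContinue with a one-byte challenge;
// round 2 succeeds only if the response is that byte plus one.
class StubAuthenticator : public PrincipalAuthenticator {
    uint8_t challenge_ = 0x2A;
public:
    AuthenticationStatus authenticate(uint32_t, const std::string& security_name,
                                      const Opaque& auth_data,
                                      std::shared_ptr<Credentials>& creds,
                                      Opaque& continuation_data) override {
        if (auth_data.empty()) return SecAuthFailure;
        creds = std::make_shared<Credentials>();
        creds->subject = security_name;
        continuation_data = Opaque{challenge_};
        return SecAuthContinue;
    }
    AuthenticationStatus continue_authentication(const Opaque& response_data,
                                                 std::shared_ptr<Credentials>& creds,
                                                 Opaque& continuation_data) override {
        continuation_data.clear();
        if (creds && response_data.size() == 1 &&
            response_data[0] == static_cast<uint8_t>(challenge_ + 1)) {
            creds->valid = true;
            creds->expiry = 1700000000;  // constructed expiry value
            return SecAuthSuccess;
        }
        creds.reset();  // never leave half-built credentials behind on failure
        return SecAuthFailure;
    }
};

// Client-side driver. `respond` computes the client's answer to each
// continuation_data challenge. Returns null on failure, expiry, an invalid
// credential object, or when the authenticator keeps asking for more rounds
// than max_rounds (an assumed defensive bound, not part of the IDL).
template <typename Responder>
std::shared_ptr<Credentials> logon(PrincipalAuthenticator& pa, const std::string& security_name,
                                   const Opaque& auth_data, Responder respond, int max_rounds = 4) {
    std::shared_ptr<Credentials> creds;
    Opaque continuation;
    AuthenticationStatus st = pa.authenticate(0, security_name, auth_data, creds, continuation);
    for (int round = 1; st == SecAuthContinue; ++round) {
        if (round >= max_rounds) return nullptr;
        st = pa.continue_authentication(respond(continuation), creds, continuation);
    }
    int64_t expiry = 0;
    if (st != SecAuthSuccess || !creds || !creds->is_valid(expiry)) return nullptr;
    return creds;  // the caller would now pass this to Current::set_credentials
}

}  // namespace Level2Example

int main() {
    Level2Example::StubAuthenticator pa;
    auto creds = Level2Example::logon(pa, "alice", Level2Example::Opaque{1},
        [](const Level2Example::Opaque& c) {
            return Level2Example::Opaque{static_cast<uint8_t>(c[0] + 1)};
        });
    std::printf("logon %s\n", creds ? "succeeded" : "failed");
    return creds ? 0 : 1;
}
```

The two checks the driver makes before returning credentials are the ones the listing's shape implies: the status must be SecAuthSuccess (SecAuthFailure and SecAuthExpired are both terminal), and the Credentials object must answer true from is_valid, since the ORB will install whatever object set_credentials is given.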

Tobj Module

This section defines the Tobj module interfaces. This module provides the interfaces you use to program ATMI-style authentication.

Listing 13-6 shows the Tobj module OMG IDL statements.

Listing 13-6 Tobj Module OMG IDL Statements
// Tobj-specific definitions
module Tobj {
    // get_auth_type() return values
    enum AuthType {
        TOBJ_NOAUTH,
        TOBJ_SYSAUTH,
        TOBJ_APPAUTH
    };

    typedef sequence<octet> UserAuthData;

    interface PrincipalAuthenticator :
        SecurityLevel2::PrincipalAuthenticator { // PIDL
        AuthType get_auth_type();

        Security::AuthenticationStatus logon(
            in string user_name,
            in string client_name,
            in string system_password,
            in string user_password,
            in UserAuthData user_data
        );

        void logoff();

        void build_auth_data(
            in string user_name,
            in string client_name,
            in string system_password,
            in string user_password,
            in UserAuthData user_data,
            out Security::Opaque auth_data,
            out Security::AttributeList privileges
        );
    };
};
