This topic contains the Automation method descriptions for CORBA security. This topic includes the following section:
Note: The Automation security methods do not support certificate authentication or the use of the SSL protocol.
Note: The Oracle Tuxedo CORBA Java client and Oracle Tuxedo CORBA Java client ORB were deprecated in Tuxedo 8.1 and are no longer supported. All Oracle Tuxedo CORBA Java client and Oracle Tuxedo CORBA Java client ORB text references and associated code samples should be used only to help implement and run third-party Java ORB libraries, and for programmer reference only.
Note: Technical support for third-party CORBA Java ORBs should be provided by their respective vendors. Oracle Tuxedo does not provide any technical support or documentation for third-party CORBA Java ORBs.
This section describes the Automation Security Service methods.
The DISecurityLevel2_Current object is an Oracle implementation of the CORBA Security model. In this release of the Oracle Tuxedo software, the get_attributes(), set_credentials(), get_credentials(), and Principal_Authenticator() methods are supported.
Returns attributes for the Current interface.
HRESULT get_attributes(
[in] VARIANT attributes,
[in,out,optional] VARIANT* exceptionInfo,
[out,retval] VARIANT* returnValue);
Function get_attributes(attributes, [exceptionInfo])
attributes
exceptioninfo
This method gets privilege (and other) attributes from the credentials for the client application from the Current interface.
A variant containing an array of DISecurity_SecAttribute objects. The following table describes the valid return values.
HRESULT set_credentials(
[in] Security_CredentialType cred_type,
[in] DISecurityLevel2_Credentials* cred,
[in,out,optional] VARIANT* exceptionInfo);
Sub set_credentials(cred_type As Security_CredentialType,
cred As DISecurityLevel2_Credentials,
[exceptionInfo])
This method can be used only to set SecInvocationCredentials; otherwise, set_credentials raises CORBA::BAD_PARAM. The credentials must have been obtained from a previous call to DISecurityLevel2_Current.get_credentials.
cred_type
cred
exceptioninfo
HRESULT get_credentials(
[in] Security_CredentialType cred_type,
[in,out,optional] VARIANT* exceptionInfo,
[out,retval] DISecurityLevel2_Credentials** returnValue);
Function get_credentials(cred_type As Security_CredentialType,
[exceptionInfo]) As DISecurityLevel2_Credentials
This call can be used only to get SecInvocationCredentials; otherwise, get_credentials raises CORBA::BAD_PARAM. If no credentials are available, get_credentials raises CORBA::BAD_INV_ORDER.
cred_type
exceptioninfo
A DISecurityLevel2_Credentials object for the active credentials in the client application only.
Returns the PrincipalAuthenticator.
HRESULT principal_authenticator([out, retval]
DITobj_PrincipalAuthenticator** returnValue);
Property principal_authenticator As DITobj_PrincipalAuthenticator
The PrincipalAuthenticator returned by the principal_authenticator property is of actual type DITobj_PrincipalAuthenticator. Therefore, it can be used as a DISecurityLevel2_PrincipalAuthenticator.
Note: This method raises CORBA::BAD_INV_ORDER if it is called on an invalid SecurityCurrent object.
A DITobj_PrincipalAuthenticator object.
The DITobj_PrincipalAuthenticator object is used to log in to and log out of the Oracle Tuxedo domain. In this release of the Oracle Tuxedo software, the authenticate(), build_auth_data(), continue_authentication(), get_auth_type(), logon(), and logoff() methods are implemented.
Authenticates the client application.
HRESULT authenticate(
[in] long method,
[in] BSTR security_name,
[in] VARIANT auth_data,
[in] VARIANT privileges,
[out] DISecurityLevel2_Credentials**
creds,
[out] VARIANT* continuation_data,
[out] VARIANT* auth_specific_data,
[in,out,optional] VARIANT* exceptionInfo,
[out,retval] Security_AuthenticationStatus* returnValue);
Function authenticate(method As Long, security_name As String,
auth_data, privileges, creds As DISecurityLevel2_Credentials,
continuation_data, auth_specific_data,
[exceptionInfo]) As Security_AuthenticationStatus
method
security_name
auth_data
DITobj_PrincipalAuthenticator.build_auth_data. If auth_data is invalid, authenticate raises CORBA::BAD_PARAM.
privileges
DITobj_PrincipalAuthenticator.build_auth_data. If privileges is invalid, authenticate raises CORBA::BAD_PARAM.
creds
continuation_data
auth_specific_data
exceptioninfo
Description
This method authenticates the client application via the IIOP Listener/Handler so that it can access an Oracle Tuxedo domain.
A Security_AuthenticationStatus Enum value. The following table describes the valid return values.
Creates authentication data and attributes for use by DITobj_PrincipalAuthenticator.authenticate.
HRESULT build_auth_data(
[in] BSTR user_name,
[in] BSTR client_name,
[in] BSTR system_password,
[in] BSTR user_password,
[in] VARIANT user_data,
[out] VARIANT* auth_data,
[out] VARIANT* privileges,
[in,out,optional] VARIANT* exceptionInfo);
Sub build_auth_data(user_name As String, client_name As String,
system_password As String, user_password As String, user_data,
auth_data, privileges, [exceptionInfo])
Arguments
user_name
client_name
system_password
user_password
user_data
auth_data
privileges
exceptioninfo
Note: If user_name, client_name, or system_password is NULL or empty, or exceeds 30 characters, the subsequent authenticate method invocation raises the CORBA::BAD_PARAM exception.
Note: The user_password and user_data parameters are mutually exclusive, depending on the requirements of the authentication service used in the configuration of the Oracle Tuxedo domain. The default authentication service expects a user password. A customized authentication service may require user data. If both user_password and user_data are specified, the subsequent authentication call raises the CORBA::BAD_PARAM exception.
Description
This method is a helper function that creates authentication data and attributes to be used by DITobj_PrincipalAuthenticator.authenticate.
Note: This method raises CORBA::BAD_INV_ORDER if it is called with an invalid SecurityCurrent object.
Always returns Security::AuthenticationStatus::SecAuthFailure.
HRESULT continue_authentication(
[in] VARIANT response_data,
[in,out] DISecurityLevel2_Credentials** creds,
[out] VARIANT* continuation_data,
[out] VARIANT* auth_specific_data,
[in,out,optional] VARIANT* exceptionInfo,
[out,retval] Security_AuthenticationStatus* returnValue);
Function continue_authentication(response_data,
creds As DISecurityLevel2_Credentials, continuation_data,
auth_specific_data, [exceptionInfo]) As
Security_AuthenticationStatus
Because the Oracle Tuxedo software does authentication in one step, this method always fails and returns Security::AuthenticationStatus::SecAuthFailure.
Always returns SecAuthFailure.
Gets the type of authentication expected by the Oracle Tuxedo domain.
HRESULT get_auth_type(
[in, out, optional] VARIANT* exceptionInfo,
[out, retval] Tobj_AuthType* returnValue);
Function get_auth_type([exceptionInfo]) As Tobj_AuthType
exceptioninfo
This method returns the type of authentication expected by the Oracle Tuxedo domain.
Note: This method raises CORBA::BAD_INV_ORDER if it is called with an invalid SecurityCurrent object.
A reference to the Tobj_AuthType enumeration. The following table describes the valid return values.
Logs in to the Oracle Tuxedo domain. The correct input parameters depend on the authentication level.
HRESULT logon(
[in] BSTR user_name,
[in] BSTR client_name,
[in] BSTR system_password,
[in] BSTR user_password,
[in] VARIANT user_data,
[in,out,optional] VARIANT* exceptionInfo,
[out,retval] Security_AuthenticationStatus*
returnValue);
Function logon(user_name As String, client_name As String,
system_password As String, user_password As String,
user_data, [exceptionInfo]) As Security_AuthenticationStatus
For remote CORBA client applications, this method authenticates the client application via the IIOP Listener/Handler so that the remote client application can access an Oracle Tuxedo domain. This method is functionally equivalent to DITobj_PrincipalAuthenticator.authenticate, but the parameters are oriented to security.
user_name
TOBJ_NOAUTH, TOBJ_SYSAUTH, and TOBJ_APPAUTH authentication levels.
client_name
TOBJ_NOAUTH, TOBJ_SYSAUTH, and TOBJ_APPAUTH authentication levels.
TOBJ_SYSAUTH and TOBJ_APPAUTH authentication levels.
user_password
TOBJ_APPAUTH authentication level.
TOBJ_APPAUTH authentication level.
Note: If user_name, client_name, or system_password is NULL or empty, or exceeds 30 characters, the subsequent authenticate method invocation raises the CORBA::BAD_PARAM exception.
Note: If the authorization level is TOBJ_APPAUTH, only one of user_password or user_data may be supplied.
exceptioninfo
The following table describes the valid return values.
Discards the current security context associated with the CORBA client application.
HRESULT logoff([in, out, optional] VARIANT* exceptionInfo);
This call discards the context associated with the CORBA client application, but does not close the network connections to the Oracle Tuxedo domain. Logoff also invalidates the current credentials. After logging off, calls using existing object references fail if the authentication type is not TOBJ_NOAUTH.
If the client application is currently authenticated to an Oracle Tuxedo domain, calling Tobj_Bootstrap.destroy_current() calls logoff implicitly.
exceptioninfo
The DISecurityLevel2_Credentials object is an Oracle implementation of the CORBA Security model. In this release of the Oracle Tuxedo software, the get_attributes() and is_valid() methods are supported.
Gets the attribute list attached to the credentials.
HRESULT get_attributes(
[in] VARIANT attributes,
[in,out,optional] VARIANT* exceptionInfo,
[out,retval] VARIANT* returnValue);
Function get_attributes(attributes, [exceptionInfo])
attributes
exceptioninfo
This method returns the attribute list attached to the credentials of the client application. In the list of attribute types, you are required to include only the type value(s) for the attributes you want returned in the AttributeList. Attributes are not currently returned based on attribute family or identities. In most cases, this is the same result you would get if you called DISecurityLevel2.Current::get_attributes(), since there is only one valid set of credentials in the client application at any instant in time. The results could be different if the credentials are not currently in use.
A variant containing an array of DISecurity_SecAttribute objects.
Checks the status of credentials.
HRESULT is_valid(
[out] IDispatch** expiry_time,
[in,out,optional] VARIANT* exceptionInfo,
[out,retval] VARIANT_BOOL* returnValue);
Function is_valid(expiry_time As Object,
[exceptionInfo]) As Boolean
This method returns TRUE if the credentials used are active at the time; that is, you did not call DITobj_PrincipalAuthenticator.logoff or destroy_current. If this method is called after DITobj_PrincipalAuthenticator.logoff(), FALSE is returned. If this method is called after destroy_current(), the CORBA::BAD_INV_ORDER exception is raised.
The output expiry_time is returned as a DITimeBase_UtcT object set to max.
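The following Visual Basic example is added here and is not part of the Oracle documentation. It ties the methods above together: it asks the domain for its authentication level, logs on with only the parameters that level calls for, confirms the resulting credentials with is_valid, and checks that logoff invalidates them. Assumptions: the Tuxedo Automation type library is referenced, SecAuthSuccess is the success value of Security_AuthenticationStatus, an Empty Variant and an empty string count as unsupplied user_data and user_password, and CORBA exceptions surface as run-time errors when exceptionInfo is omitted; LogonChecked, LogoffChecked and LenOk are names made up for the example.

```vb
' Added example, not Oracle's code. Assumes the Tuxedo Automation type library
' is referenced so that the type and enum names used on this page resolve.
Option Explicit

' Logs on with only the secrets the reported authentication level calls for and
' returns True only if the resulting invocation credentials are valid.
Public Function LogonChecked(secCurrent As DISecurityLevel2_Current, _
        userName As String, clientName As String, systemPassword As String, _
        userPassword As String, creds As DISecurityLevel2_Credentials) As Boolean
    Dim auth As DITobj_PrincipalAuthenticator
    Dim status As Security_AuthenticationStatus
    Dim noUserData As Variant   ' left Empty: assumed to count as "not specified"
    Dim expiry As Object

    ' Assumption: with exceptionInfo omitted, CORBA::BAD_PARAM and
    ' CORBA::BAD_INV_ORDER surface as Visual Basic run-time errors.
    On Error GoTo Failed

    ' The 30-character rule from the notes, checked before any remote call.
    If Not (LenOk(userName) And LenOk(clientName) And LenOk(systemPassword)) Then Exit Function

    Set auth = secCurrent.principal_authenticator
    Select Case auth.get_auth_type()
        Case TOBJ_SYSAUTH   ' assumed: an empty user_password means "not supplied"
            status = auth.logon(userName, clientName, systemPassword, "", noUserData)
        Case TOBJ_APPAUTH   ' user_password only; user_data stays unset
            status = auth.logon(userName, clientName, systemPassword, userPassword, noUserData)
        Case Else           ' TOBJ_NOAUTH or unexpected value: nothing authenticated
            Exit Function
    End Select
    ' SecAuthSuccess is assumed from the CORBA Security AuthenticationStatus enum.
    If status <> SecAuthSuccess Then Exit Function

    Set creds = secCurrent.get_credentials(SecInvocationCredentials)
    LogonChecked = creds.is_valid(expiry)
Failed:
End Function

Private Function LenOk(s As String) As Boolean
    LenOk = (Len(s) >= 1 And Len(s) <= 30)
End Function

' Ends the session, then confirms the credentials held from logon are inactive.
Public Function LogoffChecked(secCurrent As DISecurityLevel2_Current, _
        creds As DISecurityLevel2_Credentials) As Boolean
    Dim expiry As Object
    secCurrent.principal_authenticator.logoff
    LogoffChecked = Not creds.is_valid(expiry)
End Function
```

LogonChecked returns False on any run-time error or non-success status, so the caller never proceeds on a partially established session.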