BEA WebLogic Enterprise Release 5.1

Using Security

 

This topic describes how to use security in CORBA C++, CORBA Java, and ActiveX client applications for the BEA WebLogic Enterprise software. For a more detailed description of using security in WebLogic Enterprise applications, see Using Security.

For an example of how security is implemented in working client applications, see the description of the Security sample application in the Guide to the University Sample Applications.

For an overview of the SecurityCurrent object, see Chapter 1, "Client Application Development Concepts."

 


Overview of WebLogic Enterprise Security

CORBA C++, CORBA Java, and ActiveX client applications use security to authenticate themselves to the WebLogic Enterprise domain. Authentication is the process of verifying the identity of a client application. By entering the correct logon information, the client application authenticates itself to the WebLogic Enterprise domain. The WebLogic Enterprise software uses authentication as defined in the CORBAservices Security Service and provides extensions for ease of use.

A client application must provide security information according to the security level defined in the desired WebLogic Enterprise domain. This information is defined by the WebLogic Enterprise system administrator in the UBBCONFIG file for the WebLogic Enterprise domain. When creating client applications, you must work with the WebLogic Enterprise system administrator to obtain the correct security information (such as the username and user password) for the WebLogic Enterprise domain you want to access from the client application.

 


Summary of the Development Process for Security

The steps for adding security to a client application are as follows:

Step  Description
1     Use the Bootstrap object to obtain a reference to the SecurityCurrent object in the specified WebLogic Enterprise domain.
2     Get the PrincipalAuthenticator object from the SecurityCurrent object.
3     Use the get_auth_type operation of the PrincipalAuthenticator object to return the type of authentication expected by the WebLogic Enterprise domain.
4     Log on to the WebLogic Enterprise domain using the required security information.
5     Log off the WebLogic Enterprise domain.

The following sections describe these steps and use portions of the client applications in the Security sample application to illustrate the steps. For information about the Security sample application, see the Guide to the University Sample Applications. The Security sample application is located in the following directory on the WebLogic Enterprise software kit:

drive:\WLEdir\samples\corba\university\security

 


Step 1: Using the Bootstrap Object to Obtain the SecurityCurrent Object

Use the Bootstrap object to obtain an object reference to the SecurityCurrent object for the specified WebLogic Enterprise domain. The SecurityCurrent object is a SecurityLevel2::Current object as defined by the CORBAservices Security Service. For a complete description of the SecurityCurrent object, see Using Security.

The following C++, Java, and Visual Basic examples illustrate how the Bootstrap object is used to return the SecurityCurrent object:

C++

CORBA::Object_var var_security_current_oref =
    bootstrap.resolve_initial_references("SecurityCurrent");
SecurityLevel2::Current_var var_security_current_ref =
    SecurityLevel2::Current::_narrow(var_security_current_oref.in());

Java

//Resolve the SecurityCurrent object, then narrow it to SecurityLevel2.Current
org.omg.CORBA.Object secCurObj =
    gBootstrapObjRef.resolve_initial_references("SecurityCurrent");
org.omg.SecurityLevel2.Current secCur =
    org.omg.SecurityLevel2.CurrentHelper.narrow(secCurObj);

Visual Basic

Set objSecurityCurrent = objBootstrap.CreateObject("Tobj.SecurityCurrent")

 


Step 2: Getting the PrincipalAuthenticator Object from the SecurityCurrent Object

The SecurityCurrent object returns a reference to the PrincipalAuthenticator for the WebLogic Enterprise domain. The PrincipalAuthenticator is used to get the authentication level required for a WebLogic Enterprise domain.

The following C++, Java, and Visual Basic examples illustrate how to obtain the PrincipalAuthenticator for a WebLogic Enterprise domain:

C++

//Get the PrincipalAuthenticator from the narrowed SecurityCurrent reference
SecurityLevel2::PrincipalAuthenticator_var var_principal_authenticator_oref =
    var_security_current_ref->principal_authenticator();
//Narrow the PrincipalAuthenticator
Tobj::PrincipalAuthenticator_var var_bea_principal_authenticator =
    Tobj::PrincipalAuthenticator::_narrow(
        var_principal_authenticator_oref.in());

Java

//Get the PrincipalAuthenticator
org.omg.SecurityLevel2.PrincipalAuthenticator authlevel2 =
    secCur.principal_authenticator();
//Narrow the PrincipalAuthenticator; the declared type matches the cast
com.beasys.Tobj.PrincipalAuthenticator gPrinAuthObjRef =
    (com.beasys.Tobj.PrincipalAuthenticator)
    org.omg.SecurityLevel2.PrincipalAuthenticatorHelper.narrow(authlevel2);

Visual Basic

Set objPrincAuth = objSecurityCurrent.principal_authenticator

 


Step 3: Obtaining the Authentication Level

Use the Tobj::PrincipalAuthenticator::get_auth_type() method to get the level of authentication required by the WebLogic Enterprise domain.

For a complete description of the Tobj::PrincipalAuthenticator methods, see Using Security.

The following C++, Java, and Visual Basic examples illustrate how to obtain the authentication level required by a WebLogic Enterprise domain:

C++

//Determine the security level
Tobj::AuthType auth_type = var_bea_principal_authenticator->get_auth_type();

Java

//Determine the security level
com.beasys.Tobj.AuthType authType = gPrinAuthObjRef.get_auth_type();

Visual Basic

AuthorityType = objPrincAuth.get_auth_type

 


Step 4: Logging on to the WebLogic Enterprise Domain with Proper Authentication

Use the Tobj::PrincipalAuthenticator::logon() method to log your client application into the desired WebLogic Enterprise domain. The method requires the following arguments:

The user_password and user_data arguments are mutually exclusive, depending on the authentication service used in the configuration of the WebLogic Enterprise software. If you are using an authentication service other than an authentication service provided by the WebLogic Enterprise software, provide the information required for logon in the user_data argument. The Tobj::PrincipalAuthenticator::logon() method raises a CORBA::BAD_PARAM exception if both user_password and user_data are set.

If a WebLogic Enterprise domain has a TOBJ_NOAUTH authentication level, the client application is not required to supply a user_name or client_name when logging on to the WebLogic Enterprise domain. If the client application does not log on with a user_name and client_name, the IIOP Listener/Handler of the WebLogic Enterprise domain registers the client application with the user_name and the client_name set for the IIOP Listener/Handler in the UBBCONFIG file. However, the client application can log on with any user_name and client_name.

The logon() method returns one of the following:

The following C++, Java, and Visual Basic examples illustrate how to use the Tobj::PrincipalAuthenticator::logon() method:

C++

Tobj::AuthType auth_type = var_bea_principal_authenticator->get_auth_type();
//user_data is passed as 0 because user_password is supplied
Security::AuthenticationStatus status = var_bea_principal_authenticator->logon(
    user_name,
    client_name,
    system_password,
    user_password,
    0);

Java

org.omg.Security.AuthenticationStatus status = gPrinAuthObjRef.logon(
    gUserName, ClientName, gSystemPassword, gUserPassword, 0);

Visual Basic

If AuthorityType = TOBJ_APPAUTH Then
    logonStatus = objPrincAuth.Logon( _
        UserName, _
        ClientName, _
        SystemPassword, _
        UserPassword, _
        UserData)
End If

 


Step 5: Logging off the WebLogic Enterprise Domain

The client application must log off the current WebLogic Enterprise domain before it can log on as another user in the same WebLogic Enterprise domain. Use the Tobj::PrincipalAuthenticator::logoff() method to discard the current WebLogic Enterprise authentication context and credentials. This method does not close the network connections to the WebLogic Enterprise domain. After logging off the WebLogic Enterprise domain, calls using the existing authentication fail if the authentication type is not TP_NOAUTH.
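
The logon and logoff rules from Steps 4 and 5, modeled as an added example; this is not code from the Security sample application or the WebLogic Enterprise kit. StubAuthenticator, BadParam, Session, and switch_users are hypothetical stand-ins so the block compiles without the WebLogic Enterprise headers, the user names and passwords are constructed, and the stub does not verify credentials.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical stand-ins that model only the rules stated on this page.
enum AuthType { TOBJ_NOAUTH, TOBJ_APPAUTH };  // the two levels named here
struct BadParam : std::invalid_argument {      // models CORBA::BAD_PARAM
    BadParam() : std::invalid_argument("user_password and user_data both set") {}
};

class StubAuthenticator {  // models Tobj::PrincipalAuthenticator
public:
    explicit StubAuthenticator(AuthType t) : type_(t), on_(false) {}
    // Step 4: user_password and user_data are mutually exclusive.
    bool logon(const std::string& user, const std::string& user_password,
               const std::string& user_data) {
        if (!user_password.empty() && !user_data.empty()) throw BadParam();
        if (on_) return false;  // assumption: logon without prior logoff is refused
        user_ = user; on_ = true;
        return true;
    }
    // Step 5: discards the authentication context; the connection stays open.
    void logoff() { user_.clear(); on_ = false; }
    // After logoff, calls fail unless the domain requires no authentication.
    bool call_allowed() const { return type_ == TOBJ_NOAUTH || on_; }
    const std::string& user() const { return user_; }
private:
    AuthType type_; bool on_;
    std::string user_;
};

// Scope guard: logoff() runs on every exit path, so the next user starts clean.
class Session {
public:
    Session(StubAuthenticator& a, const std::string& user, const std::string& pw)
        : auth_(a), ok_(a.logon(user, pw, "")) {}
    ~Session() { if (ok_) auth_.logoff(); }
    bool ok() const { return ok_; }
private:
    Session(const Session&);             // non-copyable: one logoff per logon
    Session& operator=(const Session&);
    StubAuthenticator& auth_; bool ok_;
};

// Logs on as two constructed users in turn; true only if both logons succeed.
bool switch_users(StubAuthenticator& a) {
    bool first, second;
    { Session s(a, "alice", "pw-a"); first = s.ok() && a.user() == "alice"; }
    { Session s(a, "bob", "pw-b"); second = s.ok() && a.user() == "bob"; }
    return first && second && a.user().empty();
}
```

In a real client the same guard would wrap the logon() and logoff() calls on the narrowed Tobj::PrincipalAuthenticator reference obtained in Step 2.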