BEA WebLogic Server Release 6.1

WebLogic jCOM Reference Guide

Security/Authentication

 

The following section is split into four sections:

 


Authenticating using JNDI with WebLogic Server

If your client application supplies security credentials (for example, a username and password) that WLS then uses to authenticate access through JNDI authentication, you need to do the following:

  1. Enable JNDI authentication in the jCOM bridge.

    The jCOM bridge is what allows COM clients (such as Excel) to access EJBs hosted on WebLogic Server. To provide JNDI authentication, you need to add the appropriate properties before calling InitialContext:

    Context.SECURITY_AUTHENTICATION
    Context.SECURITY_PRINCIPAL
    Context.SECURITY_CREDENTIALS

    Look at the jCOM bridge provided with the WebLogic jCOM examples (e.g. c:\bea\wlserver6.1\jcom\samples\JCOMBridge.java). You will find the above three lines of code commented out in the login method; uncomment them.

  2. Use or obtain a username and password in the client application.

    For example, for VBA:

    'Access the jCOM bridge (without accessing any jCOM files)
    Set objBridge = GetObject("objref:...:")

    'Set the username and password for JNDI Authentication
    Dim bridge As Object
    Set bridge = objBridge.get("ejb:JCOMBridge")
    bridge.login "newUsername", "newPassword"

    'Bind the EJB AccountHome object via JNDI
    Set mobjHome = objBridge.get("ejb:beanManaged.AccountHome")

    For more information on JNDI Authentication with WebLogic Server, see: http://download.oracle.com/docs/cd/E13222_01/wls/docs61/security/prog.html#1024165.
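
The two steps above, seen from the Java side, as an added example that is not the shipped JCOMBridge.java: a hypothetical login helper that sets the three properties before creating the InitialContext and refuses blank credentials instead of falling back to an unauthenticated context. The factory class, the provider URL, the "simple" mechanism value and the class and method names are assumptions; the lookup name is taken from the VBA snippet, and weblogic.jar must be on the classpath.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Hypothetical bridge login helper; not the code shipped in JCOMBridge.java.
public class BridgeLoginExample {
    // Assumed values: adjust to your server.
    static final String FACTORY = "weblogic.jndi.WLInitialContextFactory";
    static final String URL = "t3://localhost:7001";

    /** Builds the JNDI environment with the three security properties set. */
    static Hashtable<String, Object> buildEnv(String user, String password) {
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            // Refuse to continue without credentials rather than connect unauthenticated.
            throw new IllegalArgumentException("username and password are required");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // assumed mechanism value
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** Returns an authenticated context, or throws if the server rejects the login. */
    static Context login(String user, String password) throws NamingException {
        try {
            return new InitialContext(buildEnv(user, password));
        } catch (AuthenticationException e) {
            // Report the failure without echoing the credential.
            throw new AuthenticationException("JNDI login rejected for user " + user);
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample credentials, matching the VBA call above.
        Context ctx = login("newUsername", "newPassword");
        try {
            Object home = ctx.lookup("beanManaged.AccountHome");
            System.out.println("Bound: " + home.getClass().getName());
        } finally {
            ctx.close();
        }
    }
}
```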

 


Authenticating Java clients accessing COM components

WebLogic jCOM lets you access COM Components from Java using no authentication, or with the equivalent of Connect level authentication.

Running your Java code under Windows

If running under Windows, and you wish WebLogic jCOM to pick up your current identity automatically, simply place the WebLogic jCOM bin directory in your PATH environment variable.

Running your Java code on non-Windows platforms

If not running under Windows, or if you don't want WebLogic jCOM to use native code to pick up your current identity, call AuthInfo.setDefault(...) at the start of your program to set the authentication to be used on a process-wide basis when creating and using COM components.

You may override this process-wide default using AuthInfo.setThreadDefault(...), which establishes the authentication to be used for the current thread. To clear the authentication established for the current thread, call AuthInfo.setThreadDefault(null).

It is strongly recommended that you call AuthInfo.setDefault(...) to establish the authentication to be used on a JVM-wide basis, so that WebLogic jCOM daemon threads can perform authenticated communications (for example when releasing COM object references that have been garbage collected).

WebLogic jCOM currently only supports Authentication, not Encryption. If you would like encryption added, then please contact us.

Verifying that authenticated access is taking place

Under Windows NT, you may verify that authenticated access is taking place.

Start the User Manager for Domains tool using Start|Programs|Administrative Tools|User Manager for Domains, and then display the Audit Policies dialog using Policies|Audit.

From there you may enable the auditing of logins and logoffs:


 

Having enabled the auditing, start the Event Viewer using Start|Programs|Administrative Tools|Event Viewer, and view the security log using Log|Security.


 

WebLogic jCOM will send the name of the host under which it is running, with the string "(jCOM)", to be logged as the workstation name.

 


Identifying the identity of COM clients calling your Java code

When a COM client invokes methods in your Java object via WebLogic jCOM's DCOM engine, you can call:

 


Authenticating NT domain/user/passwords from pure Java software

To validate a domain/user/password from a Java program running on a UNIX box (or anywhere), use the static com.bea.jcom.NTLMAuthenticate.validate(...) method.

This is the Javadoc associated with the method:

    public static void validate(String pdcTcpHost,
                                String domain,
                                String user,
                                String password) throws IOException

Attempt to authenticate an NT domain/user/password. Works from anywhere that supports Java and requires no native code (just the jcom.jar runtime). No password is transmitted over the network (WebLogic jCOM implements the NT Challenge-Response mechanism). If the domain/user/password are valid then this method simply returns, otherwise a security exception is thrown.

Parameters:
pdcTcpHost - the IP name of an NT machine against which WebLogic jCOM can perform the authentication
domain - the NT Domain name of the user
user - the NT user name of the user
password - the user's password

Throws: SecurityException
if the domain/user/password are not correct

Throws: IOException
if there were problems talking to the NT box against which the authentication was to take place

Note: This method does not have anything to do with our WebLogic jCOM pure Java-COM bridge, and you never need to call it when using WebLogic jCOM to access COM objects from Java, or the reverse.

Since we have implemented the NT Challenge-Response mechanism in pure Java as part of our DCOM engine, it was trivial to expose this method, which may be useful.
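
Because validate(...) signals success only by returning normally, callers need to treat both exception types as a denial while keeping them apart for reporting. The following added example (not part of jcom.jar or of the original page) shows one way to do that; NtCredentialCheck, NtValidator, Outcome and the stub in main are hypothetical names, and the host names and credentials are constructed sample values.

```java
import java.io.IOException;

public class NtCredentialCheck {
    /** Same parameters and exceptions as NTLMAuthenticate.validate in the Javadoc above. */
    interface NtValidator {
        void validate(String pdcTcpHost, String domain, String user, String password)
                throws IOException;
    }

    enum Outcome { ACCEPTED, REJECTED, UNAVAILABLE }

    /** Maps validate()'s "returns or throws" contract onto an explicit outcome. */
    static Outcome check(NtValidator v, String host, String domain, String user, String password) {
        if (isBlank(domain) || isBlank(user) || isBlank(password)) {
            return Outcome.REJECTED;       // blank input is refused before any network exchange
        }
        try {
            v.validate(host, domain, user, password);
            return Outcome.ACCEPTED;       // a normal return is the only success path
        } catch (SecurityException e) {
            return Outcome.REJECTED;       // domain/user/password not correct
        } catch (IOException e) {
            return Outcome.UNAVAILABLE;    // NT box unreachable: still a denial, reported separately
        }
    }

    static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }

    public static void main(String[] args) {
        // Constructed stand-in so the example runs without jcom.jar or an NT host.
        // With jcom.jar on the classpath, pass com.bea.jcom.NTLMAuthenticate::validate instead.
        NtValidator stub = (host, domain, user, password) -> {
            if (host.equals("down.example")) throw new IOException("connect failed");
            if (!password.equals("correct-horse")) throw new SecurityException("bad credentials");
        };
        System.out.println(check(stub, "pdc.example", "CORP", "alice", "correct-horse"));
        System.out.println(check(stub, "pdc.example", "CORP", "alice", "wrong"));
        System.out.println(check(stub, "down.example", "CORP", "alice", "correct-horse"));
        System.out.println(check(stub, "pdc.example", "CORP", "alice", ""));
    }
}
```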

 


Listening for new connections from COM clients

This mechanism is not implemented when running in native mode.

Through WebLogic jCOM's ConnectionListener mechanism you can ask to be notified when new DCOM connections are opened and closed from COM clients, and you can reject incoming connections.

Create a class that implements the com.bea.jcom.ConnectionListener interface, and register an instance of that class by calling com.bea.jcom.Cleaner.addConnectionListener(...).

 
