Security Modules

Security Modules

Security Modules

This topic contains the Object Management Group (OMG) Interface Definition Language (IDL) definitions for the following modules that are used in the CORBA security model:

•

CORBA

•

TimeBase

•

Security

•

Security Level 1

•

Security Level 2

•

Tobj

Notes:

The Oracle Tuxedo CORBA Java client and Oracle Tuxedo CORBA Java client ORB were deprecated in Tuxedo 8.1 and are no longer supported. All Oracle Tuxedo CORBA Java client and Oracle Tuxedo CORBA Java client ORB text references, associated code samples, should only be used to help implement/run third party Java ORB libraries, and for programmer reference only.

Technical support for third party CORBA Java ORBs should be provided by their respective vendors. Oracle Tuxedo does not provide any technical support or documentation for third party CORBA Java ORBs.

CORBA Module

The OMG added the CORBA::Current interface to the CORBA module to support the Current pseudo-object. This change enables the CORBA module to support Security Replaceability and Security Level 2.

Listing 13‑1 shows the CORBA::Current interface OMG IDL statements.

Note:

This information is taken from CORBAservices: Common Object Services Specification, p. 15-230. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.

Listing 13‑1 CORBA::Current Interface OMG IDL Statements

module CORBA {
// Extensions to CORBA
interface Current {
};
};

TimeBase Module

All data structures pertaining to the basic Time Service, Universal Time Object, and Time Interval Object are defined in the TimeBase module. This allows other services to use these data structures without requiring the interface definitions. The interface definitions and associated enums and exceptions are encapsulated in the TimeBase module.

Listing 13‑2 shows the TimeBase module OMG IDL statements.

Note:

This information is taken from CORBAservices: Common Object Services Specification, p. 14-5. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.

Listing 13‑2 TimeBase Module OMG IDL Statements

// From time service
module TimeBase {
       // interim definition of type ulonglong pending the
       // adoption of the type extension by all client ORBs.
       struct ulonglong {
              unsigned long low;
              unsigned long high;
       };
       typedef ulonglong TimeT;
       typedef short TdfT;
       struct UtcT {
              TimeT time; // 8 octets
              unsigned long inacclo; // 4 octets
              unsigned short inacchi; // 2 octets
              TdfT tdf; // 2 octets
                                           // total 16 octets
       };
};

Table 13‑1 defines the TimeBase module data types.

Note:

This information is taken from CORBAservices: Common Object Services Specification, p. 14-6. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.

Table 13‑1 TimeBase Module Data Type Definitions

Data Type

Definition

Time ulonglong

OMG IDL does not at present have a native type representing an unsigned 64-bit integer. The adoption of technology submitted against that RFP will provide a means for defining a native type representing unsigned 64-bit integers in OMG IDL.

Pending the adoption of that technology, you can use this structure to represent unsigned 64-bit integers, understanding that when a native type becomes available, it may not be interoperable with this declaration on all platforms. This definition is for the interim, and is meant to be removed when the native unsigned 64-bit integer type becomes available in OMG IDL.

Time TimeT

TimeT represents a single time value, which is 64-bit in size, and holds the number of 100 nanoseconds that have passed since the base time. For absolute time, the base is 15 October 1582 00:00.

Time TdfT

TdfT is of size 16 bits short type and holds the time displacement factor in the form of seconds of displacement from the Greenwich Meridian. Displacements east of the meridian are positive, while those to the west are negative.

Time UtcT

UtcT defines the structure of the time value that is used universally in the service. When the UtcT structure is holding, a relative or absolute time is determined by its history. There is no explicit flag within the object holding that state information. The inacclo and inacchi fields together hold a value of type InaccuracyT packed into 48 bits. The tdf field holds time zone information. Implementation must place the time displacement factor for the local time zone in this field whenever it creates a Universal Time Object (UTO).

The content of this structure is intended to be opaque; to be able to marshal it correctly, the types of fields need to be identified.

Security Module

The Security module defines the OMG IDL for security data types common to the other security modules. This module depends on the TimeBase module and must be available with any ORB that claims to be security ready.

Listing 13‑3 shows the data types supported by the Security module.

Note:

This information is taken from CORBAservices: Common Object Services Specification, p. 15-193 to 15-195. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.

Listing 13‑3 Security Module OMG IDL Statements

module Security {
       typedef sequence<octet> Opaque;

       // Extensible families for standard data types
       struct ExtensibleFamily {
              unsigned short family_definer;
              unsigned short family;
        };

       //security attributes
       typedef unsigned long SecurityAttributeType;

       // identity attributes; family = 0
       const SecurityAttributeType AuditId = 1;
       const SecurityAttributeType AccountingId = 2;
       const SecurityAttributeType NonRepudiationId = 3;

       // privilege attributes; family = 1
       const SecurityAttributeType Public = 1;
       const SecurityAttributeType AccessId = 2;
       const SecurityAttributeType PrimaryGroupId = 3;
       const SecurityAttributeType GroupId = 4;
       const SecurityAttributeType Role = 5;
       const SecurityAttributeType AttributeSet = 6;
       const SecurityAttributeType Clearance = 7;
       const SecurityAttributeType Capability = 8;

       struct AttributeType {
              ExtensibleFamily attribute_family;
              SecurityAttributeType attribute_type;
       };

       typedef sequence <AttributeType> AttributeTypeLists;
       struct SecAttribute {
              AttributeType attribute_type;
              Opaque defining_authority;
              Opaque value;
              // The value of this attribute can be
              // interpreted only with knowledge of type
       };

       typedef sequence<SecAttribute> AttributeList;

       // Authentication return status
       enum AuthenticationStatus {
              SecAuthSuccess,
              SecAuthFailure,
              SecAuthContinue,
              SecAuthExpired
       };

       // Authentication method
        typedef unsigned long   AuthenticationMethod;

       enum CredentialType {
              SecInvocationCredentials;
              SecOwnCredentials;
              SecNRCredentials

       // Pick up from TimeBase
       typedef TimeBase::UtcT   UtcT;
};

Table 13‑2 describes the Security module data type.

Table 13‑2 Security Module Data Type Definition

Data Type

Definition

sequence<octet>

Data whose representation is known only to the Security Service implementation.

Security Level 1 Module

This section defines those interfaces available to client application objects that use only Level 1 Security functionality. This module depends on the CORBA module and the Security and TimeBase modules. The Current interface is implemented by the ORB.

Listing 13‑4 shows the Security Level 1 module OMG IDL statements.

Note:

This information is taken from CORBAservices: Common Object Services Specification, p. 15-198. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.

Listing 13‑4 Security Level 1 Module OMG IDL Statements

module SecurityLevel1 {
       interface Current : CORBA::Current { // PIDL
              Security::AttributeList get_attributes(
              in Security::AttributeTypeList attributes
            );
       };
};

Security Level 2 Module

This section defines the additional interfaces available to client application objects that use Level 2 Security functionality. This module depends on the CORBA and Security modules.

Listing 13‑5 shows the Security Level 2 module OMG IDL statements.

Note:

This information is taken from CORBAservices: Common Object Services Specification, p. 15-198 to 15-200. Revised Edition: March 31, 1995. Updated: November 1997. Used with permission by OMG.

Listing 13‑5 Security Level 2 Module OMG IDL Statements

module SecurityLevel2 {
       // Forward declaration of interfaces
       interface PrincipalAuthenticator;
       interface Credentials;
       interface Current;
       // Interface Principal Authenticator
       interface PrincipalAuthenticator {
              Security::AuthenticationStatus authenticate(
                   in Security::AuthenticationMethod method,
                   in string security_name,
                   in Security::Opaque auth_data,
                   in Security::AttributeList privileges,
                   out Credentials creds,
                   out Security::Opaque continuation_data,
                   out Security::Opaque auth_specific_data
             );

             Security::AuthenticationStatus
                          continue_authentication(
                     in Security::Opaque response_data,
                     inout Credentials creds,
                     out Security::Opaque continuation_data,
                     out Security::Opaque auth_specific_data
             );
        };

       // Interface Credentials
       interface Credentials {
              attribute Security::AssociationOptions
                                  invocation_options_supported;
              attribute Security::AssociationOptions
                                   invocation_options_required;
              Security::AttributeList get_attributes(
                   in Security::AttributeTypeList attributes
              );
              boolean is_valid(
                     out Security::UtcT expiry_time
              );
       };

       // Interface Current derived from SecurityLevel1::Current
       // providing additional operations on Current at this
       // security level. This is implemented by the ORB.
       interface Current : SecurityLevel1::Current { // PIDL
              void set_credentials(
                     in Security::CredentialType cred_type,
                     in Credentials cred
              );

              Credentials get_credentials(
                   in Security::CredentialType cred_type
              );
              readonly attribute PrincipalAuthenticator
                        principal_authenticator;
      };
};

Tobj Module

This section defines the Tobj module interfaces.

This module provides the interfaces you use to program the ATMI-style of authentication.

Listing 13‑6 shows the Tobj module OMG IDL statements.

Listing 13‑6 Tobj Module OMG IDL Statements

//Tobj Specific definitions

        //get_auth_type () return values
        enum AuthType {
              TOBJ_NOAUTH,
              TOBJ_SYSAUTH,
              TOBJ_APPAUTH
       };
       typedef sequence<octet> UserAuthData;
       interface PrincipalAuthenticator :
              SecurityLevel2::PrincipalAuthenticator { // PIDL
               AuthType get_auth_type();
             Security::AuthenticationStatus logon(
                     in string user_name,
                     in string client_name,
                     in string system_password,
                     in string user_password,
                     in UserAuthData user_data
                );
                void logoff();

                 void build_auth_data(
                     in string user_name,
                     in string client_name,
                     in string system_password,
                     in string user_password,
                     in UserAuthData user_data,
                     out Security::Opaque auth_data,
                     out Security::AttributeList privileges
              );
        };
};

Data Type	Definition
Time ulonglong	OMG IDL does not at present have a native type representing an unsigned 64-bit integer. The adoption of technology submitted against that RFP will provide a means for defining a native type representing unsigned 64-bit integers in OMG IDL. Pending the adoption of that technology, you can use this structure to represent unsigned 64-bit integers, understanding that when a native type becomes available, it may not be interoperable with this declaration on all platforms. This definition is for the interim, and is meant to be removed when the native unsigned 64-bit integer type becomes available in OMG IDL.
Time TimeT	TimeT represents a single time value, which is 64-bit in size, and holds the number of 100 nanoseconds that have passed since the base time. For absolute time, the base is 15 October 1582 00:00.
Time TdfT	TdfT is of size 16 bits short type and holds the time displacement factor in the form of seconds of displacement from the Greenwich Meridian. Displacements east of the meridian are positive, while those to the west are negative.
Time UtcT	UtcT defines the structure of the time value that is used universally in the service. When the UtcT structure is holding, a relative or absolute time is determined by its history. There is no explicit flag within the object holding that state information. The inacclo and inacchi fields together hold a value of type InaccuracyT packed into 48 bits. The tdf field holds time zone information. Implementation must place the time displacement factor for the local time zone in this field whenever it creates a Universal Time Object (UTO). The content of this structure is intended to be opaque; to be able to marshal it correctly, the types of fields need to be identified.

Data Type	Definition
sequence<octet>	Data whose representation is known only to the Security Service implementation.