Notes: This chapter describes how to use authentication. For a complete description of all the security features available in the CORBA security environment and instructions for implementing the features, see Using Security in CORBA Applications in the Oracle Tuxedo online documentation.

In addition to the TOBJ_SYSAUTH information, the client application must provide application-specific information. If the default Oracle Tuxedo CORBA authentication service is used in the application configuration, the client application must provide a user password; otherwise, the client application provides authentication data that is interpreted by the custom authentication service in the application.

Note: If a client application is not authenticated and the security level is TOBJ_NOAUTH, the IIOP Listener/Handler of the Oracle Tuxedo domain registers the client application with the username and client application name sent to the IIOP Listener/Handler.

In the Oracle Tuxedo CORBA security environment, only the PrincipalAuthenticator and Credentials properties on the SecurityCurrent object are supported. For a description of the SecurityLevel1::Current and SecurityLevel2::Current interfaces, see the CORBA Programming Reference in the Oracle Tuxedo online documentation.

Figure 4‑1 illustrates how CORBA security works in an Oracle Tuxedo domain.
3. The client application uses the Tobj::PrincipalAuthenticator::get_auth_type() method to get the authentication level for the Oracle Tuxedo domain.
5. The client application uses the Tobj::PrincipalAuthenticator::logon() method to log on to the Oracle Tuxedo domain with the proper authentication information.
Note:
• The client application has a logon() operation. This operation invokes operations on the PrincipalAuthenticator object, which is obtained as part of the process of logging on to access the domain.
• The server application implements a get_student_details() operation on the Registrar object to return information about a student. After the user is authenticated, logon is complete and the get_student_details() operation accesses the database to obtain the student information needed by the client logon operation.

Figure 4‑2 illustrates the Security sample application.

Figure 4‑2 Security Sample Application

The source files for the Security sample application are located in the \samples\corba\university directory in the Oracle Tuxedo software. For information about building and running the Security sample application, see Using Security in CORBA Applications in the Oracle Tuxedo online documentation.

Table 4‑1 lists the development steps for writing an Oracle Tuxedo CORBA application that employs authentication security.

The security level for an Oracle Tuxedo domain is defined by setting the SECURITY parameter in the RESOURCES section of the configuration file to the desired security level. Table 4‑2 lists the options for the SECURITY parameter.

Table 4‑2 Options for the SECURITY Parameter

• No security is implemented in the domain. This option is the default. This option maps to the TOBJ_NOAUTH level of authentication.
• Requires that client applications provide an application password during initialization. The tmloadcf command prompts for an application password. This option maps to the TOBJ_SYSAUTH level of authentication.
• Requires an application password and performs a per-user authentication during the initialization of the client application. This option maps to the TOBJ_APPAUTH level of authentication.

In the Security sample application, the SECURITY parameter is set to APP_PW for application-level security. For information about adding security to an Oracle Tuxedo CORBA application, see Using Security in CORBA Applications in the Oracle Tuxedo online documentation.

3. Uses the get_auth_type() operation of the PrincipalAuthenticator object to return the type of authentication expected by the Oracle Tuxedo domain.

Listing 4‑1 includes the portions of the CORBA C++ client applications in the Security sample application that illustrate the development steps for security.
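Because the default for SECURITY is no authentication, a configuration review should confirm what the RESOURCES section actually sets. The following is an added example, not code from the Oracle documentation or the sample application: a small Python audit that reads a configuration file's text and reports the authentication level it maps to. It assumes the usual `*SECTION` headers and `#` comments of the configuration file, and assumes `NONE` and `USER_AUTH` as the names of the first and third options in Table 4‑2 (only `APP_PW` is named on this page); the sample configuration is constructed.

```python
# SECURITY value -> authentication level, per Table 4-2. APP_PW is named on
# the page; NONE and USER_AUTH are assumed names for the other two rows.
LEVELS = {"NONE": "TOBJ_NOAUTH", "APP_PW": "TOBJ_SYSAUTH", "USER_AUTH": "TOBJ_APPAUTH"}

# Constructed sample configuration (not from the sample application).
SAMPLE_UBB = """\
*RESOURCES
IPCKEY      55432
MASTER      SITE1
MODEL       SHM
SECURITY    APP_PW   # application password required

*MACHINES
"host1"  LMID=SITE1
"""

def resources_params(text):
    """Return {KEYWORD: value} for the RESOURCES section only."""
    params, in_resources = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("*"):                 # section header
            in_resources = line[1:].strip().upper() == "RESOURCES"
            continue
        if in_resources:
            parts = line.split(None, 1)
            if len(parts) == 2:
                params[parts[0].upper()] = parts[1].strip().strip('"')
    return params

def audit_security(text):
    """Return (security_value, auth_level, finding) for a configuration text."""
    value = resources_params(text).get("SECURITY")
    if value is None:
        return ("NONE", "TOBJ_NOAUTH", "SECURITY not set: default is no security")
    level = LEVELS.get(value.upper())
    if level is None:
        return (value, None, "value not covered by Table 4-2: review manually")
    if level == "TOBJ_NOAUTH":
        return (value, level, "no security: clients are registered with the names they send")
    return (value, level, "ok")

if __name__ == "__main__":
    print(audit_security(SAMPLE_UBB))
```

A SECURITY line placed outside the RESOURCES section is ignored by the audit, so a misplaced setting is reported as the default rather than as the level the author intended.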