Authorization is the process of verifying that the user has the authority to perform the requested operations on the server. For example, when a client accesses an enterprise bean method the server must verify that the user of the client has the authority to perform such an access. Authorization occurs after authentication (confirming the user's identity).
The class RolePermission is defined to represent “role” as permission. The Authorization Services Provider in turn provides the implementation on the homogeneous collection of
RolePermissions contained for an association between given privileges and a particular resource.
A role entry is made up of a role name and a list of rules within curly braces (“{}”). A role must be made up of one or more rules. Each rule is a single line containing a list of comma-separated
assertions for proper access identifications. Similarly, each rule must contain one or more assertions.
Each line in the Role Entry is a rule. Rules are read top-to-bottom, and authorization proceeds until one or none succeeds. That is, each rule is read as though separated by an “OR” operator.
Assertions are separated on the same line by a comma (“,”). Assertions are read left-to-right, and all assertions must succeed in order for the rule to succeed. That is, each assertions in a rule is read as though separated by an “AND” operator.
This defines two roles, ServerAdministrator and
Customer along with a set of rules and attributes which define them.
A value can be any string, but the wildcard character, “*” has special uses. For example, the attribute/value pair
GROUP=* matches for all GROUPs. The following role has two associated rules:
The role manager has two rules associated with it. In the first rule, anyone named Kitty is authorized for
manager, regardless of Kitty's associated group at the time. The second rule authorizes anyone in the group
SalesForce1, regardless of their common-name (
CN).
You make a wildcard assertion by placing the wildcard character (“*”) in front of the assertion(s) in one of two ways. You may place the wildcard character in front of a single assertion, meaning that all possible security attributes are accepted but they must contain the single assertion. Or, you may place the wildcard character in front of a list of assertions separated by commas within parentheses. This means all possible security attributes are accepted but they
must contain the assertions listed in the parentheses.
Each role provides limited extensibility to others. You may, as a part of a role entry, specify a role=existing-role-name assertion that can extend an earlier role. You can also use customized code as your authorization mechanism rather than Role DB syntax by using the Authorization Provider Interface.
You can refer to the rules from an existing role by using the rule-reference assertion—role=role-name. For example, let's say we have a group of marketers who are also sales supervisors that need to be authorized to the same code as Sales Supervisors. Building upon the
SalesSupervisor code sample, we can create a new role entry as follows:
During the initialization of the ORB itself, the authorization domain is defined by the property vbroker.security.authDomains. Each Role DB file is associated with an
authorization domain. An authorization domain is a security context that is used to separate role DBs and hence their authorization permissions. For more information on the authorization domain in the context of the basic security model, see
“Basic security model”.
The path of the Role DB file is associated with the authorization domain <domain-name>. Although this can be a relative path, Micro Focus recommends you make this path fully-qualified.
A Run-as Alias is a string identifying an authentication identity. It is defined in the vault and scoped within the VisiBroker ORB. This alias then represents a particular user. The identity is mapped to the alias using either the Context APIs or by defining it in the vault. The vault can contain a list of run-as aliases and the corresponding authenticating credentials for the identity to run-as. In both cases, the authenticating credentials (from the vault or wallet) are passed to the LoginModules, which authenticate those credentials and set them as fully authenticated identities corresponding to those credentials in the run-as map.
This interface returns the authorization domain from the domain() method and uses it to set the access manager in the
ServerQopConfig object. The domain specifies the name of the authorization domain associated with the proper rolemap. You set the location and name of the rolemap by setting the property:
where <authorization-domain-name> is a tautology, and
<rolemap-path> is a relative path to the rolemap file.
The getAccessPolicy() method takes an instance of the servant, the object identity, and the adapter identity and returns an implementation of the
ObjectAccessPolicy interface.
The getRequiredRoles() method takes a method name as its argument and returns a sequence of roles. The
getRunAsRole() method returns a run-as role, if any, for accessing the method.
In the corbaauthz example in the <install_dir>\examples\vbroker\security folder, the authorization requirement for the BankManager object is that the clients should be a member of the "Manager" role and for the Account it is "Customer" or "Teller" role.
Any authenticated user with username=Administrator is a member of the role ‘Manager’.
Any authenticated user with group=cceng is a member of both role ‘Customer’ and role ‘Teller’.
In the java server properties file, add the following properties:
In the Bank.idl file, make the following changes:
In the AccountImpl.java file, modify as shown in bold below.
In the server.java file, to write the AccountManager’s reference to a file for the client to access, add the following commands:
Add a new file ConverterServer.java. This file is the same
server.java file that is in the corba authz example. Add the following that is given in bold:
Setting the vbroker.security.domain.<domain-name>.runas.<role-name> property effectively maps an alias to a bean's run-as role. Upon successful authorization, but before method invocation, the container checks the Run-as role specified in the EJB's deployment descriptor for the called method. If a run-as role exists, the container checks to see if there is an alias as well. If there is, when the bean makes an outgoing invocation it switches to the identity for that alias.
Similar to the vault are other properties which only belong to the orb.properties file. These include secure listener ports, thread monitoring, and so forth.
In addition to ensuring the confidentiality and integrity of transmitted messages, you need to communicate caller identity and authentication information between clients and servers. This is called delegation. The caller identity also needs to be maintained in the presence of multiple tiers in an invocation path. This is because a single call to a mid-tier system may result in further calls being invoked on other systems which must be executed based on the privileges attributed to the original caller.
In a distributed environment, it is common for a mid-tier server to make identity assertions and act on behalf of the caller. The end-tier server must make decision on whether the assertion is trusted or not. When propagating context, the client transfers the following information:
Identity assertion occurs when several servers with secure components are involved in a client request. At times, it is necessary for a server to act on behalf of its clients—when a client request is passed from one server to another. This is typical in the case where a client calls a mid-tier server, and the server further needs to call an end-tier server to perform a part of the service requested by the client. At such times, the mid-tier server typically needs to act on behalf of the client. In other words, it needs to let the end-tier server know that while it (the mid-tier server) is communicating with the end-tier server, access control decisions must be based on the original caller's privileges and not its privileges.
Impersonation is the form of identity assertion where there is no restriction on what resources the mid-tier server can access on the end-tier server. The mid-tier server can perform any task on behalf of the client.
The inverse of impersonation, delegation is the form of identity assertion where the client explicitly delegates certain privileges to the server. In this case, the server is allowed to perform only certain actions as dictated by the client. VisiSecure performs only simple delegation.
The identity assertion example in the \\VisiBroker\examples\vbroker\security\assertion example folder illustrates the use of identity assertion APIs which can be used to explicitly assert an identity as caller.
The exception CORBA::NO_PERMISSION is thrown because only the asserted identity is authorized to make the invocation under the server configuration.
|
|
|
|
|
If set to true, at initialization time this property tries to log on to all realms listed by property vbroker.security.login.realms.
|
|
|
|
none—Authentication is not required. During handshake, no certificate request will be sent to the peer. Regardless of whether the peer has certificates, a connection will be accepted. There will be no transport identity for the peer.
|
|
This property is used to specify a list of trusted roles (specify with the format <role>@<authorization_domain>). < n> is uniquely identified for each trust assertion rule as a list of digits.
For example, setting vbroker.security.assertions.trust.1=ServerAdmin@default means this process trusts any assertion made by the ServerAdmin role in the default authorization domain.
|
|
|
|
|
Backward trust is provided “out of the box”, and is the form of trust where the server has rules to decide who it trusts to perform assertions. With backward trust, the client has no say whether the mid-tier server has the privilege to act on its behalf.
Forward trust is similar to delegation in that the client explicitly provides certain mid-tier servers the privilege to act on its behalf.