List:       jboss-user
Subject:    Re: [JBoss-user] IIOP ans Security
From:       Francisco Reverbel <reverbel () ime ! usp ! br>
Date:       2003-08-29 16:04:21

Interoperable security for EJB invocations is not implemented 
yet. JBoss has security, of course, but not in an interoperable 
(CORBA-compliant) way.

The CORBA compliant way of securing EJB invocations is based
on CSIv2 (Common Secure Interoperability version 2), an OMG 
specification that our IIOP engine (JacORB) will support very 
soon. This will make it easy for us to secure EJB invocations
over IIOP. As Bill said, we are planning to do this for J2EE 
certification.

Note, however, that you will need CSIv2 support also at the 
client-side. Not all C++ ORBs support CSIv2. (I know MICO does
it, other C++ ORBs might support CSIv2 as well.)

Cheers,

Francisco


On Fri, 29 Aug 2003, Bill Burke wrote:

> We don't have this interoperability with CORBA and security at this 
> time.  It is one of the things we are planning to implement once Sun 
> grants us the license to certification (we're waiting patiently).
> 
> You would have to build a bridge until then.  Or you could fund 
> Francisco Reverbel to implement it through a JBG support contract.
> 
> I'll let Francisco chime in with more details.
> 
> Bill
> 
> Alexander Titov wrote:
> 
> > Hello.
> > 
> > In the section 8 (page 412-413) of the JBoss Administration and
> > Development Third Edition (3.2.x Series) book it is written, that
> > "Every secured EJB method invocation,... requires the authentication
> > and authorization of the caller because security information is
> > handled as a stateless attribute of the request that must be presented
> > and validated on each request". Each client-server "invocation
> > includes the method arguments passed by the client along with the user
> > identity and credentials from the client-side JAAS login performed..."
> > earlier.
> > 
> > Does it mean that JBoss RMI implementation is proprietary? Where is it
> > possible to read about these implementation details?
> > 
> > My problem is the following - I have CORBA client, which should make
> > EJB calls to JBoss container. Definitely I have to secure these
> > invocations. How should I pack the security information? Are there any
> > samples of such interoperability?
> > 
> 
> -- 
> ================
> Bill Burke
> Chief Architect
> JBoss Group LLC.
> ================
> 
> 


