[JBoss-user] IIOP ans Security
Tuesday, September 2, 2003 07:54:25 Thank you for clarification. I'll try to find another solution :) -- Best regards, Alexander On Fri, 29 Aug 2003 13:04:21 -0300 (EST), you wrote: FR Interoperable security for EJB invocations is not implemented FR yet. JBoss has security, of course, but not in an interoperable FR (CORBA-compliant) way. FR The CORBA compliant way of securing EJB invocations is based FR on CSIv2 (Common Secure Interoperability version 2), an OMG FR specification that our IIOP engine (JacORB) will support very FR soon. This will make it easy for us to secure EJB invocations FR over IIOP. As Bill said, we are planing to do this for J2EE FR certification. FR Note, however, that you will need CSIv2 support also at the FR client-side. Not all C++ ORBs support CSIv2. (I know MICO does FR it, other C++ ORBs might support CSIv2 as well.) FR Cheers, FR Francisco FR On Fri, 29 Aug 2003, Bill Burke wrote: We don't have this interoperability with CORBA and security at this time. It is one of the things we are planning to implement once Sun grants us the license to certification (we're waiting patiently). You would have to build a bridge until then. Or you could fund Francisco Reverbel to implement it through a JBG support contract. I'll let Francisco chime in with more details. Bill Alexander Titov wrote: Hello. In the section 8 (page 412-413) of the JBoss Administration and Development Third Edition (3.2.x Series) book it is written, that Every secured EJB method invocation,... requires the authentication and authorization of the caller because security information is handled as a stateless attribute of the request that must be presented and validated on each request. Each client-server invocation includes the method arguments passed by the client along with the user identity and credentials from the client-side JAAS login performed... earlier. Does it mean that JBoss RMI implementation is proprietary? Where it is possible to read about this implementation details? My problem is the following - I have CORBA client, which should make EJB calls to JBoss container. Definitely I have to secure these invocations. How should I pack the security information? Is there any samples of such interoperability? -- Bill Burke Chief Architect JBoss Group LLC. FR --- FR This sf.net email is sponsored by:ThinkGeek FR Welcome to geek heaven. FR http://thinkgeek.com/sf FR ___ FR JBoss-user mailing list FR [EMAIL PROTECTED] FR https://lists.sourceforge.net/lists/listinfo/jboss-user --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] IIOP ans Security
Hello. In the section 8 (page 412-413) of the JBoss Administration and Development Third Edition (3.2.x Series) book it is written, that Every secured EJB method invocation,... requires the authentication and authorization of the caller because security information is handled as a stateless attribute of the request that must be presented and validated on each request. Each client-server invocation includes the method arguments passed by the client along with the user identity and credentials from the client-side JAAS login performed... earlier. Does it mean that JBoss RMI implementation is proprietary? Where it is possible to read about this implementation details? My problem is the following - I have CORBA client, which should make EJB calls to JBoss container. Definitely I have to secure these invocations. How should I pack the security information? Is there any samples of such interoperability? -- Best regards, Alexander --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] IIOP ans Security
We don't have this interoperability with CORBA and security at this time. It is one of the things we are planning to implement once Sun grants us the license to certification (we're waiting patiently). You would have to build a bridge until then. Or you could fund Francisco Reverbel to implement it through a JBG support contract. I'll let Francisco chime in with more details. Bill Alexander Titov wrote: Hello. In the section 8 (page 412-413) of the JBoss Administration and Development Third Edition (3.2.x Series) book it is written, that Every secured EJB method invocation,... requires the authentication and authorization of the caller because security information is handled as a stateless attribute of the request that must be presented and validated on each request. Each client-server invocation includes the method arguments passed by the client along with the user identity and credentials from the client-side JAAS login performed... earlier. Does it mean that JBoss RMI implementation is proprietary? Where it is possible to read about this implementation details? My problem is the following - I have CORBA client, which should make EJB calls to JBoss container. Definitely I have to secure these invocations. How should I pack the security information? Is there any samples of such interoperability? -- Bill Burke Chief Architect JBoss Group LLC. --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] IIOP ans Security
Interoperable security for EJB invocations is not implemented yet. JBoss has security, of course, but not in an interoperable (CORBA-compliant) way. The CORBA compliant way of securing EJB invocations is based on CSIv2 (Common Secure Interoperability version 2), an OMG specification that our IIOP engine (JacORB) will support very soon. This will make it easy for us to secure EJB invocations over IIOP. As Bill said, we are planing to do this for J2EE certification. Note, however, that you will need CSIv2 support also at the client-side. Not all C++ ORBs support CSIv2. (I know MICO does it, other C++ ORBs might support CSIv2 as well.) Cheers, Francisco On Fri, 29 Aug 2003, Bill Burke wrote: We don't have this interoperability with CORBA and security at this time. It is one of the things we are planning to implement once Sun grants us the license to certification (we're waiting patiently). You would have to build a bridge until then. Or you could fund Francisco Reverbel to implement it through a JBG support contract. I'll let Francisco chime in with more details. Bill Alexander Titov wrote: Hello. In the section 8 (page 412-413) of the JBoss Administration and Development Third Edition (3.2.x Series) book it is written, that Every secured EJB method invocation,... requires the authentication and authorization of the caller because security information is handled as a stateless attribute of the request that must be presented and validated on each request. Each client-server invocation includes the method arguments passed by the client along with the user identity and credentials from the client-side JAAS login performed... earlier. Does it mean that JBoss RMI implementation is proprietary? Where it is possible to read about this implementation details? My problem is the following - I have CORBA client, which should make EJB calls to JBoss container. Definitely I have to secure these invocations. How should I pack the security information? Is there any samples of such interoperability? -- Bill Burke Chief Architect JBoss Group LLC. --- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user