Anders Hessellund Jensen wrote:
Rick McGuire wrote:
Well, Yoko will need some hooks/plugins/callbacks that will allow the OpenEJB code to interact with the ORB transport-level security. The touch points that are used in the other ORB implementations are:

Server-connections:

  1. Mechanism to configure the ORB listening socket to use a secure
     connection.
  2. A socket-factory like mechanism that will allow Geronimo to use
     its own mechanisms for creating and configuring the ServerSocket.
  3. A callback or interceptor that allows the OpenEJB security
     manager to maintain mappings of requests to the SSLSessions used
     to service the requests (if a secure transport is being used).

Client Connections:

  1. Mechanism to allow Geronimo to make the decision what type of
     connection is used for a given IOR (access to the target IOR is
     required).
  2. A socket-factory like mechanism to allow Geronimo to create and
     configure the socket as needed.


For 3, each POA apparently has an org.apache.yoko.orb.OCI.Current, which apparently can be used to get the currently used transport by looking it up in a HashMap with threads as keys. I haven't noticed any way this object is exposed to clients, but every POA has a reference to it. Perhaps we could add a getCurrentTransport method somewhere appropriate. If we do that, an interceptor could be used to maintain the mapping, just like it's done with the sunorb.

I think we are going to have to write a custom OCI plugin to handle the rest. Otherwise we would have to modify the existing IIOP plugin significantly, which I think would become a mess.

Speaking with my Geronimo hat on, I'd have to say that requiring a custom OCI plugin get written is not an acceptable solution. Adding the appropriate hooks is not that big of a change to the IIOP code... I had support for a plugin-to-the-plugin roughed out in just a day that met all of the Geronimo requirements I stated above. I shelved this solution pending checking of the secure transport code you said you were working on. Geronimo is banking a lot on being able to use Yoko in the next release, assuming it would not be difficult to hook it in as a replacement for the Sun ORB. Requiring a complete IIOP OCI plugin to be written will most likely not allow that goal to be achieved.


Best regards,
Anders
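
An added sketch of server-side touch points 2 and 3 from the list above; it is not part of the original messages and is not Yoko, Geronimo or OpenEJB code. The names `ConnectionHelper`, `TlsConnectionHelper` and `RequestSessions` are hypothetical, and it assumes each request is dispatched on the thread that accepted its transport, matching the thread-keyed lookup described in the thread.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Hypothetical hook the IIOP transport would call instead of creating the ServerSocket itself. */
interface ConnectionHelper {
    ServerSocket createServerSocket(int port, int backlog) throws IOException;
}

/** Container-side implementation: the container, not the ORB, owns the TLS policy. */
final class TlsConnectionHelper implements ConnectionHelper {
    private final SSLContext context;        // built by the container from its own keystore
    private final boolean requireClientCert; // true when the deployment demands client certificates

    TlsConnectionHelper(SSLContext context, boolean requireClientCert) {
        this.context = context;
        this.requireClientCert = requireClientCert;
    }

    @Override
    public ServerSocket createServerSocket(int port, int backlog) throws IOException {
        SSLServerSocket socket = (SSLServerSocket)
                context.getServerSocketFactory().createServerSocket(port, backlog);
        socket.setNeedClientAuth(requireClientCert); // handshake fails without a trusted client cert
        return socket;
    }
}

/** Per-thread record of the TLS session servicing the current request (touch point 3). */
final class RequestSessions {
    private static final ThreadLocal<SSLSession> CURRENT = new ThreadLocal<>();

    /** Called from the hypothetical transport callback before the request is dispatched. */
    static void enter(Socket transport) {
        SSLSession session = null;
        if (transport instanceof SSLSocket) {
            SSLSession s = ((SSLSocket) transport).getSession(); // blocks until the handshake completes
            if (s.isValid()) session = s;                         // a failed handshake yields an invalid session
        }
        CURRENT.set(session);
    }

    /** Null means a plain socket or failed handshake; callers must treat the request as unauthenticated. */
    static SSLSession current() { return CURRENT.get(); }

    /** Call in a finally block: pooled worker threads would otherwise carry a stale session into the next request. */
    static void exit() { CURRENT.remove(); }
}
```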

