[jboss-jira] [JBoss JIRA] Commented: (JBAS-8169) Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
Colin Mondesir (JIRA)
jira-events at lists.jboss.org
Fri Jul 16 06:21:11 EDT 2010
[ https://jira.jboss.org/browse/JBAS-8169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12539586#action_12539586 ]
Colin Mondesir commented on JBAS-8169:
--------------------------------------
If we want to make a service accessible through CORBA:
1) We create a standard EJB service using a standard invoker (not IIOP, no IOR Security config).
2) We create the public interfaces accessible through CORBA in an independent IDL file.
3) We create the necessary Java objects using the IDLJ plug-in.
4) We implement the servant by extending the POA object generated by IDLJ. (This servant object will then make (relay) a CORBA IIOP call to a standard EJB.)
5) We add a listener to our EJB application that will register this CORBA object at deployment using the following schema.

    // imports needed by the fragment below
    import java.lang.reflect.Field;
    import javax.naming.InitialContext;
    import org.jboss.iiop.csiv2.CSIv2Policy;
    import org.jboss.metadata.IorSecurityConfigMetaData;
    import org.omg.CORBA.Any;
    import org.omg.CORBA.ORB;
    import org.omg.CORBA.Policy;
    import org.omg.CosNaming.NamingContextExt;
    import org.omg.PortableServer.POA;

    // initialisation: look up the JBoss CORBA naming context, root POA and ORB
    InitialContext ctx = new InitialContext();
    NamingContextExt rootNC = (NamingContextExt) ctx.lookup("java:JBossCorbaNaming");
    POA poa = (POA) ctx.lookup("java:JBossCorbaPOA");
    ORB orb = (ORB) ctx.lookup("java:JBossCorbaORB");

    // using reflection, we create an IorSecurityConfigMetaData with our custom realm
    IorSecurityConfigMetaData data = new IorSecurityConfigMetaData();
    Class<?> asConfigClass = data.getAsContext().getClass();
    Class<?> sasConfigClass = data.getSasContext().getClass();
    Field realm = asConfigClass.getDeclaredField("realm");
    realm.setAccessible(true);
    realm.set(data.getAsContext(), "weblogicDEFAULT");
    Field propagation = sasConfigClass.getDeclaredField("callerPropagation");
    propagation.setAccessible(true);
    propagation.set(data.getSasContext(), "SUPPORTED");

    // wrap the metadata in a CSIv2 policy for the child POA
    Any secPolicy = orb.create_any();
    secPolicy.insert_Value(data);
    Policy csiv2Policy = orb.create_policy(CSIv2Policy.TYPE, secPolicy);
    Policy[] policies = new Policy[] { csiv2Policy };
    poa.the_POAManager().activate();

    // Create a secure child POA (reuse it if it already exists)
    POA childPOA = null;
    try {
        childPOA = poa.find_POA("csiv2POA", true);
    } catch (org.omg.PortableServer.POAPackage.AdapterNonExistent e) {
        logger.info("csiv2POA do not exist => Beeing created");
        childPOA = poa.create_POA("csiv2POA", poa.the_POAManager(), policies);
    }

    // register the servant in the secure POA and activate it
    childPOA.activate_object(servant);
    childPOA.the_POAManager().activate();

    // add the service in the naming directory
    org.omg.CORBA.Object o = childPOA.servant_to_reference(servant);
    createContext(nsPath, rootNC);
    rootNC.rebind(rootNC.to_name(nsPath), o);

As you can see, the way we register CORBA objects does not allow us to use the IOR configuration available in the deployment descriptor. The code presented above allows us to register CORBA services with our custom realm and to change the callerPropagation setting.
Nevertheless, we would like to avoid reflection. We propose that you either make it possible to set these values through a configuration XML file or make the constructor of IorSecurityConfigMetaData public.
Furthermore, we noticed that the CSIV2 security settings are not propagated to the EJB in this configuration, although the CSIV2 security context is correctly intercepted by org.jboss.iiop.csiv2.SASTargetInterceptor.
Why don't you populate the SecurityAssociation variable with these intercepted values?
If this is a desired feature, how can we access the CSIV2 security context in our CORBA servant in order to forward it to the EJB?
It is really important for us to be able to use this architecture to register CORBA services and that the security context is correctly propagated.
> Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
> --------------------------------------------------------------------------------
>
> Key: JBAS-8169
> URL: https://jira.jboss.org/browse/JBAS-8169
> Project: JBoss Application Server
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: IIOP service
> Affects Versions: JBossAS-4.2.2.GA, JBossAS-5.1.0.GA, 6.0.0.M3
> Reporter: Dimitris Andreadis
> Assignee: Stefan Guilhen
>
> User wants to allow the configuration of all IOR default parameters that are hard coded in org.jboss.metadata.IorSecurityConfigMetaData ([SasContext : callerPropagation] and [AsContext : authMethod, realm, required] and [TransportConfig : integrity, confidentiality, detectMisordering, detectReplay, establishTrustInTarget, establishTrustInClient]).
> Mostly they want to be able to configure [AsContext : realm] and [SasContext : callerPropagation]