You can install your own component that performs access control based on role membership. The component must implement the CtsSecurity::RoleService IDL interface. Your custom role service evaluates user membership in EAServer roles, so authorization in your application is still dependent on the role names associated with a package, component, method, or Web resource collection. Using a role service eliminates the need to define role memberships in EAServer Manager. For example, you might code your component to retrieve role membership information from a database.
The role service must be a stateless component that implements the CtsSecurity::RoleService IDL interface:
interface RoleService {
    boolean isMember(
        in CtsSecurity::SessionInfo sessionInfo,
        in string role);
};
isMember checks whether the authenticated client is a member of the role. The client's credentials are obtained from sessionInfo. The server first checks whether the role is defined in the repository. If the role is defined, membership checks are performed there. If the role is not defined, the server assumes that the user is not a member of the role and invokes the role service. The server caches the result of this method and reuses it for the same client/role combination for as long as the internal cache holds the relevant entry.
For more information, see the generated CtsSecurity::RoleService IDL interface documentation.
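The following is an added example, not code from the EAServer documentation: a Python stand-in for a database-backed RoleService, with isMember implemented as a parameterized query, plus a model of the server-side check order and result cache described above (repository role first, role service only for undefined roles, cached per client/role). The repository contents, the membership table and the SessionInfo dictionary are constructed sample data; in a real component the user name would come from the CtsSecurity::SessionInfo object.

```python
import sqlite3

# Constructed sample data: roles defined in the EAServer repository, which the
# server consults before falling back to the custom role service.
REPOSITORY_ROLES = {"Admin": {"alice"}}


def build_membership_db():
    """Constructed in-memory table standing in for the application's role database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE membership(user_name TEXT, role TEXT)")
    db.executemany("INSERT INTO membership VALUES (?, ?)",
                   [("bob", "Auditor"), ("alice", "Auditor")])
    return db


class DbRoleService:
    """Stand-in for a CtsSecurity::RoleService implementation; isMember is its only operation."""

    def __init__(self, db):
        self.db = db

    def isMember(self, session_info, role):
        # Role names come from deployment descriptors and the user name from the
        # session, but both are still bound as parameters, never concatenated into SQL.
        row = self.db.execute(
            "SELECT 1 FROM membership WHERE user_name = ? AND role = ?",
            (session_info["user"], role)).fetchone()
        return row is not None


class AuthorizationCheck:
    """Models the server's order of checks: cache, repository role, then role service."""

    def __init__(self, role_service):
        self.role_service = role_service
        self.cache = {}          # (user, role) -> bool, as the server caches results
        self.service_calls = 0   # counts how often the role service was actually invoked

    def is_member(self, session_info, role):
        key = (session_info["user"], role)
        if key in self.cache:
            return self.cache[key]
        if role in REPOSITORY_ROLES:
            result = session_info["user"] in REPOSITORY_ROLES[role]
        else:
            self.service_calls += 1
            result = self.role_service.isMember(session_info, role)
        self.cache[key] = result
        return result
```

Because results are cached per client/role, a membership revoked in the database stays effective until the cached entry is dropped, which is why a restart or cache flush matters after changing memberships.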
Use EAServer Manager to enable the role service. You can write an implementation of the RoleService interface and configure a server-level role service by setting the com.sybase.jaguar.server.roleservice property to the URL that accesses the component that implements this interface. Set this property using the Advanced tab of the Server Properties window.
There are two accepted forms for the URL:
You can set the URL to the EAServerPackage/EAServerComponent if the component is a Java CORBA, C++ CORBA, stateless COM or PowerBuilder NVO. The component must be installed in the server.
For example, to set the role check service, set the server-level property com.sybase.jaguar.server.roleservice=Security/RoleService, where Security is the name of the package that contains the RoleService component that implements the RoleService interface.
You can access Java CORBA and C++ CORBA components using the pseudocomponent object URL. The syntax for a Java pseudocomponent is:
pseudo://java/JavaClass/EAServerPackage/EAServerComponent
The syntax for a C++ pseudocomponent is:
pseudo://cpp/SharedLibraryName/EAServerPackage/EAServerComponent
You can also set the authorization service property to the pseudocomponent object URL. For example, you can set the server-level authorization service to:
pseudo://cpp/libAuthorize/Security/RoleService
where libAuthorize is the name of the shared library that contains the C++ Security/RoleService component’s implementation.
Components implemented for pseudocomponent access must be thread-safe. Pseudocomponents cannot be refreshed. You must restart the server to refresh the role service component.
For more information on pseudocomponents, refer to Chapter 34, “Creating and Using EAServer Pseudocomponents,” in the EAServer Programmer’s Guide.
Copyright © 2005. Sybase Inc. All rights reserved.