AUTHOR NOTE: Oops! Putting this line in server.policy causes server to fail to start!!
CORBA objects include Java RMI-IIOP and Java IDL or POA-based CORBA objects, excluding EJB modules. By default, authentication is not required for CORBA objects.
To secure CORBA objects:
Once authentication is turned on, all clients will need to authenticate by supplying a user name and password (if using basic authentication) or a certificate (if using SSL mutual authentication).
To turn on authorization for CORBA objects, specify the appropriate security policy in the server’s security configuration file, install_dir/domains/
domain_name/config/server.policy
By default, all users are allowed to access all non-EJB CORBA objects in the server, as specified by the following default grant block:
grant { permission com.sun.enterprise.security.CORBAObjectPermission
“*”, “*”; }
CORBAObjectPermission
is a special Java Permission class that controls which users are allowed to access non-EJB CORBA objects in the server. CORBAObjectPermission
takes two parameters:
*
” is supported, that is, it is not possible to specify a specific CORBA object name.*
” is supported, that is, it is not possible to specify a specific method name.
The general form of a CORBAObjectPermission
grant block is:
grant principal principal-class-name “principal-name” { permission
com.sun.enterprise.security.CORBAObjectPermission “*”, “*”; }
where the principal-class-name is either:
com.sun.enterprise.deployment.PrincipalImpl
(for a single principal)com.sun.enterprise.deployment.Group
(for a named group of principals)Integrity and confidentiality of IIOP messages used in requests and replies during CORBA invocations can be protected by using SSL. By default, the server supports both plain IIOP and IIOP-over-SSL invocations.
iiop-listener
elements in the iiop-service
element in domain.xml
.This ensures that the server will not service plain IIOP invocations. By default, application clients use plain IIOP for making requests if the server supports plain IIOP.
sun-acc.xml
(which is also located in the domain’s config
directory); specifically, the property ssl
with value required
should be added inside the <client-container>
element, as follows:
<client-container>
<property name=”ssl” value=”required”/>
<target-server .... />
</client-container>