1 Reply Latest reply on Jun 11, 2004 10:34 AM by Scott Stark

    IIOP and Security (a follow-up)

    Eugene Ivanov Newbie

      Is there any update on when CSIv2 will be supported in JBoss?
      It seems that JacORB 2.1 already supports it.

      Eugene Ivanov

      --------------ORIGINAL THREAD ----------------

      On Fri, 29 Aug 2003, Francisco Reverbel wrote:

      Interoperable security for EJB invocations is not implemented
      yet. JBoss has security, of course, but not in an interoperable
      (CORBA-compliant) way.

      The CORBA compliant way of securing EJB invocations is based
      on CSIv2 (Common Secure Interoperability version 2), an OMG
      specification that our IIOP engine (JacORB) will support very
      soon. This will make it easy for us to secure EJB invocations
      over IIOP. As Bill said, we are planning to do this for J2EE

      Note, however, that you will need CSIv2 support also at the
      client-side. Not all C++ ORBs support CSIv2. (I know MICO does
      it, other C++ ORBs might support CSIv2 as well.)



      On Fri, 29 Aug 2003, Bill Burke wrote:

      > We don't have this interoperability with CORBA and security at this
      > time. It is one of the things we are planning to implement once Sun
      > grants us the license to certification (we're waiting patiently).
      > You would have to build a bridge until then. Or you could fund
      > Francisco Reverbel to implement it through a JBG support contract.
      > I'll let Francisco chime in with more details.
      > Bill
      > Alexander Titov wrote:
      > > Hello.
      > >
      > > In section 8 (pages 412-413) of the JBoss Administration and
      > > Development Third Edition (3.2.x Series) book it is written, that
      > > "Every secured EJB method invocation,... requires the authentication
      > > and authorization of the caller because security information is
      > > handled as a stateless attribute of the request that must be presented
      > > and validated on each request". Each client-server "invocation
      > > includes the method arguments passed by the client along with the user
      > > identity and credentials from the client-side JAAS login performed..."
      > > earlier.
      > >
      > > Does it mean that the JBoss RMI implementation is proprietary? Where is
      > > it possible to read about these implementation details?
      > >
      > > My problem is the following - I have a CORBA client, which should make
      > > EJB calls to the JBoss container. Definitely I have to secure these
      > > invocations. How should I pack the security information? Are there any
      > > samples of such interoperability?
      > >
      > --
      > ================
      > Bill Burke
      > Chief Architect
      > JBoss Group LLC.
      > ================