Chapter 8 Creating Authentication, Role, and Authorization Service Components
You can install your own component that performs access control based on role membership. The component must implement the CtsSecurity::RoleService IDL interface. Your custom role service evaluates user membership in EAServer roles, so authorization in your application is still dependent on the role names associated with a package, component, method, or Web resource collection. Using a role service eliminates the need to define role memberships in Jaguar Manager. For example, you might code your component to retrieve role membership information from a database.
The role service must be a stateless component that implements the CtsSecurity::RoleService IDL interface:
    interface RoleService {
        boolean isMember(
            in CtsSecurity::SessionInfo sessionInfo,
            in string role);
    };
isMember checks whether the authenticated client is a member of the role. The client's credentials are obtained from sessionInfo. The server first checks if the role is defined in the repository. If the role is defined, then membership checks are performed. If the role is not defined, the server assumes that the user is not a member of the role, and the role service is invoked. The server caches the result from this method and can reuse it for the same client/role combination, provided the internal cache has the relevant information.
For more information, see the generated CtsSecurity::RoleService IDL interface documentation.
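A role service that takes memberships from an external store, as the database case mentioned above suggests. This is an added example, not code from EAServer or its documentation. SessionInfo here is a stand-in interface with an assumed getName() accessor, and DbRoleService and MembershipStore are hypothetical names; a deployed component would implement the generated CtsSecurity RoleService interface instead.

```java
import java.util.Map;
import java.util.Set;

public class DbRoleService {
    // Stand-in for CtsSecurity.SessionInfo (assumption: only a user-name accessor is modelled).
    interface SessionInfo { String getName(); }

    // Hypothetical lookup layer; a real component would query its role table here.
    interface MembershipStore { Set<String> rolesFor(String user) throws Exception; }

    private final MembershipStore store; // shared configuration, no per-client state

    DbRoleService(MembershipStore store) { this.store = store; }

    // Same shape as RoleService::isMember in the IDL: true only on a positive match.
    public boolean isMember(SessionInfo sessionInfo, String role) {
        if (sessionInfo == null || role == null || role.isEmpty()) return false;
        String user = sessionInfo.getName();
        if (user == null || user.isEmpty()) return false;
        try {
            Set<String> roles = store.rolesFor(user);
            return roles != null && roles.contains(role); // exact, case-sensitive match
        } catch (Exception e) {
            return false; // fail closed: a lookup error must never grant a role
        }
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for database rows.
        Map<String, Set<String>> rows = Map.of("alice", Set.of("PayrollAdmin"));
        MembershipStore store = user -> {
            if (user.equals("dbdown")) throw new Exception("connection lost");
            return rows.get(user);
        };
        DbRoleService svc = new DbRoleService(store);
        SessionInfo alice = () -> "alice";
        SessionInfo mallory = () -> "mallory";
        SessionInfo dbdown = () -> "dbdown";
        System.out.println(svc.isMember(alice, "PayrollAdmin"));   // role listed for the user
        System.out.println(svc.isMember(alice, "payrolladmin"));   // role name differs in case
        System.out.println(svc.isMember(mallory, "PayrollAdmin")); // user absent from the store
        System.out.println(svc.isMember(dbdown, "PayrollAdmin"));  // store lookup throws
        System.out.println(svc.isMember(null, "PayrollAdmin"));    // no session information
    }
}
```

Because the server caches the value isMember returns, a membership change in the store is not necessarily seen for a client/role combination the server has already cached.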
Use Jaguar Manager to enable the role service. You can write an implementation of the RoleService interface and configure a server-level role service by setting the com.sybase.jaguar.server.roleservice property to the URL that accesses the component that implements this interface. Set this property using the All Properties tab of the Server Properties window.
There are two accepted forms for the URL:
com.sybase.jaguar.server.roleservice=Security/RoleService, where Security is the name of the package that contains the RoleService component that implements the RoleService interface.
pseudo://java/JavaClass/EAServerPackage/EAServerComponent
pseudo://cpp/SharedLibraryName/EAServerPackage/EAServerComponent
pseudo://cpp/libAuthorize/Security/RoleService
Copyright © 2002 Sybase, Inc. All rights reserved.