[omniORB] Access control

Renzo Tomaselli renzo.tomaselli@tecnotp.it
Thu Dec 5 18:23:01 2002


Gustavo,
    we planned to add full security to our working platform based on
OmniORB. Because of practical reasons, we didn't even consider the Security
COSS (too complex and convoluted).
Basically, we want to provide authentication/authorization features so that
Sesame appeared the best candidate to borrow ideas from (Kerberos deals with
authentication only). Authentication by the public key version of
Needham-Schroeder, authorization by role-bound privileges to be added to
ticket contexts. The overall layout must be based on PK technology.
Things are even more complicated by partial overlapping between IDL and
ASN.1, so that a mixed approach seems the best. We prefer to design private
things such as tickets in IDL, while certificate management must stay on the
ASN.1 side, just to avoid reinventing the wheel.
The overall design must heavily rely on OmniORB 4.0 interceptors (for
tickets) and transports (for encryption).
We already use a database pair to support the infrastructure: a registry for
configuration/administration purposes (in place of the naming service, quite
insufficient for our goals), and a security db for keeping users,
hierarchical roles, and an ISO-style symbol library.
Encryption is the missing feature - we planned to add it as soon as we move
to 4.0.

Renzo Tomaselli

----- Original Message -----
From: "Gustavo Niemeyer" <niemeyer@conectiva.com>
To: <omniorb-list@omniorb-support.com>
Sent: Thursday, December 05, 2002 4:01 PM
Subject: Re: [omniORB] Access control


> > I believe that many systems out there do that, so I'd like to avoid
> > reinventing the wheel, and perhaps going through the same errors
> > all over again.
>
> Perhaps I'm just plain wrong, and nobody currently uses omniORB for
> anything else than public services, without access control?
>
> --
> Gustavo Niemeyer
>
> [ 2AAC 7928 0FBF 0299 5EB5  60E2 2253 B29A 6664 3A0C ]