Chapter 1 Introducing Jaguar CTS
Jaguar CTS provides built-in support for user authentication and authorization. Users are authenticated when a client application creates a proxy or stub object (a connection is made when the application creates the first proxy or stub; other proxies or stubs may use the same connections or allocate new connections as needed). Each component has access control lists that determine which users are allowed to invoke the component; if a user is not authorized to use a component, attempts to create stubs or proxies with that user name fail.
Options for user authentication include:
Jaguar provides a special user name, jagadmin, for the Jaguar Administrator login. Administrator authentication is performed independently of the authentication option you configure. By default, the "jagadmin" user name has no password.
See "Security Configuration" in the Jaguar CTS System Administration Guide for more information on configuring authentication options.
Set the administrator password for new servers Immediately after you create a new server, you must secure access to the server by defining the jagadmin password and configuring the authentication mechanism of your choice. See "Security Configuration" in the Jaguar CTS System Administration Guide for more information.
User-Installed authentication services You can install your own service component to authenticate clients for any Jaguar server. For example, if you require the client user name to match a remote database user name, you can code the component to retrieve the client user name and password and attempt to login to the remote database.
The component must implement the CtsSecurity::AuthService IDL interface as well as the CtsServices::GenericService interface, and you must set the com.sybase.jaguar.server.authservice server property to specify the name of your component (this property must be set using the All Properties tab in the Server Properties dialog box).
This interface contains one method, checkSession. Your code for this method can check the client's user name and password and the status of other authentication checks, that is, whether the client's credentials have passed OS authentication or SSL authentication checks. Your code can perform additional authentication checks and auditing. For more information, see the documentation for the CtsSecurity::AuthService IDL interface.
A sample Java implementation is provided in the Jaguar html/classes/Sample/AuthServiceDemo directory in your Jaguar installation. A sample C++ implementation is available in the sample/AuthServiceDemo subdirectory.
Jaguar's authorization model is based on roles. Roles are defined in Jaguar Manager. Each role can include and exclude specific user names and digital certificates. If you use native operating system authentication, you can also include and exclude operating system group names; all users in the specified group are affected.
Roles are attached to Jaguar packages and components. Attaching a role to a package controls access to all components in the package. In order to use a component, a user must be allowed by both the roles that are attached to the component and the roles that are attached to the package that contains the component.
See "Security Configuration" in the Jaguar CTS System Administration Guide for more information on defining roles.
Intercomponent call authorization using identities You can use identities to restrict intercomponent calls. Identities map logical identity names to a user name, password, and required SSL session characteristics. The identity names are used in the run-as mode settings for components and component methods.
Copyright © 2000 Sybase, Inc. All rights reserved. |