Chapter 35 Role and Authorization Service Components

Using role-based access control

You can install your own service component that performs access control based on role membership. The component must implement the CtsSecurity::RoleService IDL interface.

Use Jaguar Manager to install the role service component in the server. Refer to Chapter 33, "Creating Service Components" for information about service components.

Use Jaguar Manager to enable the authorization service. You can write an implementation of the RoleService interface and configure a server-level role service by setting the com.sybase.jaguar.server.roleservice property to the URL that accesses the component that implements this interface. Set this property using the All Properties tab of the Server Properties window.

There are two accepted forms for the URL:

• You can set the URL to the JaguarPackage/JaguarComponent if the component is a Java CORBA, C++ CORBA, Stateless COM or PowerBuilder NVO. The component must be installed in the server.
  For example, to set the role check service, set the server-level property to com.sybase.jaguar.server.roleservice =Security/RoleService where Security is the name of the Jaguar package that contains the RoleService component that implements the RoleService interface.
  
• You can access Java CORBA and C++ CORBA components using the pseudocomponent object URL. The syntax for a Java pseudocomponent is:
  

  pseudo://java/JavaClass/JaguarPackage/JaguarComponent

  
  
  The syntax for a C++ pseudocomponent is:
  
  

  pseudo://cpp/SharedLibraryName/JaguarPackage/JaguarComponent

  
  
  You can also set the authorization service property to the pseudocomponent object URL. For example, you can set the server-level authorization service to:
  
  

   pseudo://cpp/libAuthorize/Security/RoleService 

  
  
  where libAuthorize is the name of the shared library that contains the C++ Security/RoleService component's implementation.
  
  Components implemented for pseudocomponent access must be thread-safe. Pseudocomponents cannot be refreshed. You must restart the Jaguar Server to refresh the role service component.
  
  For more information on Jaguar pseudocomponents, refer to Chapter 34, "Creating and Using Jaguar Pseudocomponents".
  

Usage

                    interface RoleService {
                         boolean isMember(
                              in CtsSecurity::SessionInfo sessionInfo,
                              in string role); 
                     };

isMember checks if the authenticated client is a member of the role. The client's credentials are obtained from sessionInfo. Membership checks are first performed by the server and if the user is not a member of the given role, isMember is invoked. The result from this method is cached by the server, where it can be referenced for the same client/role combination, provided the internal cache has the relevant information.

For more information, see the CtsSecurity::RoleService IDL interface documentation.

Copyright © 2000 Sybase, Inc. All rights reserved.