Authentication process
Authentication is the process of establishing whether a client (a user, a machine or an application) is who it claims to be. This section describes the authentication process between the client and server ORBs. It can be summarized as follows:
- Client ORB calls the connection interceptor to create the connection.
The client ORB invokes the authentication protocol's client connection interceptor, which reads the tagged components in the Interoperable Object Reference (IOR) of the server object being requested. This is how the authentication policy is established. Once the policy has been established, the ORB makes the connection, optionally over SSL with the configured cipher.
- Client ORB calls the request interceptor to get client security information.
Once the connection has been established, the client ORB invokes the client request interceptor, which adds security information beyond what the transport itself established. This may include one of the following:
- A user ID and password token (authenticated by the server)
- An authentication mechanism-specific token (validated by the server)
- An identity assertion token (allows an intermediate to act on behalf of some identity other than itself)
This additional security information is sent with the message in a GIOP service context. Once the client request interceptor has added the service context to the message, the message is sent to the server ORB.
- Server ORB calls the request interceptor to receive the security information, authenticate, and set the received credential.
Upon receiving the message, the server ORB invokes the authentication protocol's server request interceptor, which looks for the service context.
- If a service context is found:
A method on the security server is invoked to validate the client identity. If the identity is valid, a credential is returned. This credential contains additional information about the client retrieved from the configured user registry, and it is used for the authorization process, which determines whether the user is allowed to access an EJB resource.
- If no service context is found:
The server request interceptor looks at the transport connection to see whether a client certificate chain was supplied; this is the case when SSL client authentication is configured between the client and server. If a certificate is found, its distinguished name (DN) is extracted and mapped to an identity in the selected user registry.
  - If the certificate does not map, no credential is created and the request is rejected.
  - If the certificate maps but the presented security information is invalid, the method request is rejected and an exception is sent back with the reply.
  - If the certificate maps but no security information is presented, an unauthenticated credential is created. Only EJB methods with no security roles, or with the special Everyone role, can be accessed with this unauthenticated credential.
- Server ORB calls the request interceptor so that security can send information back to the client with the reply.
When the method invocation completes, the server request interceptor is invoked again to complete the server-side authentication, and a new reply service context is created to inform the client request interceptor of the outcome.
- Client ORB calls the request interceptor so that the client can clean up and set the session status as good or bad.
The client request interceptor receives the reply from the server. The CSIv2 Security Attribute Service (SAS) supports both stateless and stateful security contexts. A stateless context exists only for the duration of the GIOP request that established it. A stateful context endures until it is discarded. If a stateful context is used, only the first request between a client and server needs to carry the full security information; all subsequent method requests send only the unique context ID, and the server looks up the credential stored in its session table.
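The server-side decision tree described in the steps above (service context present or absent, certificate DN mapping, unauthenticated credential, role check, and stateful context IDs looked up in a session table) is easier to follow as code. The following is an added illustration written for this page; it is not WebSphere's or any ORB's code. All class and function names are assumptions, and the registry, DN map and role-to-group mapping are constructed sample data.

```python
# Added illustration of the CSIv2 server request interceptor logic described above.
# Not WebSphere's or any ORB's code; every name is an assumption and the registry
# contents are constructed sample data.
import itertools
from dataclasses import dataclass
from typing import Optional

# Constructed user registry: user ID -> (password, groups); certificate DN -> user ID.
REGISTRY_USERS = {"alice": ("s3cret", {"admins"}), "bob": ("hunter2", {"users"})}
REGISTRY_DN_MAP = {"CN=bob,O=Example": "bob"}
# Constructed EJB security-role to registry-group mapping used by authorization.
ROLE_TO_GROUPS = {"Admin": {"admins"}, "User": {"users", "admins"}}


@dataclass
class ServiceContext:
    kind: str    # "userpass" on a first request, "context_id" on stateful follow-ups
    data: dict


@dataclass
class Request:
    method: str
    required_roles: frozenset
    service_context: Optional[ServiceContext] = None
    client_cert_dn: Optional[str] = None   # set only when SSL client auth supplied a chain


@dataclass
class Credential:
    user: str
    groups: frozenset
    authenticated: bool


@dataclass
class Reply:
    result: str
    context_id: Optional[int] = None       # reply service context, stateful sessions only


class Rejected(Exception):
    """The request is refused and an exception travels back with the reply."""


class ServerRequestInterceptor:
    def __init__(self, stateful: bool = True):
        self.stateful = stateful
        self.session_table = {}            # context ID -> Credential
        self._next_id = itertools.count(1)

    def _validate_with_security_server(self, ctx: ServiceContext) -> Credential:
        """Stand-in for the security server call that turns a token into a credential."""
        if ctx.kind == "userpass":
            entry = REGISTRY_USERS.get(ctx.data.get("user"))
            if entry is None or entry[0] != ctx.data.get("password"):
                raise Rejected("invalid user ID or password")
            return Credential(ctx.data["user"], frozenset(entry[1]), True)
        if ctx.kind == "context_id":
            cred = self.session_table.get(ctx.data.get("id"))
            if cred is None:
                raise Rejected("unknown or discarded context ID")
            return cred
        raise Rejected("unsupported service context %r" % ctx.kind)

    def receive_request(self, req: Request) -> Credential:
        if req.service_context is not None:
            return self._validate_with_security_server(req.service_context)
        if req.client_cert_dn is not None:
            user = REGISTRY_DN_MAP.get(req.client_cert_dn)
            if user is None:
                raise Rejected("client certificate DN does not map to a registry identity")
            return Credential(user, frozenset(REGISTRY_USERS[user][1]), True)
        # Neither service context nor client certificate: unauthenticated credential.
        return Credential("UNAUTHENTICATED", frozenset(), False)

    def send_reply(self, req: Request, cred: Credential) -> Reply:
        """Second interceptor call: on a stateful first request, mint a context ID."""
        ctx_id = None
        is_follow_up = req.service_context is not None and req.service_context.kind == "context_id"
        if self.stateful and cred.authenticated and not is_follow_up:
            ctx_id = next(self._next_id)
            self.session_table[ctx_id] = cred
        return Reply("OK", ctx_id)


def authorize(cred: Credential, required_roles: frozenset) -> bool:
    """EJB authorization: no roles or Everyone admits anyone, else a group must map to a role."""
    if not required_roles or "Everyone" in required_roles:
        return True
    if not cred.authenticated:
        return False
    return any(cred.groups & ROLE_TO_GROUPS.get(role, set()) for role in required_roles)


def invoke(interceptor: ServerRequestInterceptor, req: Request) -> Reply:
    """Full server-side path: receive_request -> authorize -> send_reply."""
    cred = interceptor.receive_request(req)
    if not authorize(cred, req.required_roles):
        raise Rejected("%s is not permitted to call %s" % (cred.user, req.method))
    return interceptor.send_reply(req, cred)


if __name__ == "__main__":
    srv = ServerRequestInterceptor(stateful=True)
    first = Request("deleteAll", frozenset({"Admin"}),
                    ServiceContext("userpass", {"user": "alice", "password": "s3cret"}))
    reply = invoke(srv, first)
    follow_up = Request("deleteAll", frozenset({"Admin"}),
                        ServiceContext("context_id", {"id": reply.context_id}))
    print(invoke(srv, follow_up))   # credential looked up from the session table
```

The `main` walk-through sends a user ID and password once and then replays only the context ID, which is the stateful behaviour described above: the second request carries no password and the server resolves the credential from its session table.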