IBM


11.12.3 CORBA naming service users and groups

The J2EE role-based authorization concept has been extended to protect the WebSphere CosNaming service. CosNaming security offers increased granularity of security control over CosNaming functions, which affects the content of the WebSphere name space. There are generally two ways in which client programs will make a CosNaming call. The first is through the JNDI interfaces. The second is CORBA clients invoking CosNaming methods directly.

The authorization policy is only enforced when administrative security is enabled. Before enabling security, you should design your entire security solution. See WAS V6.1 Security Handbook, SG24-6316 for information about designing and implementing WebSphere security.

You can design authorization based on users and groups of users defined in the active user registry. Design the authorization by assigning an authority level to one of the following:

- User

- Group

- ALL_AUTHENTICATED (special subject that acts as a group)

  This means any user who authenticates by entering a valid user ID and password.

- EVERYONE (special subject that acts as a group)

  All users are authorized. No authentication is necessary.

The roles, in order of authority level from low to high, are as follows:

- Users assigned the CosNamingRead role are allowed to do queries of the WebSphere name space, such as through the JNDI lookup method. The special subject EVERYONE is the default policy for this role.

- Users assigned the CosNamingWrite role are allowed to do write operations, such as JNDI bind, rebind, or unbind, plus CosNamingRead operations. The special subject ALL_AUTHENTICATED is the default policy for this role.

- Users assigned the CosNamingCreate role are allowed to create new objects in the name space through such operations as JNDI createSubcontext, plus CosNamingWrite operations. The special subject ALL_AUTHENTICATED is the default policy for this role.

- Users assigned the CosNamingDelete role are able to destroy objects in the name space, for example, using the JNDI destroySubcontext method, as well as CosNamingCreate operations.

By default, you have the following:

- The ALL_AUTHENTICATED group has the following role privileges: CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete.

- The EVERYONE group has CosNamingRead privileges only.
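To make the cumulative role hierarchy and the default policy concrete, the following is an added example in Python (not code from the Redbook or from WebSphere) that models the authorization decision: which JNDI operation needs which role, how the special subjects EVERYONE and ALL_AUTHENTICATED match a caller, and what changes when the default policy is tightened. The HARDENED_POLICY mapping and the naming-admins group are assumptions for illustration only.

```python
# Added model of CosNaming role authorization (not IBM's code). Roles are cumulative
# from low to high; EVERYONE matches any caller, ALL_AUTHENTICATED any caller with a
# valid user ID.
from dataclasses import dataclass
from typing import FrozenSet, Optional

ROLE_RANK = {"CosNamingRead": 0, "CosNamingWrite": 1,
             "CosNamingCreate": 2, "CosNamingDelete": 3}

# JNDI operations named in the text, mapped to the lowest role that allows them.
OPERATION_ROLE = {
    "lookup": "CosNamingRead",
    "bind": "CosNamingWrite", "rebind": "CosNamingWrite", "unbind": "CosNamingWrite",
    "createSubcontext": "CosNamingCreate",
    "destroySubcontext": "CosNamingDelete",
}

# Default policy as stated in the text.
DEFAULT_POLICY = {
    "CosNamingRead": {"EVERYONE", "ALL_AUTHENTICATED"},
    "CosNamingWrite": {"ALL_AUTHENTICATED"},
    "CosNamingCreate": {"ALL_AUTHENTICATED"},
    "CosNamingDelete": {"ALL_AUTHENTICATED"},
}

# Assumed tightened policy (not from the text): no anonymous lookups, and only the
# hypothetical "naming-admins" group may destroy contexts.
HARDENED_POLICY = {**DEFAULT_POLICY,
                   "CosNamingRead": {"ALL_AUTHENTICATED"},
                   "CosNamingDelete": {"naming-admins"}}

@dataclass(frozen=True)
class Caller:
    user: Optional[str]                  # None: the client did not authenticate
    groups: FrozenSet[str] = frozenset()

def subjects_for(caller: Caller) -> set:
    """All subject names a role mapping can match for this caller."""
    subjects = {"EVERYONE"}
    if caller.user is not None:
        subjects |= {"ALL_AUTHENTICATED", caller.user, *caller.groups}
    return subjects

def highest_role(caller: Caller, policy: dict) -> Optional[str]:
    held = [r for r, members in policy.items() if members & subjects_for(caller)]
    return max(held, key=ROLE_RANK.__getitem__) if held else None

def is_permitted(caller: Caller, operation: str, policy=DEFAULT_POLICY) -> bool:
    """True when the caller's highest role ranks at or above the operation's role."""
    top = highest_role(caller, policy)
    return top is not None and ROLE_RANK[top] >= ROLE_RANK[OPERATION_ROLE[operation]]
```

Under the default policy an unauthenticated caller can only look up names, while under the hardened mapping it is refused entirely and only members of the assumed group may destroy contexts.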

Working with the CORBA naming service authorization is straightforward.


Redbooks ibm.com/redbooks
