
Chapter 2: Securing Component Access

Quality of protection

EAServer Manager allows you to set the quality of protection (QOP) for EAServer packages, components, and methods. QOP establishes a minimum level of encryption and authentication that a client must meet before it can access your business logic. For example, if you do not set a QOP at the package level, all clients can access the package. You can then set a QOP that restricts access to components within that package, and a different QOP that further restricts access to methods within those components.

This chapter discusses setting server-side QOP. For information about configuring client-side QOP, see:

Note: The component’s QOP setting is ignored if the user is the system user; in other words, the user is jagadmin or the component is being called by a service or other component that runs with the system identity.

Naming service support

The client’s QOP, EAServer listener’s security profile, and the package, component, and method QOP work together to establish end-to-end security. To accommodate naming services and reduce connection time, a special CORBA component tag is set in the interoperable object reference (IOR). The naming service sends only profiles with QOPs that match a client’s QOP so that the client tries to access only listeners and packages, components, and methods for which the client has a compatible QOP.

Usage scenarios

Table 2-1 provides a hierarchy of QOP settings. For a given client to access your business logic:

Table 2-1: QOP hierarchy

QOP hierarchy, from weaker to stronger:

  1. syb_osauth
  2. sybpks_domestic_anon
  3. sybpks_simple
  4. sybpks_simple_mutual_auth
  5. sybpks_intl
  6. sybpks_intl_mutual_auth
  7. sybpks_domestic
  8. sybpks_domestic_mutual_auth
  9. sybpks_strong
  10. sybpks_strong_mutual_auth

Some QOP profiles overlap. For example, sybpks_domestic supports both 128-bit encryption and 40-bit encryption. If you use sybpks_domestic as a package QOP, a client QOP of sybpks_intl meets the minimum requirement of 40-bit encryption. sybpks_strong supports only 128-bit encryption and is compatible with only one of the domestic or strong profiles.

For a list of CipherSuites supported by each QOP profile, see Table 13-2.

Figure 2-1 illustrates two clients trying to access component A. A QOP of sybpks_strong is set for the component. To access the component, the client must use a QOP that meets the minimum requirements of the component’s QOP, and communicate with a listener that also meets the minimum requirements of the component’s QOP.

Figure 2-1: QOP usage

In Figure 2-1:

Figure 2-2: QOP-compatible listener

Controlling access to methods

Assuming that a compatible listener is configured on the server, Figure 2-3 illustrates a situation in which the client:

Setting a weaker QOP at the method than the component serves no purpose since the client will already be blocked at the component.

Figure 2-3: Using QOP to limit access to methods

In addition to setting a QOP that establishes minimum encryption requirements, Jaguar provides another QOP, syb_osauth, for operating system authentication. You can set two QOP settings at the package, component, or method level, as long as one of them is syb_osauth:

Note: For syb_osauth to work properly, you must enable operating-system-based authentication server-wide (not at the listener level). If you do not, you cannot load packages, components, or methods that have the syb_osauth QOP set. See “Configuring OS authentication” for information about enabling authentication for your operating system.
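To make the hierarchy concrete, here is an added Python model of the server-side checks this section describes (illustrative code, not part of EAServer or its documentation). It uses only the key sizes the text gives for sybpks_intl, sybpks_domestic and sybpks_strong; treating a *_mutual_auth profile as additionally requiring client authentication, and the user and os_authenticated parameters, are assumptions.

```python
# Key sizes each profile can negotiate, taken from the text above.
PROFILE_KEY_BITS = {
    "sybpks_intl": {40},
    "sybpks_domestic": {40, 128},
    "sybpks_strong": {128},
}
# ASSUMPTION: a *_mutual_auth profile negotiates the same key sizes as its base
# profile and additionally requires the client to authenticate itself.
for _base in list(PROFILE_KEY_BITS):
    PROFILE_KEY_BITS[_base + "_mutual_auth"] = PROFILE_KEY_BITS[_base]


def meets(offered: str, required: str) -> bool:
    """True if the offered profile satisfies the minimum the required one sets."""
    if max(PROFILE_KEY_BITS[offered]) < min(PROFILE_KEY_BITS[required]):
        return False  # cannot reach the required minimum key size
    if required.endswith("_mutual_auth") and not offered.endswith("_mutual_auth"):
        return False  # required profile demands client authentication
    return True


def level_allows(level_qops, client_qop: str, os_authenticated: bool) -> bool:
    """Evaluate the (up to two) QOP settings of one package, component or method."""
    for qop in level_qops:
        if qop == "syb_osauth":  # the second, OS-authentication setting
            if not os_authenticated:
                return False
        elif not meets(client_qop, qop):
            return False
    return True


def authorize(client_qop, listener_qop, package_qops, component_qops, method_qops,
              *, user="guest", os_authenticated=False) -> str:
    """Return "granted", or the name of the first check that denied access.
    Checks run package -> component -> method, so a method QOP weaker than the
    component's never matters: the client is already stopped at the component."""
    if user == "jagadmin":  # system user: QOP settings are ignored (see Note above)
        return "granted"
    levels = (("package", package_qops), ("component", component_qops),
              ("method", method_qops))
    for name, qops in levels:
        if not level_allows(qops, client_qop, os_authenticated):
            return name
        if name == "component":  # the listener must also meet the component's QOP
            if not all(meets(listener_qop, q) for q in qops if q != "syb_osauth"):
                return "listener"
    return "granted"
```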

In Figure 2-4:

Figure 2-4: Using syb_osauth

Steps: Configuring QOP from EAServer Manager

  1. Highlight the package, component, or method for which you want to establish a QOP.

  2. Select File | Package, Component, or Method Properties.

  3. Select the Advanced tab and set:

  4. If the property already exists, you can highlight it and click Modify. Otherwise, click Add.

  5. Enter the appropriate property name in the Property Name field and one (or two if using syb_osauth) of the values from Table 2-1 in the Property Value field.

After configuring QOP, you must either refresh or restart the server for your changes to take effect.

Copyright © 2005. Sybase Inc. All rights reserved.