Chapter 10: Creating and Using Custom Security Components

Using a custom authentication service

You can install your own component to authenticate clients for any EAServer. For example, if you require the client user name to match a remote database user name, you can code the component to retrieve the client user name and password and attempt to log in to the remote database.

The component must implement the CtsSecurity::AuthService IDL interface, and you must set the server property to specify the name of your component (this property must be set using the Advanced tab in the Server Properties dialog).

This interface contains the checkSession method. Your code for this method can check the client’s user name and password and the status of other authentication checks, that is, whether the client’s credentials have passed OS authentication or SSL authentication checks. Your code can also perform additional authentication checks and auditing. For more information, see the documentation for the CtsSecurity::AuthService IDL interface.

A sample Java implementation is provided in the EAServer html/classes/Sample/AuthServiceDemo directory in your EAServer installation. A sample C++ implementation is available in the sample/AuthServiceDemo subdirectory.
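The remote-database scenario described above, as an added illustration (this is not the shipped AuthServiceDemo sample and not Sybase code): the component authenticates the client only if the client's user name and password can log in to the remote database. The EAServer-side names it relies on (the generated CtsSecurity.AuthService Java interface, CtsSecurity.SessionInfo and its getName()/getPassword() accessors) are assumptions to be checked against the CtsSecurity IDL in your installation; the JDBC calls are standard.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/**
 * Custom authentication component for the remote-database scenario.
 * ASSUMED: EAServer maps CtsSecurity::AuthService to the Java interface
 * CtsSecurity.AuthService and CtsSecurity::SessionInfo exposes
 * getName()/getPassword(); verify against the IDL before building.
 */
public class DbLoginAuthService implements CtsSecurity.AuthService {

    // Placeholder; replace with the JDBC URL of the remote database.
    private static final String REMOTE_DB_URL = "jdbc:REMOTE_DB_URL_PLACEHOLDER";
    private static final int LOGIN_TIMEOUT_SECONDS = 5;

    public boolean checkSession(CtsSecurity.SessionInfo session) {
        String user = session.getName();
        String password = session.getPassword();
        // Reject empty credentials here instead of letting the database
        // decide what an anonymous or blank-password login means.
        if (user == null || user.length() == 0 || password == null) {
            audit(user, false, "empty credentials");
            return false;
        }
        return remoteLoginSucceeds(user, password);
    }

    /** A successful JDBC login with the client's credentials authenticates it. */
    static boolean remoteLoginSucceeds(String user, String password) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        DriverManager.setLoginTimeout(LOGIN_TIMEOUT_SECONDS); // bound the check
        Connection conn = null;
        try {
            conn = DriverManager.getConnection(REMOTE_DB_URL, props);
            audit(user, true, "remote login ok");
            return true;
        } catch (SQLException e) {
            // Log the SQLSTATE only; never the password or the driver's text.
            audit(user, false, "remote login failed, SQLSTATE=" + e.getSQLState());
            return false;
        } finally {
            if (conn != null) { try { conn.close(); } catch (SQLException ignore) { } }
        }
    }

    private static void audit(String user, boolean ok, String why) {
        System.out.println("auth user=" + user + " result=" + (ok ? "PASS" : "FAIL") + " " + why);
    }
}
```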

Maintaining authenticated sessions

EAServer provides a mechanism by which applications can extend and maintain the authenticated session beyond the lifetime enforced by EAServer. This mechanism uses the methods CtsSecurity::SessionInfo::setName and CtsSecurity::AuthService::getCallerPrincipal.

If these methods are implemented, then you must also handle the authorization of the user by implementing either a role service or an authorization service. The internal role checking performed by EAServer will not work unless the alternate user name is added to the list of authorized users for the role. Because the alternate user name that is set using the setName API can be dynamic, the role service or authorization service should work in tandem with the authentication service to authorize the user.

CtsSecurity::SessionInfo::setName is a method that can be called only when your custom authentication component is running. When this method is called from the custom authentication component, the server sets the reference to the authenticated security credentials. When the client needs to be authenticated again, the custom authentication component returns the original principal name by calling CtsSecurity::AuthService::getCallerPrincipal(string alternate_name).

The CtsSecurity::SessionInfo::setName method has no effect if clients obtain component instances using CSIv2. If you are using CSIv2, you must use a JAAS module in addition to an authentication or other component. See Chapter 11, “Using the JAAS API” for more information.

For more information, see the documentation for the CtsSecurity::AuthService and CtsSecurity::SessionInfo IDL interfaces.

Retrieving HTTP session information

In a custom authentication component implemented in Java, you can call the method to retrieve the HTTP servlet request (if any) that triggered the authentication event. This method returns null if the authentication event is not associated with an HTTP request (for example, if the authentication is for a component invocation).

Copyright © 2005. Sybase Inc. All rights reserved.