Using a custom authentication service  Using a custom authorization service

Chapter 10: Creating and Using Custom Security Components

Using a custom role service

You can install your own component that performs access control based on role membership. The component must implement the CtsSecurity::RoleService IDL interface. Your custom role service evaluates user membership in EAServer roles, so authorization in your application is still dependent on the role names associated with a package, component, method, or Web resource collection. Using a role service eliminates the need to define role memberships in EAServer Manager. For example, you might code your component to retrieve role membership information from a database.

Creating a role service

The role service must be a stateless component that implements the CtsSecurity::RoleService IDL interface:

                    interface RoleService {
                         boolean isMember(
                              in CtsSecurity::SessionInfo sessionInfo,
                              in string role); 

isMember checks if the authenticated client is a member of the role. The client’s credentials are obtained from sessionInfo. The server first checks if the role is defined in the repository. If the role is defined, then membership checks are performed. If the role is not defined, the server assumes that the user is not a member of the role, and the role service is invoked. The result from this method is cached by the server, where it can be referenced for the same client/role combination, provided the internal cache has the relevant information.

For more information, see the generated CtsSecurity::RoleService IDL interface documentation.

Installing the role service

Use EAServer Manager to enable the role service. You can write an implementation of the RoleService interface and configure a server-level role service by setting the property to the URL that accesses the component that implements this interface. Set this property using the Advanced tab of the Server Properties window.

There are two accepted forms for the URL:

Copyright © 2005. Sybase Inc. All rights reserved. Using a custom authorization service