The CORBA Object Browser is an extension to a web browser that can be used to directly invoke methods on CORBA Objects using a specifically designed URI scheme. This poster presents a mechanism for supporting access to CORBA Objects that run on a secure ORB through the CORBA Object Browser. Accessing secure objects through the browser requires the authentication with the remote ORB and may also need secure communication.
CORBA Object Browser, Authentication, CORBA Security.
With the emergence of distributed object technology, there is an increasing agreement that the benefits of distributed object technology should be brought to the world wide web. We presented in [1, 2] an approach for making distributed objects available on the web as a first step toward integrating distributed objects and the web. Our approach is to access the CORBA objects from a browser directly without sending the request to a web server. No CGI wrapping for the CORBA applications is required if a browser can use IIOP to communicate with CORBA ORBs. We have developed a mechanism using which CORBA objects across the Internet can be accessed directly from a web browser without using HTTP for transport. We have designed an Uniform Resource Identifier (URI) scheme that can address CORBA objects [2]. The proposed URI scheme supports embedding method and parameter names and also the values for required parameters in the URL.
Restricting access for certain services to only authorized users is a basic requirement for many services that are accessed through the Internet. Normally, a CORBA object can be accessed by any CORBA client program that can reach the ORB on which the server object is available. CORBA application developers can make use of the CORBA Security Service for restricting access to some or all the objects available on an ORB. The authentication and access control can be managed by the CORBA Security Manager and the objects need not to have code for enabling and managing security for their methods. Objects with similar security requirements can be grouped in the same security domain and they can share the same access control policy [3].
This poster presents a mechanism for incorporating basic authentication feature in the CORBA Object Browser for accessing objects available on the Secure ORBs.
A number of authentication mechanisms are supported in CORBA Security Service [4]. The simplest of these is username-password based authentication. In order to use a protected service, a CORBA client program needs to supply the correct username and password to the principal authenticator object on the server object's ORB. If the authentication is successful, a credential object is created and the reference to that object is returned to the client program. Now the client program can present this credential to access an object on the secure ORB. If this authenticated user is allowed the access to the object and method in question then the secure ORB invokes the request otherwise an exception is raised. An exception is also raised if a secure object is accessed without the authentication step.
To support this authentication mechanisms when the client is a browser, some issues have to be satisfactorily addressed. Key ones ares:
We've developed a proxy server that processes the IIOP requests on behalf of the browser. After receiving an URL, the proxy server works as follows. It parses the URL and extracts various components present in the URL. The proxy server then resolves the object name by querying the CORBA Naming Service, gets the interface information by querying the Interface Repository associated with the object. The interface information is used to verify the method and parameter names given in the URL and also to check whether the values for all the required parameters is given in the URL. The proxy server then generates the CORBA DII request and invokes the requested method on the object. If the proxy server catches the NO_PERMISSION exception then a 401 Authorization Required header is returned to the browser (communication between the browser and the proxy server takes place using HTTP). In this case the browser prompts the user for the username and password, and the information supplied by the user is passed to the proxy server using Authorization header of HTTP. Proxy server extracts the plain text username and password from the HTTP header and uses these values as the parameters of CORBA authentication function. This implementation assumes that the remote Security Service is registered as SecurityManager with the naming service referred in the URL.