4 — Operations on the SecurityReplaceable Interface




This chapter describes operations for SecurityReplaceable interfaces:

4.1 Operations on the Vault Interface
4.2 Obtaining a Reference to the Vault Object
4.3 Vault Operations

4.1 Operations on the Vault Interface

You can use the Vault interface to create credentials. This is useful when an application already holds the authentication data needed to authenticate a client, for example a username and password that the client supplied during basic authentication over SSL. The Vault uses this data to generate credentials, which the application can then use for object invocations or for custom access checks.

Unlike the PrincipalAuthenticator::authenticate operation, the Vault does not change the own credentials of the calling process: the Credentials object it returns is a separate object that the application must apply explicitly.

4.2 Obtaining a Reference to the Vault Object

To perform operations on Vault interfaces, the application must first obtain a reference to the Vault object. To do so:

  1. Call resolve_initial_references and pass in the name SecurityVault.

  2. When the object reference is returned, narrow it to the Vault interface (SecurityReplaceable::Vault).

4.3 Vault Operations

NetCrusader/CORBA supports a single operation on the Vault interface:

acquire_credentials

acquire_credentials

The acquire_credentials operation authenticates a principal and creates a Credentials object for it. NetCrusader/CORBA supports Kerberos security and several authentication methods; each method requires a different type of authentication data to be passed in the auth_data parameter.

Syntax

IDL

AuthenticationStatus acquire_credentials(
   in    AuthenticationMethod    method,
   in    MechanismType           mechanism,
   in    SecurityName            security_name,
   in    Opaque                  auth_data,
   in    AttributeList           privileges,
   out   Credentials             creds,
   out   Opaque                  continuation_data,
   out   Opaque                  auth_specific_data
);

Parameters

method
Identifier of the authentication method used. NetCrusader/CORBA supports the following authentication methods:

SecurityExtension::AuthMethodNone
SecurityExtension::AuthMethodKeytab
SecurityExtension::AuthMethodPassword
SecurityExtension::AuthMethodLoginContext

mechanism
Security mechanism to be used to create the credentials. Use SecurityExtension::TAG_KerberosV5_SEC_MECH_TYPE.

security_name
Principal name. Its value depends on the authentication method:

    If method is...                              security_name is...
    SecurityExtension::AuthMethodNone            Null.
    SecurityExtension::AuthMethodKeytab          Principal name to be authenticated.
    SecurityExtension::AuthMethodPassword        Principal name to be authenticated.
    SecurityExtension::AuthMethodLoginContext    Null.

auth_data
Authentication data (not authorization data). This is an opaque value whose content depends on the authentication method in use:

    If method is...                              auth_data is...
    SecurityExtension::AuthMethodNone            Empty.
    SecurityExtension::AuthMethodKeytab          Keytab (key table) file name.
    SecurityExtension::AuthMethodPassword        The password, as a string.
    SecurityExtension::AuthMethodLoginContext    Security server login context (a sec_login_handle_t value).

privileges
Not used.

creds
Reference to the newly-created Credentials object. Unless the return value is SecAuthSuccess, this object is not fully initialized and must not be used.

continuation_data
Not used.

auth_specific_data
Not used.

Return Value

SecAuthSuccess — Authentication was successful. An object reference to the newly-created Credentials object is available in the creds parameter.

SecAuthFailure — Authentication data was inconsistent or erroneous and a Credentials object was not created.

Because continuation_data and auth_specific_data are not used, the operation is expected to complete in a single call and to return one of the two values above; there is no multi-step continuation in which the caller supplies further data.
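The procedure in 4.2 and the acquire_credentials call in 4.3, carried through as one worked example in Java. This is an added example, not code from the NetCrusader/CORBA documentation or product. It assumes the standard OMG IDL-to-Java mapping applied to the CORBA Security IDL (modules Security, SecurityLevel2 and SecurityReplaceable) and to the SecurityExtension module named on this page, so the class names, Holder classes and ".value" constant accessors are derived from that mapping rather than taken from the product; the principal name and keytab path in main are placeholders. It shows the keytab and password methods, and demonstrates the two checks a practitioner wants: narrowing the resolved reference before use, and never letting a Credentials object escape unless the status is SecAuthSuccess.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import org.omg.CORBA.ORB;
import org.omg.CORBA.ORBPackage.InvalidName;

// Assumed stub classes produced by the IDL-to-Java mapping of the CORBA Security IDL.
import Security.AuthenticationStatus;
import Security.OpaqueHolder;
import Security.SecAttribute;
import SecurityLevel2.Credentials;
import SecurityLevel2.CredentialsHolder;
import SecurityReplaceable.Vault;
import SecurityReplaceable.VaultHelper;

public class VaultLogin {

    // Section 4.2: resolve the initial reference "SecurityVault" and narrow it to the
    // Vault interface. narrow() throws BAD_PARAM if the reference is of another type and
    // returns null only for a nil reference, so both cases are caught before any call.
    static Vault findVault(ORB orb) throws InvalidName {
        org.omg.CORBA.Object obj = orb.resolve_initial_references("SecurityVault");
        Vault vault = VaultHelper.narrow(obj);
        if (vault == null) {
            throw new IllegalStateException("SecurityVault resolved to a nil reference");
        }
        return vault;
    }

    // Section 4.3: the common acquire_credentials call. privileges, continuation_data
    // and auth_specific_data are documented as unused, so an empty list and throw-away
    // holders are passed. The Credentials object is handed back only on SecAuthSuccess;
    // on any other status it is not fully initialized and must not reach the caller.
    private static Credentials acquire(Vault vault, int method, String securityName, byte[] authData) {
        CredentialsHolder creds = new CredentialsHolder();
        OpaqueHolder continuation = new OpaqueHolder();
        OpaqueHolder authSpecific = new OpaqueHolder();

        AuthenticationStatus status = vault.acquire_credentials(
            method,
            SecurityExtension.TAG_KerberosV5_SEC_MECH_TYPE.value,   // mechanism
            securityName,                                          // security_name
            authData,                                              // auth_data (Opaque)
            new SecAttribute[0],                                   // privileges: not used
            creds, continuation, authSpecific);

        if (status != AuthenticationStatus.SecAuthSuccess) {
            throw new SecurityException("acquire_credentials for " + securityName
                    + " returned status " + status.value());
        }
        return creds.value;
    }

    // AuthMethodKeytab: security_name is the principal, auth_data is the keytab file name.
    static Credentials acquireFromKeytab(Vault vault, String principal, String keytabPath) {
        return acquire(vault, SecurityExtension.AuthMethodKeytab.value, principal,
                       keytabPath.getBytes(StandardCharsets.UTF_8));
    }

    // AuthMethodPassword: security_name is the principal, auth_data is the password.
    // The password is kept as char[] and byte[] so both copies can be zeroed after the
    // call; a String copy would linger in the heap until garbage-collected.
    static Credentials acquireWithPassword(Vault vault, String principal, char[] password) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] authData = new byte[encoded.remaining()];
        encoded.get(authData);
        try {
            return acquire(vault, SecurityExtension.AuthMethodPassword.value, principal, authData);
        } finally {
            Arrays.fill(authData, (byte) 0);
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        ORB orb = ORB.init(args, null);
        Vault vault = findVault(orb);

        // Placeholder principal and keytab path: assumptions, not values from the page.
        Credentials service = acquireFromKeytab(vault,
                "myservice/host.example.com", "/etc/myservice.keytab");

        // 'service' can now be used for object invocations or custom access checks.
        // The process's own credentials are unchanged by this call.
        System.out.println("credentials acquired: " + (service != null));
    }
}
```

AuthMethodLoginContext is not shown because its auth_data is a sec_login_handle_t obtained from the native security server login API, which has no representation in this Java example; AuthMethodNone is the keytab call with a null security_name and an empty byte array.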




To make comments or ask for help, contact support@gradient.com.

Copyright © 1999 Gradient Technologies, Inc.