// -*- IDL -*- #ifndef _SECURITY_LEVEL_2_IDL_ #define _SECURITY_LEVEL_2_IDL_ #include #pragma prefix "omg.org" module SecurityLevel2 { # pragma version SecurityLevel2 1.8 // Forward declaration of interfaces local interface PrincipalAuthenticator; local interface Credentials; local interface Current; // Interface PrincipalAuthenticator local interface PrincipalAuthenticator { # pragma version PrincipalAuthenticator 1.8 Security::AuthenticationMethodList get_supported_authen_methods( in Security::MechanismType mechanism ); Security::AuthenticationStatus authenticate ( in Security::AuthenticationMethod method, in Security::MechanismType mechanism, in Security::SecurityName security_name, in any auth_data, in Security::AttributeList privileges, out Credentials creds, out any continuation_data, out any auth_specific_data ); Security::AuthenticationStatus continue_authentication ( in any response_data, in Credentials creds, out any continuation_data, out any auth_specific_data ); }; // Interface Credentials local interface Credentials { # pragma version Credentials 1.8 Credentials copy (); void destroy(); readonly attribute Security::InvocationCredentialsType credentials_type; readonly attribute Security::AuthenticationStatus authentication_state; readonly attribute Security::MechanismType mechanism; attribute Security::AssociationOptions accepting_options_supported; attribute Security::AssociationOptions accepting_options_required; attribute Security::AssociationOptions invocation_options_supported; attribute Security::AssociationOptions invocation_options_required; boolean get_security_feature ( in Security::CommunicationDirection direction, in Security::SecurityFeature feature ); boolean set_attributes ( in Security::AttributeList requested_attributes, out Security::AttributeList actual_attributes ); Security::AttributeList get_attributes ( in Security::AttributeTypeList attributes ); boolean is_valid (out Security::UtcT expiry_time); boolean refresh (in any refresh_data); }; typedef sequence CredentialsList; local interface ReceivedCredentials : Credentials { # pragma version ReceivedCredentials 1.8 readonly attribute Credentials accepting_credentials; readonly attribute Security::AssociationOptions association_options_used; readonly attribute Security::DelegationState delegation_state; readonly attribute Security::DelegationMode delegation_mode; }; local interface TargetCredentials : Credentials { # pragma version TargetCredentials 1.8 readonly attribute Credentials initiating_credentials; readonly attribute Security::AssociationOptions association_options_used; }; // RequiredRights Interface interface RequiredRights { void get_required_rights( in Object obj, in CORBA::Identifier operation_name, in CORBA::RepositoryId interface_name, out Security::RightsList rights, out Security::RightsCombinator rights_combinator ); void set_required_rights( in CORBA::Identifier operation_name, in CORBA::RepositoryId interface_name, in Security::RightsList rights, in Security::RightsCombinator rights_combinator ); }; // interface audit channel local interface AuditChannel { # pragma version AuditChannel 1.8 void audit_write ( in Security::AuditEventType event_type, in CredentialsList creds, in Security::UtcT time, in Security::SelectorValueList descriptors, in any event_specific_data ); readonly attribute Security::AuditChannelId audit_channel_id; }; // interface for Audit Decision local interface AuditDecision { # pragma version AuditDecision 1.8 boolean audit_needed ( in Security::AuditEventType event_type, in Security::SelectorValueList value_list ); readonly attribute AuditChannel audit_channel; }; local interface AccessDecision { # pragma version AccessDecision 1.8 boolean access_allowed ( in SecurityLevel2::CredentialsList cred_list, in Object target, in CORBA::Identifier operation_name, in CORBA::Identifier target_interface_name ); }; // Policy interfaces to control bindings local interface QOPPolicy : CORBA::Policy { # pragma version QOPPolicy 1.8 readonly attribute Security::QOP qop; }; local interface MechanismPolicy : CORBA::Policy { # pragma version MechanismPolicy 1.8 readonly attribute Security::MechanismTypeList mechanisms; }; local interface InvocationCredentialsPolicy : CORBA::Policy { # pragma version InvocationCredentialsPolicy 1.8 readonly attribute CredentialsList creds; }; local interface EstablishTrustPolicy : CORBA::Policy { # pragma version EstablishTrustPolicy 1.8 readonly attribute Security::EstablishTrust trust; }; local interface DelegationDirectivePolicy : CORBA::Policy { # pragma version DelegationDirectivePolicy 1.8 readonly attribute Security::DelegationDirective delegation_directive; }; local interface SecurityManager { # pragma version SecurityManager 1.8 // Process/Capsule/ORB Instance specific operations readonly attribute Security::MechandOptionsList supported_mechanisms; readonly attribute CredentialsList own_credentials; readonly attribute RequiredRights required_rights_object; readonly attribute PrincipalAuthenticator principal_authenticator; readonly attribute AccessDecision access_decision; readonly attribute AuditDecision audit_decision; TargetCredentials get_target_credentials ( in Object obj_ref ); void remove_own_credentials( in Credentials creds ); CORBA::Policy get_security_policy ( in CORBA::PolicyType policy_type ); }; // Interface Current derived from SecurityLevel1::Current providing // additional operations on Current at this security level. // This is implemented by the ORB local interface Current : SecurityLevel1::Current { # pragma version Current 1.8 // Thread specific readonly attribute ReceivedCredentials received_credentials; }; }; #pragma prefix "" module TAO { module SL2 { local interface AccessDecision : SecurityLevel2::AccessDecision { /* TAO-specific access_allowed that works around deficiencies in the SecurityLevel2::AccessDecision::access_allowed() operation. */ // Parameter object_id should be PortableInterceptor::ObjectId, but // using that type would require including the PI_Forward.pidl file. // By using the real type, we can avoid that dependency. boolean access_allowed_ex ( in ::CORBA::ORBid orb_id, in ::CORBA::OctetSeq adapter_id, in ::CORBA::OctetSeq object_id, in ::SecurityLevel2::CredentialsList cred_list, in ::CORBA::Identifier operation_name, in boolean collocation_invocation); /*! Default value returned when a reference is not in the list. */ attribute boolean default_decision; /*! Default value returned when a reference is not in the list and we are handling a collocated invocation. At the moment default_decision is already true the value of this attribute doesn't matter anymore. */ attribute boolean default_collocated_decision; /*! Establish whether a particular object can be accessed via insecure means. */ void add_object (in ::CORBA::ORBid orb_id, in ::CORBA::OctetSeq adapter_id, in ::CORBA::OctetSeq object_id, in boolean allow_insecure_access); void remove_object (in ::CORBA::ORBid orb_id, in ::CORBA::OctetSeq adapter_id, in ::CORBA::OctetSeq object_id); // Should there be some kind of "find" interface? }; }; }; #endif /* _SECURITY_LEVEL_2_IDL_ */