1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
|
//tabstop=4
//***********************************************************************
// ORBAsec SL3
// ----------------------------------------------------------------------
// Copyright (C) 2001 Adiron, LLC.
// All rights reserved.
// ----------------------------------------------------------------------
// $Id$
//***********************************************************************
#ifndef _SL3CSIArgs_IDL_
#define _SL3CSIArgs_IDL_
#include <SL3/SecurityLevel3.idl>
#include <SL3/Trust.idl>
#include <SL3/UserPassword.idl>
#include <SL3/TransportSecurity.idl>
#include <SL3/SL3AQArgs.idl>
#include <SL3OMG/ATLAS.idl>
#include <SL3/SL3Authorization.idl>
#include <SL3/ATLASCache.idl>
#pragma prefix "adiron.com"
/**
* This module contains structures and a factory interface to
* create tagged argument lists that will be given to the
* args parameter of the SecurityLevel3::CredentialsCurator.
* <p>
* ORBAsec SL3 uses this kind of mechanism because it is the
* easiest way to represent optional arguments.
* <P>
* To alleviate the hassles of dealing with any's and creating
* them, there is a factory retrieved by ORB::resolve_initial_references
* using "SL3:ArgumentFactory". From this object one may create an
* acquisition argument builder. This approach takes most of the work
* out of forming the Credentials acquisition argument.
* The form of the arguments and their requiredness or optionality
* are defined by the specific acquisition mechanisms using them.
*
* The Credentials Acquired with these arguments handle the
* CORBA CSIv2 protocol.
*/
module SL3CSI {
/**
* There is currently only one acquisition method for
* CSI based Credentials.
*/
const SecurityLevel3::AcquisitionMethod AQM_CSIArgs = "CSIArgs";
/**
* An object of this interface is created by the Argument Factory Object.
* It aids in creating the Credentials Acquisition Argument for
* CSI based Credentials.
*/
local interface CSIArgBuilder : SL3AQArgs::GenericArgBuilder {
/**
* This operation explicitly disables caching of ATLAS tokens.
* This is used in the case where CSI credentials are needed
* in order to communicate with an external cache. If cacheing
* were enabled in this case, then there would be a cache for
* the cache, which gets recursively messy.
*/
void addSetNoLocalCache();
/**
* This operation adds an already existing ATLASCache as an
* acquisition argument. This is used in the case where an
* externalized cache is to be used. If a cache is not
* explicitly added to the argument, then a new cache will
* be created by the Credentials Curator.
*/
void addATLASCache(
in ATLASCache::AuthTokenCache cache
);
/**
* This operation places a user defined Password Generator
* in the acquisition argument.
*/
void addUserPasswordCAGenerator(
in UserPassword::PasswordGenerator generator
);
/**
* This operation places a user defined Password Processor
* in the acquisition argument.
*/
void addUserPasswordCAProcessor(
in UserPassword::PasswordProcessor processor
);
/**
* This operation causes the creation credentials that
* have a "quoted" principal. CSI Credentials of this
* type will assert the particular principal name to a server.
*/
void addNamedQuotedPrincipal(
in SecurityLevel3::PrincipalName principal_name
);
/**
* This operation causes the creation credentials that
* have a "quoted" principal. CSI Credentials of this
* type will assert the particular identity to a server.
*/
void addEncodedQuotedPrincipal(
in SecurityLevel3::IdentityStatement identity
);
/**
* This operation places a user defined Trust Decider in
* the acquisition argument.
*/
void addLocalTrustInServerDecider(
in Trust::LocalTrustInServerDecider trust_decider
);
/**
* This operation causes CSI Credentials to be created
* over a particular transport as if you created the
* transport credentials using the
* TransportSecurity::CredentialsCurator and used the
* addUseTransportCredentials operation of this object.
*/
void addTransportCredentialsAQArgs(
in TransportSecurity::MechanismId mechanism_id,
in TransportSecurity::AcquisitionMethod acquisition_method,
in any acquisition_arguments
);
/**
* This operation causes CSI Credentials to be created
* over a particular transport credentials that have
* already been created by using the
* TransportSecurity::CredentialsCurator.
*/
void addUseTransportCredentials(
in TransportSecurity::OwnCredentials credentials
);
/**
* This operation adds an ATLAS to your CSI Credentials.
* ATLAS is the Authorization Token Layer Acquisition Service.
* Each ATLAS represents a specific Authorization context, and
* is used to give your clients the ability to "log" in, and
* present credentials (i.e. an Authorization Token) for which
* to work the requests. It also gives the ability for clients
* to cache the tokens, so performance will be better.
* <p>
* None of the arguments can be null.
* <p>
* The cache_id is the caching Id, according to the ATLAS
* specification which must be unique to this authorization
* context, amongst all other authorization contexts. If you
* do not have a cache id, then this argument should be an
* empty octet sequence.
* <P>
* The token_dispenser is the ATLAS AuthTokenDispenser interface.
* This cannot be a "local" object.
* <p>
* The supports_delegation_by_client and requires_delegation_by_client
* arguments tell the client the way in which it
* will use the ATLAS. This
* information gets put in the ATLAS Profile, which is put
* in the IOR of the objects associated with the credentials.
* <p>
* The token_processor is the "sister" to the ATLAS, as it
* understands the tokens that the ATLAS ships out to clients.
* It is specific to the Authorization context. It may be
* a local object, but also can make remote calls.
*/
void addATLASObject(
in ATLAS::ATLASCacheId cache_id,
in ATLAS::AuthTokenDispenser token_dispenser,
in boolean supports_delegation_by_client,
in boolean requires_delegation_by_client,
in SL3Authorization::TokenProcessor token_processor
);
};
/**
* This interface is a factory for arguments that will
* be in use for ORBAsec credentials acquisition mechanisms.
* It is retrievable off the ORB at "SL3:ArgumentFactory"
*/
local interface ArgumentFactory {
/**
* Creates a new CSI Argument Builder object with the specified
* Credentials usage.
*/
CSIArgBuilder createCSIArgBuilder(
in SecurityLevel3::CredentialsUsage usage
);
/**
* This operation creates a Tagged Argument containing
* an flag that will disable the creation of the default
* ATLASCache.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createSetNoLocalCache();
/**
* This operation creates a Tagged Argument containing
* an ATLASCache implementation to use for caching ATLAS
* tokens.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createATLASCache(
in ATLASCache::AuthTokenCache cache
);
/**
* This operation creates a Tagged Argument containing
* the following information for acquiring CSI credentials.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createUserPasswordCAGenerator(
in UserPassword::PasswordGenerator generator
);
/**
* This operation creates a Tagged Argument containing
* the following information for acquiring CSI credentials.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createUserPasswordCAProcessor(
in UserPassword::PasswordProcessor processor
);
/**
* This operation creates a Tagged Argument containing
* the following information for acquiring CSI credentials.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createKerberosCAGenerator(
);
/**
* This operation creates a Tagged Argument containing
* the following information for acquiring CSI credentials.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createKerberosCAProcessor(
);
/**
* This operation creates a Tagged Argument containing
* the following information for acquiring CSI credentials.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createNamedQuotedPrincipal(
in SecurityLevel3::PrincipalName prin_name
);
/**
* This operation creates a Tagged Argument containing
* the following information for acquiring CSI credentials.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createEncodedQuotedPrincipal(
in SecurityLevel3::IdentityStatement prin_name
);
/**
* This operation creates a Arg_TrustInServerDecider tagged
* argument.
*/
SL3AQArgs::Argument createLocalTrustInServerDecider(
in Trust::LocalTrustInServerDecider trust_decider
);
/**
* This operation creates a Tagged Argument containing
* the following information for acquiring CSI credentials.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createTransportCredentialsAQArgs(
in TransportSecurity::MechanismId mechanism_id,
in TransportSecurity::AcquisitionMethod acquisition_method,
in any acquisition_arguments
);
/**
* This operation creates a Tagged Argument containing
* the following information for acquiring CSI credentials.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createUseTransportCredentials(
in TransportSecurity::OwnCredentials credentials
);
/**
* This operation creates a Tagged Argument containing
* the following information for acquiring CSI credentials.
* <p>
* For a description of the arguments, please see the
* corresponding operation in the CSIArgBuilder.
*
* @see CSIArgBuilder
*/
SL3AQArgs::Argument createATLASObject(
in ATLAS::ATLASCacheId cache_id,
in ATLAS::AuthTokenDispenser token_dispenser,
in boolean supports_endorsement_by_client,
in boolean requires_endorsement_by_client,
in SL3Authorization::TokenProcessor token_processor
);
};
};
#endif
|
