[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re^2: Security extension: first announcement + RFC
Hi Marcel!
> Some points i did not understand or i am concerned with:
>
> - Which interfaces are on the client side, and which
> are on the server side
Up to now, none of them. But it's conceivable to locate them on client
side, too.
Client side doesn't mean client-idl! Instead it's an api in the clients
helper classes.
E.g. in case of private/public-key, it would be possible to use the same
plugin in the
server and the client. Sure, it's up to the programmer to keep it
symmetrical.
> - Language neutral setup (what about a Python or a C++ client)
> How would xmlBlaster.idl look like after the changes?
module serverIdl
{
// ...
module authenticateIdl
{
interface AuthServer
{
// DEPRECATED
�serverIdl::Server login(in string loginName, in string passwd,
in serverIdl::XmlType qosClient)
raises (serverIdl::XmlBlasterException);
/**
* The successor of login
* at param qos The well known qos with additional information like:
* username, passwords, tickets, keys, certificates...
* ...
*/
serverIdl::Server init(in serverIdl::XmlType qos)
raises (serverIdl::XmlBlasterException);
// DEPRECATED
void logout(in serverIdl::Server xmlBlaster) raises
(serverIdl::XmlBlasterException);
/**
* The successor of login
* at param xmlBlaster
* at param qos Security information which show the clients
identity, because the client
* doesn't want to be disconnected by anyone else.
*/
void disconnect(in serverIdl::Server xmlBlaster, in
serverIdl::XmlType qos)
raises (serverIdl::XmlBlasterException);
/**
* NEW
* Returns information about the used plugin and its requirements
(password, certificates ...)
* Example:
* <plugin type="KERBEROS" version="4"></plugin>
* or
* <plugin type="PUBKEY"><KEY type="IDEA"
length="1024"/></plugin>
*/
serverIdl::XmlType getPluginInfo();
};
};
> - Extensible (generic interfaces) to allow future
> extensions without braking the contract of older
> clients with xmlBlaster
To be able to use older clients, the previous as deprecated marked are
not eliminated. Instead,
they must be wrapped to a standard plugin for user/password
authentication with no crypto extensions.
Using the new approach, the client has to ask which plugin is used by
the server ...
Changing the plugin may cause difficulties. Example: If the client has
been written for a username/passwd authentication a change to kerberos
will not work. -> No access for the client.
> - Simple approach (as simple as possible - but not simpler)
Yepp. A more generic approach would have been GSS etc., but they are -in
my opinion- to komplex.
This seems to be the best compromise.
> Can you provide a code snippet how a client would
> access xmlBlaster with a simple login name/password approach
> and as another example using public/private keys?
Okay, I will supply them later ...
cu,
Wolfgangbegin:vcard
n:Kleinertz;Wolfgang
x-mozilla-html:FALSE
url:www.doubleSlash.de
org:doubleSlash Net-Business GmbH
adr:;;Müllerstraße 12/1 ;Friedrichshafen;Baden-Württemberg;88045;Deutschland
version:2.1
email;internet:Wolfgang.Kleinertz at doubleSlash.de
x-mozilla-cpt:;-3360
fn:Wolfgang Kleinertz
end:vcard