Using CosNaming security
 Technote (FAQ)
 
Problem
More granular security control is needed over CosNaming functions.
 
Solution
CosNaming security offers more granular security control over CosNaming functions. CosNaming functions affect the content of the WebSphere name space. The functions are available on CosNaming servers such as the WebSphere Application Server Advanced Edition administrative server. There are generally two ways in which client programs can make CosNaming calls: through the JNDI interfaces, or by CORBA clients invoking CosNaming methods directly.

Version 4.0 FixPak 2 (4.0.2) introduces four new J2EE roles specifically for CosNaming security. You can manage these roles using the J2EE role administration tools. The roles are:

CosNamingRead
Users assigned the CosNamingRead role can query the WebSphere name space, such as through the JNDI lookup method.
CosNamingWrite
Users assigned the CosNamingWrite role can do write operations such as JNDI bind, rebind, or unbind.
CosNamingCreate
Users assigned the CosNamingCreate role can create new objects in the name space through operations such as JNDI createSubcontext.
CosNamingDelete
Users assigned the CosNamingDelete role can destroy objects in the name space using, for example, the JNDI destroySubcontext method.

Attempts to do CosNaming operations without the proper role assignment result in an org.omg.CORBA.NO_PERMISSION exception from the CosNaming server.

WebSphere administrators must carefully evaluate use of their name space and assign roles accordingly. In most cases, users will need to be able to do JNDI lookups and, as such, administrators will need to assign the CosNamingRead role to the special subjects Everyone or All Authenticated Users. Note that each CosNaming function is assigned to only one role. Therefore, users assigned the CosNamingCreate role will not be able to query the name space unless they are also assigned the CosNamingRead role. In most cases, a creator needs to be assigned three roles: CosNamingRead, CosNamingWrite, and CosNamingCreate.
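The following added example (not from the technote or from IBM) illustrates the one-function-one-role mapping from a client's point of view: it performs the three operations a "creator" needs (createSubcontext, bind, lookup) and, when an operation is refused, reports which CosNaming role the caller lacks. The initial context factory, the bootstrap URL, and the assumption that the server's NO_PERMISSION surfaces either as javax.naming.NoPermissionException or as the root cause of a NamingException are assumptions for this example, so adjust them to your environment.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;

public final class CosNamingRoleCheck {
    // Constructed from the technote: each naming function is authorized by exactly one role.
    static final Map<String, String> ROLE_FOR_OP = new HashMap<>();
    static {
        ROLE_FOR_OP.put("lookup", "CosNamingRead");
        ROLE_FOR_OP.put("bind", "CosNamingWrite");
        ROLE_FOR_OP.put("rebind", "CosNamingWrite");
        ROLE_FOR_OP.put("unbind", "CosNamingWrite");
        ROLE_FOR_OP.put("createSubcontext", "CosNamingCreate");
        ROLE_FOR_OP.put("destroySubcontext", "CosNamingDelete");
    }

    interface NamingAction { void apply() throws NamingException; }

    /** Runs one naming operation; on a permission failure, names the role the caller is missing. */
    static void run(String op, NamingAction action) {
        try {
            action.apply();
            System.out.println(op + ": ok");
        } catch (NamingException e) {
            Throwable root = e.getRootCause();
            // Assumption: the server's org.omg.CORBA.NO_PERMISSION is either mapped to
            // NoPermissionException or kept as the NamingException's root cause.
            boolean denied = e instanceof NoPermissionException
                || (root != null && "org.omg.CORBA.NO_PERMISSION".equals(root.getClass().getName()));
            if (denied) {
                System.out.println(op + ": denied; caller lacks role " + ROLE_FOR_OP.get(op));
            } else {
                System.out.println(op + ": failed for another reason: " + e);
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        // Assumed connection settings; override with -Dprovider.url=iiop://host:port.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.ibm.websphere.naming.WsnInitialContextFactory");
        env.put(Context.PROVIDER_URL, System.getProperty("provider.url", "iiop://localhost:900"));
        Context ctx = new InitialContext(env);
        // A creator's workflow touches three roles: CosNamingCreate, CosNamingWrite, CosNamingRead.
        run("createSubcontext", () -> ctx.createSubcontext("demo"));
        run("bind", () -> ctx.bind("demo/greeting", "hello"));
        run("lookup", () -> ctx.lookup("demo/greeting"));
    }
}
```

A subject holding only CosNamingCreate will see the first operation succeed and the bind and lookup reported as denied, which is the case the paragraph above describes.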

In WebSphere Application Server Advanced Edition, the CosNaming Security function is automatically part of the administrative server. The new roles are administrative roles which can be assigned using the Administrative Roles page of the Security Center. By default, WebSphere grants all roles to the special subject Everyone. It is highly recommended that administrators evaluate their name space usage for security concerns and restrict access if necessary.

In WebSphere Application Server Advanced Single Server Edition, the CosNaming Security function comes in the nssecure.jar installable application. It can be added to any server by installing the nssecure.jar application. As part of the installation, the new roles are available for assignment.
 
 
Historical Number
97809, 97810, 97810.RN

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): HP-UX
Software version: 4.0.2
Software edition:
Reference #: 1050198
IBM Group: Software Group
Modified date: Mar 8, 2002