Problem
More granular security control is needed over CosNaming functions.
Solution
CosNaming security offers more granular security control over CosNaming
functions. CosNaming functions affect the content of the WebSphere name
space. The functions are available on CosNaming servers such as the
WebSphere Application Server Advanced Edition administrative server. There
are generally two ways in which client programs make CosNaming calls:
through the JNDI interfaces, or by CORBA clients invoking CosNaming methods
directly.
Version 4.0 FixPak 2 (4.0.2) introduces four new J2EE roles specifically
for CosNaming security. You can manage these roles using J2EE role
administration tools. The roles are:
CosNamingRead
Users assigned the CosNamingRead role can query the WebSphere name space,
for example through the JNDI lookup method.
CosNamingWrite
Users assigned the CosNamingWrite role can perform write operations such as
JNDI bind, rebind, or unbind.
CosNamingCreate
Users assigned the CosNamingCreate role can create new objects in the name
space through operations such as JNDI createSubcontext.
CosNamingDelete
Users assigned the CosNamingDelete role can destroy objects in the name
space using, for example, the JNDI destroySubcontext method.
Attempts to perform CosNaming operations without the proper role assignment
result in an org.omg.CORBA.NO_PERMISSION exception from the CosNaming
server.
WebSphere administrators must carefully evaluate use of their name space
and assign roles accordingly. In most cases, users will need to be able to
do JNDI lookups and, as such, administrators will need to assign the
CosNamingRead role to the special subjects Everyone or All Authenticated
Users. Note that each CosNaming function is assigned to only one role.
Therefore, users assigned the CosNamingCreate role will not be able to
query the name space unless they are also assigned the CosNamingRead role.
In most cases, a creator needs to be assigned three roles: CosNamingRead,
CosNamingWrite, and CosNamingCreate.
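The following is an added example, not code from this technote or from WebSphere. It is a small JNDI client that tries one operation per CosNaming role, in the order a creator needs them (Read, then Create, then Write, then Delete), and reports which calls the server refuses with NO_PERMISSION. It assumes the InitialContext environment (initial context factory, provider URL and caller credentials) is supplied by a jndi.properties file or by the container, that the org.omg.CORBA classes are on the classpath (true for a WebSphere client and for JDKs up to 10), and that the scratch subcontext name passed to probe() does not collide with anything real in the name space; none of these are stated on the page.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;

/**
 * Added example (not from the technote): exercise each CosNaming role via
 * JNDI and report which operations are denied. Assumes InitialContext is
 * configured externally and that the scratch name is free (assumptions).
 */
public class CosNamingRoleProbe {

    /** One operation tried: what was called, the role it needs, the outcome. */
    public static final class Probe {
        public final String operation;
        public final String requiredRole;
        public final String outcome;

        Probe(String operation, String requiredRole, String outcome) {
            this.operation = operation;
            this.requiredRole = requiredRole;
            this.outcome = outcome;
        }

        @Override
        public String toString() {
            return operation + " [needs " + requiredRole + "]: " + outcome;
        }
    }

    /** A naming operation to attempt; NamingException is the JNDI failure type. */
    interface NamingOp {
        void run() throws NamingException;
    }

    /**
     * The server raises org.omg.CORBA.NO_PERMISSION for a missing role. The
     * JNDI provider may surface it directly or wrapped in a NamingException
     * (typically NoPermissionException), so walk the cause chain and accept either.
     */
    static boolean isNoPermission(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof org.omg.CORBA.NO_PERMISSION || c instanceof NoPermissionException) {
                return true;
            }
        }
        return false;
    }

    static Probe attempt(String operation, String role, NamingOp op) {
        try {
            op.run();
            return new Probe(operation, role, "allowed");
        } catch (NamingException e) {
            return new Probe(operation, role,
                isNoPermission(e) ? "denied: caller lacks " + role : "failed: " + e);
        } catch (org.omg.CORBA.NO_PERMISSION e) {
            // CORBA system exceptions are unchecked and can escape the JNDI layer unwrapped
            return new Probe(operation, role, "denied: caller lacks " + role);
        }
    }

    /**
     * Runs the four roles in creator order: Read to see the name space, Create
     * to add a subcontext, Write to bind/rebind/unbind inside it, Delete to
     * remove the subcontext again. Each function maps to exactly one role.
     */
    public static List<Probe> probe(Context ctx, String scratch) {
        List<Probe> results = new ArrayList<Probe>();
        results.add(attempt("list(\"\")", "CosNamingRead", () -> {
            NamingEnumeration<?> e = ctx.list("");   // forces a resolve on the server
            e.close();
        }));
        results.add(attempt("createSubcontext", "CosNamingCreate",
            () -> ctx.createSubcontext(scratch)));
        results.add(attempt("bind", "CosNamingWrite",
            () -> ctx.bind(scratch + "/marker", "probe")));
        results.add(attempt("rebind", "CosNamingWrite",
            () -> ctx.rebind(scratch + "/marker", "probe-2")));
        results.add(attempt("unbind", "CosNamingWrite",
            () -> ctx.unbind(scratch + "/marker")));
        results.add(attempt("destroySubcontext", "CosNamingDelete",
            () -> ctx.destroySubcontext(scratch)));
        return results;
    }

    public static void main(String[] args) throws NamingException {
        Context ctx = new InitialContext();
        try {
            for (Probe p : probe(ctx, args.length > 0 ? args[0] : "cosNamingRoleProbe")) {
                System.out.println(p);
            }
        } finally {
            ctx.close();
        }
    }
}
```

Run it once with the credentials of an ordinary application user and once unauthenticated. A user holding only CosNamingRead should see the first line allowed and the rest denied; a user holding CosNamingCreate but not CosNamingRead will fail at the first step, which is the one-function-one-role behaviour the text describes. If every line reports "allowed" for an unauthenticated run, the roles are still at their default assignment to Everyone and have not yet been restricted.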
In WebSphere Application Server Advanced Edition, the CosNaming Security
function is automatically part of the administrative server. The new roles
are administrative roles which can be assigned using the Administrative
Roles page of the Security Center. By default, WebSphere grants all four
roles, including CosNamingWrite, CosNamingCreate, and CosNamingDelete, to
the special subject Everyone, so until the assignments are changed any
client that can reach the administrative server can modify the name space.
It is highly recommended that administrators evaluate their name space
usage for security concerns and restrict access if necessary.
In WebSphere Application Server Advanced Single Server Edition, the
CosNaming Security function comes in the nssecure.jar installable
application. It can be added to any server by installing the nssecure.jar
application. As part of the installation, the new roles are available for
assignment.
Historical Number
97809, 97810, 97810.RN