*/
local interface TargetCredentials : TransportCredentials {
    // NOTE(review): the attributes below carry no documentation in this
    // file. The client_* / target_* naming suggests they describe both
    // ends of the association with the target object; confirm the exact
    // meaning of each against the SL3CM / SL3PM definitions.
    readonly attribute SL3CM::ContextId context_id;
    readonly attribute SL3PM::Principal client_principal;
    readonly attribute SL3PM::StatementList client_supporting_statements;
    readonly attribute SL3PM::ResourceNameList client_restricted_resources;
    readonly attribute SL3PM::Principal target_principal;
    readonly attribute SL3PM::StatementList target_supporting_statements;
    readonly attribute SL3PM::ResourceNameList target_restricted_resources;
    readonly attribute SL3PM::PrinAttributeList environmental_attributes;
    readonly attribute OwnCredentials parent_credentials;
    // Security feature flags of the association. Whether these report the
    // features actually negotiated or merely the ones requested is not
    // stated here -- confirm before relying on them for access decisions.
    readonly attribute boolean client_authentication;
    readonly attribute boolean target_authentication;
    readonly attribute boolean confidentiality;
    readonly attribute boolean integrity;
    // Presumably reflect whether a CD_EmbodyTarget / CD_EndorseTarget
    // directive (see ContextEstablishmentPolicy below) took effect for
    // this association -- confirm.
    readonly attribute boolean target_embodied;
    readonly attribute boolean target_endorsed;
};

//--------------------------------------------------------------------
// Transport Security Credentials Acquisition Mechanism
//
//--------------------------------------------------------------------

/**
 * This type specifies the transport mechanism that is used for
 * acquiring Credentials, such as TCPIP, TLS, SECIOP-Kerberos.
 *
 * NOTE: Currently supported: "TCPIP", "TLS".
 *
 * The typedefs below are kept commented out as a record of the
 * ObjectSecurity removal; the SL3CM-qualified names used elsewhere
 * in this file presumably replace them -- confirm.
 */
// typedef string MechanismId;
// typedef sequence<MechanismId> MechanismList;

/**
 * An object of this interface is created by the CredentialsCurator
 * in managing the acquisition of an OwnCredentials object. The
 * acquisition process, determined by the acquisition method, may
 * be a multistep process.
 */
local interface CredentialsAcquirer {
    /**
     * The mechanism for which these credentials are being
     * acquired, such as "TLS".
     */
    // begin of ObjectSecurity removal
    // readonly attribute SL3CM::MechanismId mechanism_id;

    /**
     * The acquisition_method field contains the acquisition method
     * identifier naming the method by which these credentials
     * are being acquired.
     */
    // readonly attribute SL3CM::AcquisitionMethod acquisition_method;
    // end of ObjectSecurity removal

    /**
     * This call is used to retrieve the acquired OwnCredentials
     * and place the credentials on the curator's own
     * credentials list.
     *
     * @param on_list True if these credentials go on the default
     * list of credentials (the curator's default_creds_list).
     * @return the acquired OwnCredentials.
     */
    OwnCredentials get_credentials(
        in boolean on_list
    );

    /**
     * This operation is used to destroy the object before
     * get_credentials is called, i.e. to abandon an acquisition
     * whose credentials are not going to be retrieved.
     */
    void destroy();
};

/**
 * The CredentialsCurator object is a single object per ORB
 * instance's Transport Security Service. It is retrieved by
 * <p>
 * ORB.resolve_initial_references("TransportSecurity:CredentialsCurator");
 * <p>
 * It has the ability to create
 * CredentialsAcquirers and keeps a list of active default credentials.
 */
local interface CredentialsCurator {
    /**
     * This attribute lists the transport mechanisms that are
     * supported, such as TCPIP, TLS, SECIOP-Kerberos.
     */
    // begin ObjectSecurity removal
    // readonly attribute SL3CM::MechanismList supported_mechanisms;

    /**
     * This operation lists the supported acquisition methods
     * for the particular mechanism.
     */
    // SL3CM::AcquisitionMethodList get_supported_acquisition_methods(
    //     in SL3CM::MechanismId mech_id
    // );
    // end of ObjectSecurity removal

    /**
     * This operation creates a CredentialsAcquirer for a
     * particular supported mechanism and
     * acquisition method, with an "initial" set of arguments.
     * The initial arguments allow for instant reaping of the
     * credentials from the Acquirer should the
     * acquisition status indicate success.
     *
     * @param acquisition_arguments mechanism/method specific arguments
     * (see SL3AQArgs::Argument).
     * @return a new CredentialsAcquirer driving the acquisition.
     */
    // begin of ObjectSecurity change
    CredentialsAcquirer acquire_credentials(
        in SL3AQArgs::Argument acquisition_arguments
    );
    // end of ObjectSecurity change

    /**
     * This is the default list of own credentials. It is the default
     * credentials policy used when an invocation names no credentials
     * (see ContextEstablishmentPolicy).
     */
    readonly attribute OwnCredentialsList default_creds_list;

    /**
     * This operation retrieves the OwnCredentials, if still
     * available, by its credentials identifier.
     *
     * NOTE(review): what happens when the identifier is unknown
     * (nil reference vs. an exception) is not specified here -- confirm.
     *
     * @param creds_id identifier of the own credentials to look up.
     */
    OwnCredentials get_own_credentials(
        in SL3CM::CredentialsId creds_id
    );

    /**
     * This operation removes the own credentials from the
     * default_creds_list. However, it does not release
     * the credentials. A BAD_PARAM exception is thrown
     * if the credentials are not on the default credentials
     * list.
     *
     * @param creds_id identifier of the own credentials to remove.
     */
    void remove_credentials(
        in SL3CM::CredentialsId creds_id
    );

    /**
     * This operation provides management of the own credentials
     * list, since the own credentials list is used as the default
     * credentials policy. It removes the credentials
     * from the default_creds_list, if there, and calls
     * release() on the credentials. A BAD_PARAM exception is
     * thrown if the credentials do not exist.
     *
     * @param creds_id identifier of the own credentials to release.
     */
    void release_credentials(
        in SL3CM::CredentialsId creds_id
    );
};

//--------------------------------------------------------------------
// Transport Security Service ORB Objects
// Retrieved from the ORB by "resolve_initial_references".
//
//--------------------------------------------------------------------

local interface ContextEstablishmentPolicy;
local interface ObjectCredentialsPolicy;

/**
 * The SecurityManager holds TransportSecurity Service information
 * and operations.
 * The SecurityManager object is retrieved by
 * <p>
 * ORB.resolve_initial_references("TransportSecurity:SecurityManager");
 * <p>
 * It holds a pointer to the transport credentials curator and
 * is able to get the transport credentials for a target object.
 */
local interface SecurityManager {
    /**
     * The credentials_curator attribute holds the reference to
     * TransportSecurity's Credentials Curator,
     * which is used to acquire own Credentials.
     */
    readonly attribute CredentialsCurator credentials_curator;

    /**
     * The get_target_credentials operation is used to
     * "discover" the credentials for a target object.
     *
     * NOTE(review): "discover" presumably means reading what the
     * target advertises in its object reference (see
     * create_object_creds_policy below); treat the result as a claim
     * that is only confirmed once a secure context with the target is
     * actually established -- confirm.
     *
     * @param the_object the target object reference.
     */
    TargetCredentials get_target_credentials(
        in Object the_object
    );

    /**
     * The create_context_estab_policy operation
     * is a factory operation that creates the
     * ContextEstablishmentPolicy object. Each parameter maps to the
     * attribute of the same name on the created policy.
     *
     * @param creds_directive how the own credentials are to be used
     * (see the CredsDirective discussion on ContextEstablishmentPolicy).
     * @param creds_list own credentials the invocation is restricted to;
     * empty selects the default.
     * @param use_client_auth directive for client authentication.
     * @param use_target_auth directive for target authentication.
     * @param use_confidentiality directive for confidentiality.
     * @param use_integrity directive for integrity.
     */
    ContextEstablishmentPolicy create_context_estab_policy(
        in SL3CM::CredsDirective creds_directive,
        in OwnCredentialsList creds_list,
        in SL3CM::FeatureDirective use_client_auth,
        in SL3CM::FeatureDirective use_target_auth,
        in SL3CM::FeatureDirective use_confidentiality,
        in SL3CM::FeatureDirective use_integrity
    );

    /**
     * This is a factory operation that creates the
     * ObjectCredentialsPolicy object. ObjectCredentialsPolicy
     * is used during the creation of a Portable Object
     * Adapter (POA) to specify the credentials that are
     * behind objects created by that POA. This allows the
     * Credentials' information to appear in the object
     * reference's IOR.
     *
     * @param creds_list own credentials that accept contexts for
     * objects under the POA.
     */
    ObjectCredentialsPolicy create_object_creds_policy(
        in OwnCredentialsList creds_list
    );
};

/**
 * The SecurityCurrent object holds thread based security information.
 * The SecurityCurrent object is retrieved by
 * <p>
 * ORB.resolve_initial_references("TransportSecurity:SecurityCurrent");
 * <p>
 * It is able to get the ClientCredentials that represents
 * the transport association with the client during a request.
 */
local interface SecurityCurrent {
    /**
     * The client_credentials attribute returns the ClientCredentials
     * that represents the thread's security association with the
     * remote client. If this is a CSIv2 only based request, this
     * attribute will be null. This attribute will also be null if
     * the thread is purely a client thread.
     *
     * Callers must therefore test the reference for nil before
     * using it in any authorization decision.
     */
    readonly attribute ClientCredentials client_credentials;
};

//--------------------------------------------------------------------
// Transport Security Invocation Policy
//
//--------------------------------------------------------------------

/**
 * The ContextEstablishmentPolicyType constant
 * holds the value used to denote the ContextEstablishmentPolicy
 * (a vendor-specific policy type built from ADIRON_VMCID).
 */
const CORBA::PolicyType ContextEstablishmentPolicyType = ADIRON_VMCID | 2001;

/**
 * The ContextEstablishmentPolicy policy object directs the
 * establishment of security contexts with a target.
 * <p>
 * The CredsDirective usage is the following:
 * <dl>
 * <dt>
 * CD_Default
 * <dd>
 * This directive means to use the default set
 * up by the thread, the ORB, the ORB configuration
 * or other policies.
 * <dt>
 * CD_InvokeTarget
 * <dd>
 * This directive means to use the
 * specified OwnCredentials to create a
 * secure association with the target
 * before invocation. Do not endorse or embody the target.
 * Credentials may be IT_Simple, IT_Quoting, or IT_Proxy.
 * <dt>
 * CD_EndorseTarget
 * <dd>
 * This directive means to use the
 * specified OwnCredentials to create a
 * secure association with the target
 * before invocation.
 * The credentials must be
 * IT_Simple, IT_Quoting, or IT_Proxy own credentials
 * that support endorsement.
 * Note, an Initiator Credentials that is an IT_Proxy
 * may have an endorsement statement that not only
 * endorses this immediate client, but may very well
 * apply to the next target.
 * <dt>
 * CD_EmbodyTarget
 * <dd>
 * If possible, give the target the ability to
 * impersonate the client. This is performed using
 * transports that can forward their credentials,
 * giving the target the ability to act on the
 * client's behalf. Alternatively,
 * the authenticator may be able to be passed on.
 * IT_Simple credentials must have, or have the
 * ability to forward, credentials. This is analogous
 * to flipping the DELEGATE bit on GSS-Kerberos Forwardable
 * credentials. IT_Quoting principals means
 * that you can forward the transport credentials,
 * authenticator plus the Quoting statement.
 * IT_Proxy principals means that you can forward
 * the transport credentials, authenticator,
 * and associated proxy statements.
 * Because this directive hands the client's own authority to
 * the target (and, through IT_Proxy statements, possibly to
 * targets beyond it), it should only be selected for targets
 * that are trusted to act for the client.
 * </dl>
 * <p>
 * On using Own Credentials. The creds_list names Own Credentials.
 * Also, they restrict the invocation to use only certain credentials.
 * If the creds_list is empty, then the own credentials for the
 * invocation are selected from a default, which may be
 * set on the thread or the ORB instance.
 */
local interface ContextEstablishmentPolicy : CORBA::Policy {
    /** Own credentials the invocation is restricted to; empty = default. */
    readonly attribute OwnCredentialsList creds_list;
    /** How the own credentials are used (see the CredsDirective table above). */
    readonly attribute SL3CM::CredsDirective creds_directive;
    /** Per-feature directives requested for the association. */
    readonly attribute SL3CM::FeatureDirective use_client_auth;
    readonly attribute SL3CM::FeatureDirective use_target_auth;
    readonly attribute SL3CM::FeatureDirective use_confidentiality;
    readonly attribute SL3CM::FeatureDirective use_integrity;
};

/**
 * This policy is placed on a POA to indicate the own credentials
 * that govern the accepting contexts for objects underneath
 * that POA. The credentials listed here, if they have Accepting
 * capability, are used to create security components in the
 * IOR of the object's reference when created.
 */
local interface ObjectCredentialsPolicy : CORBA::Policy {
    /** Own credentials (with Accepting capability) behind the POA's objects. */
    readonly attribute OwnCredentialsList creds_list;
};

/**
 * The ObjectCredentialsPolicyType constant
 * holds the value used to denote the ObjectCredentialsPolicy
 * (a vendor-specific policy type built from ADIRON_VMCID).
 */
const CORBA::PolicyType ObjectCredentialsPolicyType = ADIRON_VMCID | 2002;
};
#endif