
Notification Service Security Example: RetrieveChannel

Description

This example demonstrates how the security feature of the Notification Service can be used. The example simulates a real-world situation where only certain privileged users can create notification channels. The example incorporates three security scenarios:

Note: All three example scenarios must be run in the order in which they are listed above.

This example uses a single program, RetrieveChannel.java, which locates an unused event channel and attempts to use it. It takes an optional argument, which it uses as its credential; if no argument is provided, a default credential is used. The program uses two operations on the org.omg.CosNotifyChannelAdmin.EventChannelFactoryOperations interface.

The first, get_event_channel, is used to locate a new unused event channel. The second, create_channel, is used to create a new event channel.

How To Run This Example: Without Access Control

  1. Start the OpenFusion Administration Manager from the <INSTALL_DIR>/bin directory:
    manager
  2. Start the Notification Service.
  3. If using an ORB which requires persistent POAs to be registered before they can be activated, ensure that the OpenFusion.NotificationRetrieveChannel POA is registered.
  4. Run the RetrieveChannel program at the command prompt as follows:
    run com.prismt.cos.CosNotification.examples.Security.RetrieveChannel

    The RetrieveChannel program will attempt to create a new event channel. It will display "Event channel created and returned successfully" upon successful execution of the program.

How To Run This Example: With Access Control Enabled

Securing a single method

  1. Stop the Notification Service.
  2. Select the Notification Service from the Object Hierarchy of the Administration Manager to display the Notification Service properties.
  3. Select the Security tab from the options pane and enable the Security Enabled property by clicking on its check box.
  4. Enter the location of each of the security configuration files in the corresponding entry boxes found under the Security Enabled check box. For this example, the supplied Security example configuration files will be used. Their locations are listed below, where <INSTALL_DIR> is the OpenFusion installation directory.

    XMLGroupPersistence file:<INSTALL_DIR>/examples/config/grouppersistence.xml
    XMLPrincipalPersistence file:<INSTALL_DIR>/examples/config/principalpersistence.xml
    JAASConfigurationFile file:<INSTALL_DIR>/examples/config/jaas_config
    XMLACLPersistence file:<INSTALL_DIR>/examples/config/accessentry.xml
    SecurityCredentialFile file:<INSTALL_DIR>/examples/userdata.xml
    SecurityPropertiesFile file:<INSTALL_DIR>/examples/config/SecurityProperties.xml
  5. Restart the Notification Service.
  6. Right-click on the Notification Singleton found under the Notification Service node and select Notification Service Manager from the pop-up menu.
  7. Under the Notification Service node in the Notification Service Manager, right-click on the Event Channel Factory and select Security Administration Manager.
  8. Expand the instance node found in the Security Administration Manager.
  9. Expand the org.omg.CosNotifyChannelAdmin.EventChannelFactoryOperations interface node in the left pane. This will provide you with a list of operations that are contained within this interface. Click on the create_channel operation. This will display the security principals that are associated with the operation. None should be present at this stage.
  10. Add a new principal called "adminuser" by entering it into the box entitled Enter principal to be added and clicking on Add. This action implies that only subjects with the adminuser principal can access this operation. Any other subjects not containing the principals required by the operation will be denied access.
  11. Click the Security Administration Manager save icon (a floppy disk with the letters SAE) on the toolbar to save the security configuration.
  12. Access the Administration Manager and select the Notification Service and the Security tab. Click the Reload Security Configuration button to ensure the changes are picked up on the server.
  13. Run the RetrieveChannel program at the command prompt as follows:
    run -s com.prismt.cos.CosNotification.examples.Security.RetrieveChannel

    The RetrieveChannel program should attempt to create an event channel. The program successfully locates an unused event channel as we have not secured the get_event_channel method. However, it fails to create a new event channel, displaying the message "Permission not granted to create a channel". This is because we do not have the correct credentials to execute the create_channel method.

  14. Now, rerun the RetrieveChannel program, but this time providing the credential adminuser and the password adminPass.
    run -s com.prismt.cos.CosNotification.examples.Security.RetrieveChannel adminuser adminPass

    The RetrieveChannel program should create a new event channel successfully, displaying the message "Event channel created and returned successfully".

Securing an entire interface

  1. Right-click on the Notification Singleton found under the Notification Service node and select Notification Service Manager from the pop-up menu.
  2. Under the Notification Service node in the Notification Service Manager, right-click on the Event Channel Factory and select Security Administration Manager.
  3. Expand the instance node found in the Security Administration Manager.
  4. Click on the org.omg.CosNotifyChannelAdmin.EventChannelFactoryOperations interface node in the left pane. This will display the security principals that are associated with this interface. None should be present at this stage.
  5. Add a new principal called "rootuser" by entering it into the box entitled Enter principal to be added and clicking on Add. This action implies that only subjects with the rootuser principal can access operations on this interface. Any other subjects not containing the principals required by this interface will be denied access.
  6. Select the create_channel operation, then right-click and select Delete Access Entry. Click OK when asked to confirm deletion.
  7. Click the Security Administration Manager save icon (a floppy disk with the letters SAE) on the toolbar to save the Security configuration.
  8. Access the Administration Manager, select the Notification Service and the Security tab. Click the Reload Security Configuration button to ensure that the changes are picked up on the server.
  9. Run the RetrieveChannel program at the command prompt as follows:
    run -s com.prismt.cos.CosNotification.examples.Security.RetrieveChannel

    The RetrieveChannel program should attempt to create an event channel. However, it should fail and display the message "Permission not granted to retrieve a channel". This is because the correct credentials have not been provided for executing any operation on the org.omg.CosNotifyChannelAdmin.EventChannelFactoryOperations interface, and the program needs this interface both to locate an unused channel and to create a new one.

  10. Now, re-run the RetrieveChannel program, this time providing the credential rootuser and the password rootPass.
    run -s com.prismt.cos.CosNotification.examples.Security.RetrieveChannel rootuser rootPass

    The RetrieveChannel program should create a new event channel successfully and display the message "Event channel created and returned successfully".
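The following is an added model, not OpenFusion's code, of the access-entry evaluation that produces the outcomes of both scenarios above (securing a single method, then securing the whole interface). It assumes, since the page does not say, that an interface-level entry and an operation-level entry both apply when both exist, that an operation with no entry at either level is open, and that the default credential carries neither principal; the ACL dictionaries and subjects are constructed to match the steps on this page.

```python
# Interface the RetrieveChannel program calls (from the page).
INTERFACE = "org.omg.CosNotifyChannelAdmin.EventChannelFactoryOperations"


def is_permitted(acl, subject_principals, interface, operation):
    """Return True if the subject may invoke operation on interface.

    acl maps (interface, operation) -> set of required principals; an
    interface-level entry uses operation=None.  Assumption (not stated on
    the page): both levels apply when both entries exist, and an operation
    with no entry at either level is open, as get_event_channel is in the
    single-method scenario.
    """
    required = set()
    required |= acl.get((interface, None), set())
    required |= acl.get((interface, operation), set())
    return required <= set(subject_principals)


def retrieve_channel(acl, subject_principals):
    """Mirror RetrieveChannel's two calls and the messages the page quotes."""
    if not is_permitted(acl, subject_principals, INTERFACE, "get_event_channel"):
        return "Permission not granted to retrieve a channel"
    if not is_permitted(acl, subject_principals, INTERFACE, "create_channel"):
        return "Permission not granted to create a channel"
    return "Event channel created and returned successfully"


# Scenario one (constructed): only create_channel is secured, requiring adminuser.
ACL_SINGLE_METHOD = {(INTERFACE, "create_channel"): {"adminuser"}}
# Scenario two (constructed): the whole interface requires rootuser and the
# create_channel entry from scenario one has been deleted (step 6).
ACL_WHOLE_INTERFACE = {(INTERFACE, None): {"rootuser"}}
# Assumed default credential: a subject holding neither principal.
DEFAULT_SUBJECT = set()


if __name__ == "__main__":
    print(retrieve_channel(ACL_SINGLE_METHOD, DEFAULT_SUBJECT))
    print(retrieve_channel(ACL_SINGLE_METHOD, {"adminuser"}))
    print(retrieve_channel(ACL_WHOLE_INTERFACE, DEFAULT_SUBJECT))
    print(retrieve_channel(ACL_WHOLE_INTERFACE, {"rootuser"}))
```

Under the stated assumption, leaving the adminuser entry on create_channel in place in scenario two would deny rootuser at create_channel, which is why step 6 deletes that entry before reloading the configuration.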

PrismTech