Naming service security: CosNaming roles


The J2EE role-based authorization concept has been extended to protect the WebSphere CORBA naming service (CosNaming), increasing the granularity of its security control. This gives WebSphere finer control over client programs that access the contents of the WebSphere name space. Client programs generally make CosNaming calls in one of two ways:

  1. Through the JNDI interfaces
  2. As CORBA clients that invoke CosNaming methods directly

Because some J2EE and thin Java application clients depend on JNDI or CosNaming method calls to work, at least the Cos Naming Read role should be granted to Everyone (this is the default WebSphere setup).

Role            Description

Cos Naming Read
    Users are allowed to perform queries of the WebSphere name space, such as through the JNDI lookup method. The special subject Everyone is the default policy for this role.

Cos Naming Write
    Users are allowed to perform write operations such as JNDI bind, rebind, or unbind, plus Cos Naming Read operations. The special subject AllAuthenticated is the default policy for this role.

Cos Naming Create
    Users are allowed to create new objects in the name space through operations such as JNDI createSubcontext, plus Cos Naming Write operations. The special subject AllAuthenticated is the default policy for this role.

Cos Naming Delete
    Users are allowed to destroy objects in the name space, for example with the JNDI destroySubcontext method, plus Cos Naming Create operations. The special subject AllAuthenticated is the default policy for this role.

The CosNaming roles are effective only when Global Security is enabled.
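The following is an added illustration of the role model described above, not WebSphere code: it models the nested roles (Delete implies Create implies Write implies Read), the default special subjects, and the rule that roles are only enforced when Global Security is on. The mapping of JNDI method names to roles is taken from the table; denying unknown operations is an assumption made here.

```python
from enum import IntEnum

class CosNamingRole(IntEnum):
    # Ordered so that a higher role implies every lower one.
    READ = 1
    WRITE = 2
    CREATE = 3
    DELETE = 4

# Minimum role each JNDI operation needs (from the role table).
REQUIRED_ROLE = {
    "lookup": CosNamingRole.READ,
    "bind": CosNamingRole.WRITE,
    "rebind": CosNamingRole.WRITE,
    "unbind": CosNamingRole.WRITE,
    "createSubcontext": CosNamingRole.CREATE,
    "destroySubcontext": CosNamingRole.DELETE,
}

# Default special-subject policy: Read is open to Everyone,
# the other roles to AllAuthenticated.
DEFAULT_POLICY = {
    CosNamingRole.READ: "Everyone",
    CosNamingRole.WRITE: "AllAuthenticated",
    CosNamingRole.CREATE: "AllAuthenticated",
    CosNamingRole.DELETE: "AllAuthenticated",
}

def holds_role(subject, role, policy=DEFAULT_POLICY):
    """subject = {"authenticated": bool, "roles": set of CosNamingRole}.
    The subject holds `role` if it is granted `role` or any higher role,
    directly or through that role's special subject."""
    for higher in CosNamingRole:
        if higher < role:
            continue
        if higher in subject["roles"]:
            return True
        special = policy.get(higher)
        if special == "Everyone":
            return True
        if special == "AllAuthenticated" and subject["authenticated"]:
            return True
    return False

def is_authorized(operation, subject, global_security=True, policy=DEFAULT_POLICY):
    """Decide whether `operation` is permitted. With Global Security
    disabled the roles are not enforced at all."""
    if not global_security:
        return True
    needed = REQUIRED_ROLE.get(operation)
    if needed is None:
        return False  # assumption: unknown operations are denied (fail closed)
    return holds_role(subject, needed, policy)
```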