Problem:
- Product Name: VisiBroker
- Product Version: 5.2 and above
- Product Component: NamingService support library
- Platform: All
- JDK/Compiler: All supported
How to configure NS such that Clients do not need authentication to resolve naming service
More specifically, how to configure the naming service in such a way that "Anonymous" users are able only to "resolve" the naming context, and only the server "Administrator" is able to "bind", "create context", "rebind", etc., i.e. a username/password should be asked for only on the server side and not for the clients. (There will be 1000's of clients spread across the internet and they can't provide authentication information.)
Resolution:
In order for the client to act as an anonymous identity when calling the naming service resolve method, the following 3 changes are needed.
- Remove the authentication requirement on the Naming Service.
In naming.props (the property file used to start the naming service), ensure requireAuthentication is disabled:
#vbroker.naming.security.requireAuthentication=true
This will allow a client to connect to the naming service as anonymous.
- Grant access control in the role-based access control file:
In naming.required_roles, the full content will be as below:
required_roles.Context.bind=Administrator
.........
required_roles.Context.bind_new_context=Administrator
required_roles.Context.list=Administrator
required_roles.Context.destroy=Administrator
required_roles.Context.resolve=
required_roles.all=
This way, only the "modification" methods require the "Administrator" role, while the remaining methods are granted to everyone by default. (Of course, one can further fine-tune the settings for a different level of granularity.)
- In naming_client.props (this is the property file the client uses, not the one the server uses, since the server still needs the Admin identity in order to use the bind method), the full content:
vbroker.security.disable=false
vbroker.security.login=true
#vbroker.security.authentication.callbackHandler=com.borland.security.provider.authn.HostCallbackHandler
#vbroker.security.authentication.config=naming_client.config
Notice that the 3rd and 4th lines are commented out. This way the client does NOT need to provide any login information, i.e. it will act as anonymous automatically. So please start it as follows:
> vbj -DSVCnameroot=NameService -DORBpropStorage=naming_client.props Client
- naming_server.props is created because the server needs the Admin identity in order to use the bind, rebind, new_context, etc. methods.
vbroker.security.disable=false
vbroker.security.login=true
vbroker.security.authentication.callbackHandler=com.borland.security.provider.authn.HostCallbackHandler
vbroker.security.authentication.config=naming_client.config
Now you can start the server as follows:
> vbj -DSVCnameroot=NameService -DORBpropStorage=naming_server.props Server
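Because disabling requireAuthentication leaves every operation without a required role open to anonymous callers, it is worth checking the three files before deployment. The following is an added example, not part of the original article or of VisiBroker: a small Python audit whose function names and sample strings are constructed here, and which assumes a commented-out or missing setting counts as disabled, as the article treats it.

```python
# Added example: audit the property files for the anonymous-resolve policy.
GUARDED_OPS = ("bind", "bind_new_context", "list", "destroy")  # Administrator-only above
LOGIN_KEYS = ("vbroker.security.authentication.callbackHandler",
              "vbroker.security.authentication.config")

def parse_props(text):
    """Return active key=value pairs; '#' lines (disabled settings) are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(naming_props, required_roles, client_props, admin="Administrator"):
    """Return a list of findings; an empty list means the files match the policy."""
    ns, roles, client = map(parse_props, (naming_props, required_roles, client_props))
    findings = []
    # Assumption: a missing or commented-out requireAuthentication counts as disabled.
    if ns.get("vbroker.naming.security.requireAuthentication", "").lower() == "true":
        findings.append("naming.props: requireAuthentication=true blocks anonymous clients")
    for op in GUARDED_OPS:
        if roles.get("required_roles.Context." + op, "") != admin:
            findings.append(f"naming.required_roles: {op} is not restricted to {admin}")
    if roles.get("required_roles.Context.resolve", ""):
        findings.append("naming.required_roles: resolve requires a role")
    for key in LOGIN_KEYS:
        if key in client:
            findings.append(f"naming_client.props: {key} is active, client must log in")
    return findings

# Constructed sample input, modelled on the files shown above.
NAMING = "#vbroker.naming.security.requireAuthentication=true\n"
ROLES = ("required_roles.Context.bind=Administrator\n"
         "required_roles.Context.bind_new_context=Administrator\n"
         "required_roles.Context.list=Administrator\n"
         "required_roles.Context.destroy=Administrator\n"
         "required_roles.Context.resolve=\n"
         "required_roles.all=\n")
CLIENT = ("vbroker.security.disable=false\n"
          "vbroker.security.login=true\n"
          "#vbroker.security.authentication.callbackHandler="
          "com.borland.security.provider.authn.HostCallbackHandler\n"
          "#vbroker.security.authentication.config=naming_client.config\n")

if __name__ == "__main__":
    for finding in audit(NAMING, ROLES, CLIENT) or ["OK: files match the policy"]:
        print(finding)
```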
Old KB# 26693