OSF DCE Application Development Guide--Core Components
Chapter 26. The Extended Privilege Attribute API
This chapter describes the extended privilege attribute (EPA) API. The EPA facility
addresses the requirements of complex distributed systems by allowing clients and
servers to invoke secure operations via one or more intermediate servers.
In a simple client/server distributed environment, most operations involve two principals:
the initiator of the operation and the target of the operation. The target of the operation
makes authorization decisions based on the identity of the initiator. However, in
distributed object-oriented environments, there is frequently a need for server principals
to perform operations on behalf of a client principal. In these cases, it may not be
enough for authorization decisions to be based simply on the identity of the immediate
caller, since the principal that invokes the operation may not be the principal on whose
behalf the operation is requested.
To handle these cases, the EPA API provides routines that allow principals to operate on
objects on behalf of (as delegates of) an initiating principal. The collection of the
delegation initiator and the intermediaries is referred to as a delegation chain.
Using the EPA API and related sec_login_*() calls, an application may be written that
allows client Principal A to invoke an operation on server Principal C via server
Principal B. The DCE Security Service will know the true initiator of the operation
(Principal A) and can distinguish the delegated operation from the same operation
invoked directly by Principal A.
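The scenario above (Principal A invoking an operation on Principal C directly, and the same operation via Principal B) can be made concrete with a small model of a delegation chain and an authorization check that looks at the whole chain rather than only at the last hop. The following C program is an added illustration, not code from the DCE guide or the DCE libraries: the delegation_chain_t and acl_entry_t types, the sample policy, and the rule that the initiator must hold the permission as initiator and every intermediary must hold it as a delegate are assumptions made for this example, not the behaviour of any DCE ACL manager. It shows why the target needs the true initiator and the list of intermediaries, not just the identity of its caller.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 8

/* Delegation chain: principals[0] is the initiator, the rest are the
 * intermediaries in the order they joined the chain. (Model, not DCE.) */
typedef struct {
    const char *principals[MAX_CHAIN];
    int len;
} delegation_chain_t;

/* One policy entry. as_delegate == false: permission applies when the
 * principal is the initiator; as_delegate == true: permission applies when
 * the principal appears as an intermediary. (Assumed layout.) */
typedef struct {
    const char *principal;
    const char *perm;
    bool as_delegate;
} acl_entry_t;

typedef struct {
    const acl_entry_t *entries;
    int count;
} acl_t;

/* Constructed sample policy: A may read and write directly; B may carry
 * "read" as a delegate but not "write"; X has no entries at all. */
static const acl_entry_t sample_entries[] = {
    { "A", "write", false },
    { "A", "read",  false },
    { "B", "read",  true  },
};
static const acl_t sample_acl = { sample_entries, 3 };

void chain_init(delegation_chain_t *c, const char *initiator) {
    c->principals[0] = initiator;
    c->len = 1;
}

/* Append an intermediary; returns false when the chain is already full. */
bool chain_add_delegate(delegation_chain_t *c, const char *delegate) {
    if (c->len >= MAX_CHAIN) return false;
    c->principals[c->len++] = delegate;
    return true;
}

/* The true initiator, whatever the length of the chain. */
const char *chain_initiator(const delegation_chain_t *c) {
    return c->len > 0 ? c->principals[0] : NULL;
}

static bool acl_grants(const acl_t *acl, const char *principal,
                       const char *perm, bool as_delegate) {
    for (int i = 0; i < acl->count; i++) {
        const acl_entry_t *e = &acl->entries[i];
        if (e->as_delegate == as_delegate &&
            strcmp(e->principal, principal) == 0 &&
            strcmp(e->perm, perm) == 0)
            return true;
    }
    return false;
}

/* Authorization rule assumed for this example: the initiator must hold perm
 * as initiator AND every intermediary must hold perm as a delegate. The same
 * initiator with a different chain can therefore get a different answer. */
bool authorize(const acl_t *acl, const delegation_chain_t *c, const char *perm) {
    if (c->len < 1) return false;
    if (!acl_grants(acl, c->principals[0], perm, false)) return false;
    for (int i = 1; i < c->len; i++)
        if (!acl_grants(acl, c->principals[i], perm, true)) return false;
    return true;
}

/* A invokes directly on the target. */
bool a_direct(const char *perm) {
    delegation_chain_t c;
    chain_init(&c, "A");
    return authorize(&sample_acl, &c, perm);
}

/* A invokes on the target through one intermediary. */
bool a_via(const char *intermediary, const char *perm) {
    delegation_chain_t c;
    chain_init(&c, "A");
    chain_add_delegate(&c, intermediary);
    return authorize(&sample_acl, &c, perm);
}

/* A chain longer than MAX_CHAIN must be rejected, not silently truncated. */
bool chain_overflow_rejected(void) {
    delegation_chain_t c;
    chain_init(&c, "A");
    for (int i = 1; i < MAX_CHAIN; i++)
        if (!chain_add_delegate(&c, "B")) return false;
    return !chain_add_delegate(&c, "B") && strcmp(chain_initiator(&c), "A") == 0;
}

int main(void) {
    printf("A write directly: %s\n", a_direct("write") ? "granted" : "denied");
    printf("A write via B:    %s\n", a_via("B", "write") ? "granted" : "denied");
    printf("A read via B:     %s\n", a_via("B", "read") ? "granted" : "denied");
    printf("A read via X:     %s\n", a_via("X", "read") ? "granted" : "denied");
    return 0;
}
```

The point of the model is the asymmetry it produces: "A writes directly" is granted while "A writes via B" is denied, even though A is the initiator in both cases, because B is not trusted to carry that operation. A target that only saw its immediate caller (B) could not make that distinction, and a target that only saw the initiator (A) would grant both.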
The EPA interface consists of the security credential calls (sec_cred_*()) that extract
privilege attributes and authorization data from an opaque handle to authenticated
credentials. In addition, the following sec_login_*() calls of the login API
are used to establish delegation chains and to perform other delegation-related functions.
• sec_login_become_initiator()
• sec_login_become_delegate()
• sec_login_become_impersonator()
• sec_login_cred_get_delegate()
• sec_login_cred_get_initiator()
• sec_login_cred_initialize_cursor()
124245 Tandem Computers Incorporated 26−1