[omniORB] omniNames security
Andrea Venturoli
2007-10-10 19:02:52 UTC
Hello.
I've googled around for this, but found no exhaustive thread.
Forgive me if I'm saying something stupid, since I'm quite new to CORBA.

I'm developing a server application using omniORB; on startup this
server publishes its address through omniNames and clients will contact
omniNames to see how they can reach the server. (All quite usual so far :-)

My problem is that I couldn't find any sort of access control in
omniNames, so not only my server, but anyone could publish a (fake)
address and redirect the clients elsewhere!

The ideal situation would be to let omniNames allow read-access to the
world, but write access to localhost only, or set a password/key, but
I'm open to any other means which would let me achieve a secure setup.

Any hint/comment/insight?

bye & Thanks
av.
Andrew Edem
2007-10-10 19:35:20 UTC
Hi Andrea,

Unfortunately CORBA is not designed to provide publicly available
services over the Internet.

It is possible to use SSL with CORBA including client certificates to
limit access to servants from other trusted servants. However, the key
here is 'trusted'. You never want to allow access to your CORBA bus from
any application which is not trusted.

Thus it is important when designing and deploying CORBA-based systems to
ensure that the transport is protected either physically (separate
network) or cryptographically (SSL/VPN/IPsec/firewall) so that only
'trusted' clients can connect.

Hope that helps,


Cheers,
-Andrew
Jason Etheridge
2007-10-11 01:20:01 UTC
Post by Andrea Venturoli
> My problem is that I couldn't find any sort of access control in
> omniNames, so not only my server, but anyone could publish a (fake)
> address and redirect the clients elsewhere!
> The ideal situation would be to let omniNames allow read-access to the
> world, but write access to localhost only, or set a password/key, but
> I'm open to any other means which would let me achieve a secure setup.

Given what you're describing, one solution would be to implement a
very simple CORBA server (let's call it NameLookup) that implements a
subset of CosNaming, where that subset includes the read-only
operations like lookup(). The implementation of those operations would
call through to an omniNames server that runs separately.

You'd then publish the IOR of your NameLookup server to the world,
which people would use as a regular naming service to look up your own
services. Internally, your own services would be talking directly to
the omniNames server to bind their own names; the omniNames server
would have no visibility outside of your local network (i.e., no one
would ever know its IOR).

Using omniORBpy, doing this kind of read-only facade (or anything else
for that matter!) is incredibly easy. :-)
--
Jason Etheridge mailto:***@etheridge.org
Duncan Grisby
2007-10-11 16:37:54 UTC
Post by Andrea Venturoli
> I'm developing a server application using omniORB; on startup this
> server publishes its address through omniNames and clients will contact
> omniNames to see how they can reach the server. (All quite usual so
> far :-)
> My problem is that I couldn't find any sort of access control in
> omniNames, so not only my server, but anyone could publish a (fake)
> address and redirect the clients elsewhere!

The CORBA naming service specification, and hence omniNames, is an
incredibly simple thing. It was never intended to be used in complex
situations, or situations where security is an issue.

Given that it's just a simple mapping from names to objects, it's very
easy to implement your own name mapping server that has whatever access
restrictions are appropriate for your application.

Or, as Jason Etheridge suggested, you could make a simple proxy server
to omniNames that implements the access control you want. You can easily
implement the standard CosNaming interfaces and just throw
CORBA::NO_PERMISSION from any methods that shouldn't be used.

Cheers,

Duncan.
--
-- Duncan Grisby --
-- ***@grisby.org --
-- http://www.grisby.org --
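
Added example, not code from the thread or from the omniORB project: a sketch of the read-only facade discussed in the last two replies, forwarding resolve() to a private omniNames and raising NO_PERMISSION from everything else. The class names, the fake backend with string names, and the stand-ins used when omniORBpy is not installed are assumptions; activating the servant in a POA and publishing its IOR are left out.

```python
try:
    from omniORB import CORBA
    import CosNaming__POA
    Skeleton = CosNaming__POA.NamingContext
    NO_PERMISSION = CORBA.NO_PERMISSION
except ImportError:
    # Stand-ins (assumption) so the access policy below runs without omniORBpy.
    Skeleton = object
    class NO_PERMISSION(Exception):
        pass

NAMING_CONTEXT_ID = "IDL:omg.org/CosNaming/NamingContext:1.0"

class ReadOnlyNamingContext(Skeleton):
    """Facade published to clients; `backend` is the private omniNames root."""

    def __init__(self, backend):
        self._backend = backend

    def resolve(self, name):
        # Read path: forwarded to the private naming service.
        obj = self._backend.resolve(name)
        # Handing out a sub-context would give clients a direct reference to
        # the backend, so only leaf objects are returned.
        if obj is not None and obj._is_a(NAMING_CONTEXT_ID):
            raise NO_PERMISSION()
        return obj

    def _refuse(self, *args):
        # Write path, plus list(), whose iterator would be a backend object.
        raise NO_PERMISSION()

    bind = rebind = bind_context = rebind_context = unbind = _refuse
    new_context = bind_new_context = destroy = list = _refuse

class FakeRef:
    """Constructed stand-in for an object reference."""
    def __init__(self, repo_id):
        self.repo_id = repo_id
    def _is_a(self, repo_id):
        return repo_id == self.repo_id

class FakeBackend:
    """Constructed stand-in for omniNames; names are plain strings here."""
    def __init__(self):
        self.table = {"app/server": FakeRef("IDL:Example/Server:1.0"),
                      "app": FakeRef(NAMING_CONTEXT_ID)}
    def resolve(self, name):
        return self.table[name]
```

The facade only helps if the backend omniNames endpoint is unreachable from clients, since any reference to it that leaks still accepts bind() and rebind().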