Security aspects for RMI-IIOP applications are defined by the Common Secure Interoperability V2 Specification. The AS Java Object Request Broker (ORB) implementation fully supports conformance level 0 of this specification. The client-side ORB must also implement this specification so that the client can use the various security functions for executing methods on the remote objects.
You can make use of the following security aspects in your RMI-IIOP applications:
You can require that message transport is conducted over an SSL layer to ensure data integrity and confidentiality. You can also specify the handshake procedure to be used: one- or bi-directional.
You can specify the authentication mechanisms to be used for user authentication and the realm for which the client credentials are valid. The AS Java ORB currently supports authentication by username and password only.
You can specify whether caller identity assertion is supported.
All these security aspects are controlled by the application developer. This means that the developer configures the requirements for the server-side application using the deployment descriptors (in the case of EJB applications), or handles the task programmatically in the code of the remote objects. The client, in turn, uses the appropriate methods provided by the client-side ORB to authenticate itself to the server-side application and gain access to its business methods.
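The following added example (not SAP code and not part of the original page) models the three aspects above as CSIv2 "supports/requires" option sets and reviews a server-side policy for settings that leave the password or an asserted identity unprotected. The option names and bit values follow the CSIv2 specification; the class names, the `lint` function and both sample policies are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntFlag

class Opt(IntFlag):
    """CSIv2 association options (bit values from the specification's IDL)."""
    NONE = 0
    INTEGRITY = 2
    CONFIDENTIALITY = 4
    TRUST_IN_TARGET = 32   # EstablishTrustInTarget: server proves its identity
    TRUST_IN_CLIENT = 64   # EstablishTrustInClient: client proves its identity
    IDENTITY_ASSERTION = 1024

@dataclass(frozen=True)
class Layer:
    supports: Opt = Opt.NONE
    requires: Opt = Opt.NONE

@dataclass(frozen=True)
class Policy:              # hypothetical container, one Layer per aspect
    transport: Layer       # SSL layer, one- or bi-directional handshake
    auth: Layer            # username/password authentication
    attribute: Layer       # caller identity assertion

PROTECTED = Opt.INTEGRITY | Opt.CONFIDENTIALITY

def lint(p: Policy) -> list:
    """Return findings for a server-side policy; an empty list means none."""
    findings = []
    for name in ("transport", "auth", "attribute"):
        layer = getattr(p, name)
        if int(layer.requires) & ~int(layer.supports):
            findings.append(f"{name}: requires an option it does not support")
    if (p.transport.requires & PROTECTED) != PROTECTED:
        findings.append("transport: SSL protection is optional, not required")
        if Opt.TRUST_IN_CLIENT in p.auth.supports:
            findings.append("auth: password may cross an unprotected connection")
    caller_proven = (p.transport.requires | p.auth.requires) & Opt.TRUST_IN_CLIENT
    if Opt.IDENTITY_ASSERTION in p.attribute.supports and not caller_proven:
        findings.append("attribute: asserting caller is never authenticated")
    return findings

# Constructed sample policies: SSL merely offered vs. SSL required.
SSL_ONE_WAY = PROTECTED | Opt.TRUST_IN_TARGET
PASSWORD = Layer(supports=Opt.TRUST_IN_CLIENT, requires=Opt.TRUST_IN_CLIENT)
WEAK = Policy(Layer(supports=SSL_ONE_WAY), PASSWORD, Layer())
HARDENED = Policy(Layer(SSL_ONE_WAY, SSL_ONE_WAY), PASSWORD,
                  Layer(supports=Opt.IDENTITY_ASSERTION))

if __name__ == "__main__":
    print(lint(WEAK), lint(HARDENED))
```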
In order to use security for RMI-IIOP applications, you must first configure your AS Java.