access to server application


on 10.01.2006 17:21:58 by lolek1021

Hi,
I have a system consisting of 3 elements:
- application written in C++ using CORBA API interface working as a
server process on Windows 2003 server,
- CORBA Name Server, working on the same machine,
- clients - applications written in Java working on Windows station in
the internal network of company (they do not have a permanent IP
address);
All these three elements work together in an internal network of big
company.
Clients communicate with server by TCP on a known port.
My problem is that every single host with a client installed on it can
connect to the server and this solution is not safe (because of data
access which can be made on a server).
I need a solution which will have a list of authorized users (login +
password) and only those users will be able to connect to the server.
I thought about solution using IPsec, with filtering IP, but clients do
not have permanent IP. Besides this solution is not good because I want
users to be filtered, not IPs.
Any ideas? Any ready to use software? Any Windows system solutions?
Thx for any idea of solution:)
Lolek1021

Re: access to server application

on 10.01.2006 17:41:31 by Volker Birk

lolek1021@wp.pl wrote:
[CORBA implementation]
> I need a solution which will have a list of authorized users (login +
> password) and only those users will be able to connect to the server.

CORBA does not solve such problems. You have to implement authentication
in your server yourself.

Yours,
VB.
--
A vision statement is, as a rule, aimless babble from a horde of
crackpots out of touch with reality.
Dietz Pröpper in d.a.s.r

Re: access to server application

on 10.01.2006 18:11:47 by lolek1021

Hi,
What I forgot to say: I have ready to use programs and I can't and I
really do not want to make any modifications in them. I rather look
for any:
system solutions (is that possible to ask users for login and password
when they are trying to connect to a specified port)
or other solution which lets me build a kind of proxy authorization.
Thx,
Lolek1021

Re: access to server application

on 10.01.2006 18:18:48 by Volker Birk

lolek1021@wp.pl wrote:
> What I forgot to say: I have ready to use programs and I can't and I
> really do not want to make any modifications in them. I rather look
> for any:
> system solutions (is that possible to ask users for login and password
> when they are trying to connect to a specified port)
> or other solution which lets me build a kind of proxy authorization.

Yes, you should have an IIOP proxy then, which does the authentication.
http://www.google.de/search?q=iiop+proxy+authentication

Yours,
VB.
--
"We already transport the sand with dump trucks. If we also haul the
eggs and the heating oil by dump truck, we can leverage a lot of
synergies in the drivers' department". And the PowerPoints are already
flying... - Holger Marzen on "consultants" in d.a.s.r

Re: access to server application

on 11.01.2006 05:13:15 by Barry Margolin

In article <1136910118.038706.58540@o13g2000cwo.googlegroups.com>,
lolek1021@wp.pl wrote:

> Hi,
> I have a system consisting of 3 elements:
> - application written in C++ using CORBA API interface working as a
> server process on Windows 2003 server,
> - CORBA Name Server, working on the same machine,
> - clients - applications written in Java working on Windows station in
> the internal network of company (they do not have a permanent IP
> address);
> All these three elements work together in an internal network of big
> company.
> Clients communicate with server by TCP on a known port.
> My problem is that every single host with a client installed on it can
> connect to the server and this solution is not safe (because of data
> access which can be made on a server).
> I need a solution which will have a list of authorized users (login +
> password) and only those users will be able to connect to the server.
> I thought about solution using IPsec, with filtering IP, but clients do
> not have permanent IP. Besides this solution is not good because I want
> users to be filtered, not IPs.
> Any ideas? Any ready to use software? Any Windows system solutions?
> Thx for any idea of solution:)
> Lolek1021

Put the server behind a firewall that supports VPNs, and require users
to use a client-to-gateway VPN that performs authentication.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: access to server application

on 11.01.2006 09:17:08 by lassi.hippelainen

Barry Margolin wrote:

> Put the server behind a firewall that supports VPNs, and require users
> to use a client-to-gateway VPN that performs authentication.


IIRC, running CORBA over VPN isn't straightforward. Issues with mutable
fields or something like that. Depends on configuration.

-- Lassi

Re: access to server application

on 12.01.2006 05:04:58 by Barry Margolin

In article <8a3xf.19072$_k2.320874@news2.nokia.com>,
Lassi Hippeläinen wrote:

> Barry Margolin wrote:
>
> > Put the server behind a firewall that supports VPNs, and require users
> > to use a client-to-gateway VPN that performs authentication.
>
>
> IIRC, running CORBA over VPN isn't straightforward. Issues with mutable
> fields or something like that. Depends on configuration.

I don't know much about CORBA, and have no idea what a "mutable field"
is, but a properly implemented VPN should be totally transparent to the
network layer and all the layers above it. VPNs create a virtual
interface that TCP/IP uses just like an ordinary NIC.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: access to server application

on 12.01.2006 15:04:19 by lahippel.at.ieee.org

Barry Margolin wrote:

> In article <8a3xf.19072$_k2.320874@news2.nokia.com>,
> Lassi Hippeläinen wrote:
>
>> Barry Margolin wrote:
>>
>> > Put the server behind a firewall that supports VPNs, and require users
>> > to use a client-to-gateway VPN that performs authentication.
>>
>>
>> IIRC, running CORBA over VPN isn't straightforward. Issues with mutable
>> fields or something like that. Depends on configuration.
>
> I don't know much about CORBA, and have no idea what a "mutable field"
> is, but a properly implemented VPN should be totally transparent to the
> network layer and all the layers above it. VPNs create a virtual
> interface that TCP/IP uses just like an ordinary NIC.

I'm no CORBA expert either, but I seem to remember that in some cases the
intermediate nodes may need to read or even modify some fields in CORBA
messages. In that case you can't use an end-to-end VPN.

If CORBA security were simple, there wouldn't be a huge pile of documents
describing it:
http://www.omg.org/technology/documents/formal/omg_security.htm
Most of it seems to be about authentication and authorisation, not so much
about transport.

-- Lassi