Bug 1157 - User not able to specify no authentication on a per object basis.
Summary: User not able to specify no authentication on a per object basis.
Status: ASSIGNED
Alias: None
Product: TAO
Classification: Unclassified
Component: SSLIOP Pluggable Protocol (show other bugs)
Version: 1.2.1
Hardware: All All
: P3 normal
Assignee: cleeland
URL:
Depends on:
Blocks:
 
Reported: 2002-02-27 16:59 CST by Tom Venturella
Modified: 2007-03-27 12:26 CDT (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tom Venturella 2002-02-27 16:59:51 CST
If a user specifies -SSLAuthenticate SERVER_AND_CLIENT, they cannot override 
this to no authentication on a per object basis.
Comment 1 Ossama Othman 2002-03-07 12:08:01 CST
I guess that this is mine.
Comment 2 Johnny Willemsen 2007-03-27 09:03:11 CDT
Steve, can this be rechecked by OCI, the report is about 1.2.1 which is ancient
Comment 3 Steve Totten 2007-03-27 09:36:15 CDT
Chris, when you have a chance, would you confirm whether or not this problem has
been fixed?
Comment 4 Johnny Willemsen 2007-03-27 09:38:56 CDT
If this hasn't been fixed, can then a regression be delivered? That way it is
much easier to see that this is broken, and when someone has time to work on the
fix, we can clearly see if things are working again
Comment 5 Chris Cleeland 2007-03-27 10:31:03 CDT
I will simply have to take some guesses as to what the original report means.  At first glance, it appears 
that this might mean that, if SERVER_AND_CLIENT is specified as the SSL authentication method, then 
there is some kind of failure if one tries to perform a set_policy_overrides() on the Quality of Protection for 
an individual Object Reference

I will try to look at it in my spare time and either come up with a variant of an existing test or a completely 
new test.
Comment 6 Chris Cleeland 2007-03-27 12:26:46 CDT
Spent a little more time looking at this and discussing, and the original report is ambiguous as to 
whether it's talking about the problem occurring from the server or from the client's perspective (or 
both).

It looks like what it wants is to be able to have SERVER_AND_CLIENT specified in the .conf, but then be 
able to get the equivalent of authenticate=NONE on a per-object basis.  Authentication is different from 
QoP, so I think we're talking about tweaking policies related to the Security::EstablishTrust policy.

It doesn't look like there's a test for this in the DOC repo, although there is an example created for the 
TAO Developer's Guide: Security/PolicyControllingApp.  We might be able to massage that example into 
a test.

The only problem I can foresee is that a lot of the SecurityLevel1 and SecurityLevel2 code has been 
foresaken in favor of SecurityLevel3.  But, the SecurityLevel3 implementation isn't as complete as the 
SecurityLevel1/2 code was.

It will take some time to figure out what to do, exactly.