xrootd
XrdSecService Class Reference (abstract)

#include <XrdSecInterface.hh>

Inheritance diagram for XrdSecService: XrdSecServer derives from XrdSecService (graph image not reproduced).

Public Member Functions

virtual const char * getParms (int &size, XrdNetAddrInfo *endPoint=0)=0
 
virtual XrdSecProtocol * getProtocol (const char *host, XrdNetAddrInfo &endPoint, const XrdSecCredentials *cred, XrdOucErrInfo &einfo)=0
 
virtual bool PostProcess (XrdSecEntity &entity, XrdOucErrInfo &einfo)
 
virtual const char * protTLS ()=0
 
 XrdSecService ()
 Constructor.
 
virtual ~XrdSecService ()
 Destructor.
 

Detailed Description

Example (the extern "C" XrdSecGetProtocol entry point that an authentication plugin exports, tagged with XrdVERSIONINFO):

#include "XrdVersion.hh"
XrdVERSIONINFO(XrdSecGetProtocol,<name>);

extern "C" XrdSecProtocol *XrdSecGetProtocol
                                    (const char             *hostname,
                                           XrdNetAddrInfo   &endPoint,
                                           XrdSecParameters &sectoken,
                                           XrdOucErrInfo    *einfo=0)
                                    {....}

The XrdSecGetProtection function returns a protection object that secures an XRootD request stream against injection attacks. An object is returned when the response to the kXR_protocol request indicates that the server requires the client to secure the connection. The protection is derived from the authentication method that was used, so authentication must complete before a protection object can be obtained; a protection object is usually requested right after authentication. The function description is

Parameters
protP  Where the pointer to the protection object is to be placed (see the declaration below).
aprot  The authentication protocol used to protect requests. It must be supplied and must be the protocol the client used for authentication. Hence, authentication must occur first.
presp  The protocol value returned in response to kXR_protocol. The value must be in host byte order.
Returns
>0  A protection object was obtained and its pointer placed in protP.
<0  An error occurred getting the protection object; the return value is -errno and protP has been set to zero.
=0  No protection is needed; protP is set to zero.

Simply declare the following in the place where this is called:

extern int XrdSecGetProtection(XrdSecProtect *&protP, XrdSecProtocol &aprot, kXR_int32 presp);

The XrdSecService object is the object that the server uses to obtain the parameters passed to the client on initial contact and to create the appropriate protocol on initial receipt of the client's credentials. Server-side processing is a bit more complicated than the client side because the set of valid protocols needs to be configured, and that configuration needs to be supplied to the client so that both can agree on a compatible protocol. This object is created via a call to XrdSecgetService, defined later on. You may replace the default implementation by defining a plugin via the seclib directive.

Warning: The XrdSecService object as well as any objects returned by it should be MT-safe.
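The following is an added example, not XRootD code: a toy server-side service that implements the four hooks documented on this page (getParms, getProtocol, PostProcess, protTLS) together with the handshake a server drives through them, so the effect of each return value (null parameters, null protocol, a false PostProcess) is visible end to end. The XRootD headers are not included; every type below is a simplified stand-in for the XRootD class it is named after, and the "&P=" parameter layout, the 127.0.0.1 exemption, the naming policy in PostProcess and the refusal of TLS-only protocols on a plain link inside getProtocol are all assumptions of this example (this page only says that protTLS advertises such protocols, not where they are enforced).

```cpp
// Added example, not XRootD code: a toy server-side security service with the
// four XrdSecService hooks, and the handshake a server drives through them.
// The XRootD headers are not included; each type below is a simplified
// stand-in (an assumption of this example) for the XRootD class it is named after.
#include <cerrno>
#include <set>
#include <string>
#include <utility>

struct NetAddrInfo {                  // stand-in for XrdNetAddrInfo
    std::string host;                 // resolved name, empty under nodnr
    std::string ip;                   // address as text
    bool        tls;                  // assumption: link is TLS-protected
};
struct ErrInfo {                      // stand-in for XrdOucErrInfo
    int         code = 0;
    std::string text;
    void set(int c, const std::string &t) { code = c; text = t; }
};
struct Credentials {                  // stand-in for XrdSecCredentials
    std::string protocol;             // e.g. "host", "unix", "ztn"
    std::string principal;            // toy payload: the claimed identity
};
struct Entity {                       // stand-in for XrdSecEntity
    std::string prot, name;
};
struct Protocol {                     // stand-in for XrdSecProtocol
    std::string name;
    explicit Protocol(std::string n) : name(std::move(n)) {}
    // Toy check: "host" authenticates by address alone; every other protocol
    // accepts a non-empty principal. A real protocol verifies the credential.
    int Authenticate(const Credentials *cred, Entity &e, ErrInfo &einfo) {
        e.prot = name;
        if (name == "host") return 0;
        if (!cred || cred->principal.empty()) { einfo.set(EACCES, name + ": empty credential"); return -1; }
        e.name = cred->principal;
        return 0;
    }
};

class DemoSecService {                // the four hooks of XrdSecService
    std::set<std::string> enabled, tlsOnly;
    std::string parms, tlsList;
public:
    DemoSecService(std::set<std::string> en, std::set<std::string> tl)
        : enabled(std::move(en)), tlsOnly(std::move(tl)) {
        // Parameter string sent on first contact; the "&P=" layout is invented
        // for this example and is not XRootD's real token format.
        for (const auto &p : enabled) parms += "&P=" + p;
        for (const auto &p : tlsOnly) tlsList += (tlsList.empty() ? "" : ",") + p;
    }
    // Null return with size 0 means the client need not authenticate.
    const char *getParms(int &size, NetAddrInfo *endPoint = 0) {
        if (endPoint && endPoint->ip == "127.0.0.1") { size = 0; return 0; }   // assumed exemption
        size = (int)parms.size();
        return parms.c_str();
    }
    // No credentials: fall back to the host protocol if it is enabled.
    Protocol *getProtocol(const char *host, NetAddrInfo &endPoint, const Credentials *cred, ErrInfo &einfo) {
        std::string want = cred ? cred->protocol : "host";
        if (!enabled.count(want)) { einfo.set(EPROTONOSUPPORT, want + " not enabled for " + host); return 0; }
        if (tlsOnly.count(want) && !endPoint.tls) { einfo.set(EPROTO, want + " requires TLS"); return 0; }
        return new Protocol(want);
    }
    // Assumed site policy: anything but host auth must yield a named entity.
    bool PostProcess(Entity &e, ErrInfo &einfo) {
        if (e.prot != "host" && e.name.empty()) { einfo.set(EACCES, "authenticated entity has no name"); return false; }
        return true;
    }
    const char *protTLS() { return tlsList.empty() ? 0 : tlsList.c_str(); }
};

// Server sequence: parms on first contact, protocol from the credentials,
// Authenticate, then PostProcess. Returns 0 on success, -1 with einfo set.
int serverHandshake(DemoSecService &svc, NetAddrInfo &ep, const Credentials *cred, Entity &e, ErrInfo &einfo) {
    int size = 0;
    if (!svc.getParms(size, &ep)) { e.prot = "none"; return 0; }     // exempt client
    const char *host = ep.host.empty() ? ep.ip.c_str() : ep.host.c_str();   // nodnr: IP as text
    Protocol *p = svc.getProtocol(host, ep, cred, einfo);
    if (!p) return -1;
    int rc = p->Authenticate(cred, e, einfo);
    delete p;
    if (rc) return -1;
    return svc.PostProcess(e, einfo) ? 0 : -1;
}

int main() {
    DemoSecService svc({"host", "unix", "ztn"}, {"ztn"});
    NetAddrInfo ep{"client.example", "192.0.2.10", false};
    Credentials cred{"ztn", "alice"};
    Entity e; ErrInfo ei;
    int rc = serverHandshake(svc, ep, &cred, e, ei);   // ztn on a plain link is refused
    return (rc == -1 && ei.code == EPROTO) ? 0 : 1;
}
```

The point of the handshake function is the ordering the page describes: the parameters go out first, the protocol is chosen only once credentials (or their absence) are in hand, and PostProcess runs last and can still fail the authentication after the protocol itself succeeded. A real XrdSecService must also be MT-safe, as the warning above says; this toy keeps no per-call mutable state for that reason.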

Constructor & Destructor Documentation

◆ XrdSecService()

XrdSecService::XrdSecService ( )
inline

Constructor.

◆ ~XrdSecService()

virtual XrdSecService::~XrdSecService ( )
inlinevirtual

Destructor.

Member Function Documentation

◆ getParms()

virtual const char * XrdSecService::getParms ( int &  size,
XrdNetAddrInfo *  endPoint = 0 
)
pure virtual

Obtain security parameters to be sent to the client upon initial contact.

Parameters
size  Where the length of the returned parameters is to be placed.
endPoint  The client's address information. It may be a null pointer if the client's host is immaterial.
Returns
EITHER the address of the parameter string (which may be host-specific if endPoint was supplied); the length of the string must be returned in the size parameter. OR a null pointer if authentication need not occur for this client; the size parameter should be set to zero as well.

Implemented in XrdSecServer.

◆ getProtocol()

virtual XrdSecProtocol * XrdSecService::getProtocol ( const char *  host,
XrdNetAddrInfo &  endPoint,
const XrdSecCredentials *  cred,
XrdOucErrInfo &  einfo 
)
)
pure virtual

Obtain a protocol object suitable for authentication based on cred and possibly based on the hostname or host address, as needed.

Parameters
host  The client's host name, or the IP address as text. An IP address is supplied if the host address is not resolvable or resolution has been suppressed (i.e. nodnr). Use endPoint to obtain the host name if it is actually needed.
endPoint  The XrdNetAddrInfo object describing the client end-point.
cred  The initial credentials supplied by the client. The pointer may be null if the client did not supply credentials.
einfo  The structure in which to record any error messages. These are normally sent to the client.
Returns
Success: Address of the protocol object to be used for authentication. If cred was null, a host protocol object should be returned if that is allowed. Failure: Null, no protocol can be returned; einfo holds the reason.

Implemented in XrdSecServer.

◆ PostProcess()

virtual bool XrdSecService::PostProcess ( XrdSecEntity &  entity,
XrdOucErrInfo &  einfo 
)
inlinevirtual

Post process a fully authenticated XrdSecEntity object.

Parameters
entity  The fully authenticated entity object.
einfo  The structure in which to record any error messages. These are normally sent to the client. If einfo is a null pointer, the messages should be sent to standard error via an XrdSysError object using the XrdSysLogger supplied when the plugin was initialized.
Returns
Success: True should be returned. Failure: False should be returned and the einfo object should hold the reason. In this case the authentication fails.

Reimplemented in XrdSecServer.

◆ protTLS()

virtual const char * XrdSecService::protTLS ( )
pure virtual

Get a list of authentication protocols that require TLS.

Returns
Pointer to a list of protocols that require TLS, or a null pointer if none do.

Implemented in XrdSecServer.


The documentation for this class was generated from the following file: