COM/COM+ Security
How does RPC security relate to COM+ security? I made the statement earlier that every DCOM call is actually an RPC call. When you use remoting in COM+, as you learned in Chapter 5, the client talks to a server object through a proxy, and the object receives calls through the stub. Deep in the proxy/stub code is the code that makes RPC calls. As you learned in the previous section, for an RPC call to be secured, you must call the RpcBindingSetAuthInfoEx function. What COM+ provides are high-level API functions for setting the parameters of RpcBindingSetAuthInfoEx. The two most important functions (the ones we are going to discuss here) are CoInitializeSecurity and CoSetProxyBlanket.
In RPC, when the client wanted to make secured calls, it had to call RpcBindingSetAuthInfoEx for each binding handle; this is the equivalent in COM+ of making a similar call once for each interface in each object. The server had even more work to do because it had to evaluate each call and decide whether the security level of the call was sufficient, and then accept or reject the call based on its evaluation.
Because in COM+ the proxy/stub code wraps the RPC code, it is possible for COM+ to automate the process and minimize the work that the client and the server have to do. For example, on the client side, we can tell COM+ at program startup what level of authentication to use for all of its RPC calls. On the server side, COM+ enables us to tell it the minimum level of security that ...
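The client-side pattern described above, as an added Visual Basic 6 example that is not code from the book: one CoInitializeSecurity call at startup sets the process-wide default, and CoSetProxyBlanket then raises the level on a single proxy. The ProgID Bank.Account and the host name appsrv01 are hypothetical, and the code assumes a compiled standard EXE whose startup object is Sub Main.

```vb
' Added example, not code from the book. "Bank.Account" and "appsrv01" are hypothetical.
Option Explicit

Private Const RPC_C_AUTHN_WINNT As Long = 10               ' NTLM security package
Private Const RPC_C_AUTHZ_NONE As Long = 0
Private Const RPC_C_AUTHN_LEVEL_PKT_INTEGRITY As Long = 5  ' every packet signed
Private Const RPC_C_AUTHN_LEVEL_PKT_PRIVACY As Long = 6    ' signed and encrypted
Private Const RPC_C_IMP_LEVEL_IDENTIFY As Long = 2         ' server may identify, not impersonate
Private Const EOAC_NONE As Long = 0
Private Const RPC_E_TOO_LATE As Long = &H80010119

Private Declare Function CoInitializeSecurity Lib "ole32.dll" ( _
    ByVal pSecDesc As Long, ByVal cAuthSvc As Long, ByVal asAuthSvc As Long, _
    ByVal pReserved1 As Long, ByVal dwAuthnLevel As Long, ByVal dwImpLevel As Long, _
    ByVal pAuthList As Long, ByVal dwCapabilities As Long, ByVal pReserved3 As Long) As Long

Private Declare Function CoSetProxyBlanket Lib "ole32.dll" ( _
    ByVal pProxy As Object, ByVal dwAuthnSvc As Long, ByVal dwAuthzSvc As Long, _
    ByVal pServerPrincName As Long, ByVal dwAuthnLevel As Long, ByVal dwImpLevel As Long, _
    ByVal pAuthInfo As Long, ByVal dwCapabilities As Long) As Long

Public Sub Main()
    Dim hr As Long
    Dim acct As Object

    ' Process-wide default: called once, before any remote object is created.
    ' cAuthSvc = -1 lets COM pick the authentication services.
    hr = CoInitializeSecurity(0, -1, 0, 0, RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, _
                              RPC_C_IMP_LEVEL_IDENTIFY, 0, EOAC_NONE, 0)
    If hr = RPC_E_TOO_LATE Then
        MsgBox "COM security was already initialized for this process."
        Exit Sub
    ElseIf hr < 0 Then
        MsgBox "CoInitializeSecurity failed: &H" & Hex$(hr)
        Exit Sub
    End If

    ' Per-proxy override: this one object carries sensitive data, so its
    ' late-bound (IDispatch) proxy is raised to packet privacy.
    Set acct = CreateObject("Bank.Account", "appsrv01")
    hr = CoSetProxyBlanket(acct, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, 0, _
                           RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_IMP_LEVEL_IDENTIFY, _
                           0, EOAC_NONE)
    If hr < 0 Then
        Set acct = Nothing      ' do not call through a proxy left at the lower level
        MsgBox "CoSetProxyBlanket failed: &H" & Hex$(hr)
    End If
End Sub
```

The blanket applies only to the interface pointer passed in, so a different interface obtained from the same object keeps the process-wide default until it is set separately.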